Twilio’s API documentation recently received a new feature: text and symbols added to the field descriptions that clarify what is and is not personally identifiable information (PII). We know developers don’t always read privacy policies, but they do read API documentation.
Ensuring appropriate data protection for personal information processed through the Twilio platform is necessarily a shared responsibility between you, our customer, using Twilio’s Platform and Twilio, as the provider of the platform. We are sharing the updated documentation with PII field information as one part of our work on GDPR compliance.
PII Field Information
We know that Twilio’s GDPR compliance is just part of the journey for your application and your company to be compliant with the new regulations. As you use Twilio and make it part of your technology stack, we want to make it as easy as possible for you to comply with GDPR as part of …
Twilio often receives questions about the locality of data we process for our customers – where data is being stored depending on where it originates. Businesses all over the world use and trust Twilio, and they interact with their users also everywhere in the world.
In the new world of GDPR, the question of “where are you keeping my data” is coming up even more. And that question (particularly if you’re a small shop) may also be getting you down. Maybe you’ve built your app on Twilio’s platform or use other service providers not based in the European Union. Maybe your own operations are not based in the EU, but you have lots of EU-based users. Even the spectre that you might have to re-architect your app and invest in new infrastructure in the EU just to make sure EU personal data stays in the EU could feel like an existential threat.
Unfortunately, there …
Our first leadership principle is to “wear the customer’s shoes.” We want to make sure that we meet the standards that our customers expect from us — not just by building awesome products, but also by ensuring that our platform supports their compliance needs.
Trust is also paramount to our customers. According to Twilio CEO, Jeff Lawson, “…trust is the #1 thing on the cloud, so we will be taking GDPR as an opportunity to raise the bar for data protection worldwide.”
Scoping a task like GDPR compliance is the first step in tackling what needs to be done. And given the scope of GDPR regulations, that journey to compliance may seem challenging. We’re here to help you navigate and to that end, we’ve prepared a host of resources to help your team prepare for GDPR including a whitepaper, FAQ, video, and a series of blogs.
In addition to …
- How to make sure you are GDPR-compliant as a Twilio customer.
- Steps to take right now for each of the most relevant areas of the GDPR.
- Data protection practices you need to consider for the future.
What Twilio is doing
In a previous blog post, I looked at what we’re doing inside of Twilio to make us GDPR-compliant. As a product manager, I look at what we’re doing as the start of what you’ll need to do to ensure you’re compliant in time for the deadline. As a company that powers millions of conversations, part of our job is to help you be compliant when using Twilio as your platform.
So as we work on the features, documentation, and processes, what can you do to make sure you’re compliant? And how will you prove it?
Whether your customers include EU businesses or EU residents (and keep in mind, you …
The General Data Protection Regulation (GDPR) makes the law (at least, in relation to EU personal data) what privacy professionals have been saying for years—think about privacy concerns (like collecting as little personal data as necessary and safely getting rid of personal data when it is no longer needed) when designing products and services that involve the handling of personal data. GDPR calls this “Data Protection Privacy By Design and Default.”
So, what do I, as a security professional, have to say about this? Well, I say, “This sounds familiar.” And it should. It’s just the security development lifecycle (SDL)—“Secure By Design, By Default and In Deploy”—with a privacy spin. The commonality is how “design” is given primacy in both approaches.
Are both design practices—privacy AND security by design—required? On principle, we (and any other security-minded product company) would say “absolutely!”
But, while GDPR explicitly requires “privacy …
- Five major product requirements for GDPR-Compliance.
- What Twilio is doing about GDPR.
- New data protection features.
You may have already seen Twilio’s blog post series from our Lead Privacy Counsel about the GDPR. These posts cover the legal side of this new regulation, and include such details as “What is the GDPR?” and whether you, Twilio, both, or neither are a “controller” or “processor.” However, you may still be wondering, what exactly is Twilio doing for you? How do you know that you can trust Twilio with your data? Or, if you just aren’t sure what you should be doing yourself, what kinds of things is Twilio doing?
I’m a product manager at Twilio, and our product teams are working hard to make sure your use of Twilio will support you in becoming GDPR compliant in 2018. There is a bunch of work to make us GDPR compliant, but …
Welcome to Part 3 of our series discussing the General Data Protection Regulation (GDPR). With this post, we’re going to dig into some key concepts in the legislation.
(If you’re asking yourself, “What is this GDPR thing?” It’s a major piece of legislation coming out of the European Union (EU) which regulates the processing of personal data and it could significantly impact your business regardless of where your organization is based. The GDPR will become enforceable on May 25, 2018. For more information, check out Part 1 and Part 2 of our blog post series on GDPR and the session from SIGNAL London, “GDPR and Beyond: Data Protection at Twilio.”)
Before we get started, I want to give you fair warning—this post is going to get into some legal-ish stuff. But, bear with me here. These concepts are an important foundation for understanding your and Twilio’s obligations with …
- Does GDPR apply to you or your business?
- What’s the intent of GDPR?
- What happens if you don’t comply?
Compliance is often a topic of discussion for many of our customers, but one compliance item that hasn’t quite made it onto everyone’s radar just yet is the General Data Protection Regulation (GDPR)—a major piece of legislation coming out of the European Union (EU) that could severely impact your business whether your organization is based in the U.S. or abroad. This legislation replaces the original EU Data Protection Directive (Directive).
The GDPR will take effect on May 25, 2018, and Twilio is committed to ensuring our platform is compliant by then.
Now you may be wondering…
If you process personal data of EU individuals, then the answer is most likely yes. If your business is established in the EU, the GDPR …
- Twilio is committed to being GDPR compliant by May 25, 2018.
- New data processing addendum for customers.
- Additional GDPR guidance materials coming soon.
At Twilio, we’re keenly aware that organizations who process personal data of people in the EU need to be sure their service providers support compliance with the General Data Protection Regulation (GDPR). That’s why we are committed to ensuring our platform is GDPR-compliant by May 25, 2018, when GDPR becomes enforceable.
Our first leadership principle is to “wear the customer’s shoes.” This leadership principle is so fundamental to who we are that we actually have customers’ shoes hanging on the walls at our headquarters. No joke. So, while we love developing new features and products to help unlock your communications innovations, we understand that if our platform doesn’t support your compliance needs, those new features and products don’t mean much.
Furthermore, Twilio welcomes GDPR as an …