General Data Protection Regulation (GDPR)

Rate this page:

Thanks for rating this page!

We are always striving to improve our documentation quality, and your feedback is valuable to us. How could this documentation serve you better?

The General Data Protection Regulation (GDPR) of the European Union (EU) is a law that regulates the handling of personal data and outlines the rights individuals have with regard to their data. It was implemented on May 25, 2018. It applies to any “individual, company, or organisation” that processes the data of a person in the EU. This applies whether the organization is based in the EU or elsewhere.

The purpose of the GDPR

The European Union views the protection of personal data as a fundamental right of natural persons. The GDPR establishes requirements of organizations that process data, defines the rights of individuals to manage their data, and outlines penalties for those who violate these rights.

To better understand the GDPR, you should know what qualifies as personal data and data processing.

Personal data

Think of personal data as any information that can be used to identify someone or is associated directly or indirectly with a living individual. This includes a person’s name, driver’s license number, location data, IP address, biometric data, and more.

Processing

Processing is a broad term that encompasses nearly any use of personal data, including collection, storage, organization, alteration, destruction, and transmission. For all intents and purposes, any use of personal data is considered processing.

GDPR requirements

Under the GDPR, an organization processing personal data acts as either a controller or a processor. A controller determines the purpose for processing the data. Whether the controller processes the data itself or contracts another party to do the processing, the controller decides how the data are used. A processor processes data only on behalf of the controller. The sole objective of the processor is to process the data for the controller.

For example, imagine a law office that conducts virtual office consultations using Twilio Video. The video calls could contain many pieces of personal information shared between the clients and attorneys. With regard to all the data shared during the consultations, the law practice is the controller, and Twilio is the processor. The law office determines how to use the clients’ information. However, Twilio manages the transmission of the data. The law practice controls the personal data by determining a specific use for the data. Twilio handles the processing by providing the technical infrastructure to facilitate the video call.

Many organizations are both controllers and processors. For example, Twilio is a processor on behalf of its customers’ content, but it is also a controller with respect to the data it processes for its own business needs—like billing, marketing, and HR functions.

Data processing compliance

In order to be GDPR compliant, an organization cannot collect more data than it needs to achieve a specific lawful purpose. This means that data shouldn’t be collected simply because the data might be useful in the future. Once the original purpose for processing data has been served, the data must be deleted or anonymized as soon as possible.

Data and processing records should also be kept up to date, and all processing should be done securely using encryption and other data handling best-practices. If something does go wrong, and there’s a data breach that creates a risk to the privacy rights of individuals, the organization has to notify its supervisory authority of that breach within 72 hours of becoming aware of it.

There are some exceptions to these rules, and this text is not meant to be comprehensive. Complete information is available in Chapter IV of the GDPR legal text.

Summary of processing requirements

  • Data must be collected for a specific, lawful purpose
  • Data must be accurate and kept up to date
  • Data must be deleted or anonymized as soon as possible after the purpose for processing has been served
  • Data should be processed securely
  • A data breach should be communicated within 72 hours

Rights of a data subject

As an individual, you have the right to be informed about how your data will be processed and for what purpose. You can also request that your personal data be updated or even erased in certain circumstances. If you want to move your data to another system, you are free to do so. Your data will be provided to you in a common machine-readable format that other organizations can understand.

Information about your personal data must be communicated to you in plain and transparent language. This means you shouldn’t have to scroll through legalese that obfuscates the true use of your data. Again, this is just an overview. For more about the rights of a data subject, see Chapter III of the full GDPR text.

Summary of data subject rights

  • Communication will be made in plain and transparent language
  • How and why personal data are used by a controller must be communicated to the data subject
  • Data subjects have the right to correct or delete their data
  • Data subjects may transfer their data to another system

Twilio and the GDPR

At Twilio, we view the GDPR as another opportunity to develop trust and put our customers first. In addition to having a Privacy team and implementing Privacy by Design principles, we apply GDPR standards to all the data we control and process. For more information, please visit our GDPR page.

What’s Next?

Secure communication is easier than you might think. Send your first Twilio powered SMS or Voice message with one of our quickstarts today. Want to know more about GDPR? Listen to Twilio Data Protection Officer Sheila Jambekar’s talk at SIGNAL London 2017.

Rate this page: