Posted on January 5, 2018 by staff

Twilio: Five steps to GDPR compliance


Sheila Jambekar, associate general counsel at Twilio and the company’s GDPR spokesperson, shares five key ways to become compliant as GDPR grows closer.

The San Francisco-based company is a cloud communications as a service platform.

Founded on the idea that ‘everyone has the right to protection of personal data’, GDPR is a major piece of legislation coming out of the European Union (EU). It comes into effect in May this year.

According to a recent survey 25 per cent of organisations in the UK are unprepared for the upcoming General Data Protection Regulation (GDPR).

Twilio says that companies can prepare by laying out the categories of the personal data that they process, for example, names, email addresses, IP addresses and device identifiers.

They also suggest mapping the systems and service providers that organisations use to process personal data, as well as business reasons for personal data processing activities.

“Scoping a task like GDPR compliance is the first step in tackling it,” said Jambekar.

She believes there are five major product requirements that apply when managing conversations and communications between businesses and their customers and employees.

“The first thing is access control – only people and machines who need to use the data should also see it,” she said.

“For example, the part of Twilio that handles billing for a text message doesn’t need to access the body of the message, but just know how to bill it.”

The second step toward compliance is storing and processing data said Jambekar.

“Under GDPR, data must be collected for and limited to certain purposes, such as billing or routing,” she said.

“Auditing and streamlining all data processing systems ensures that personal data serves its original purpose only and that way is providing utility, not creating liability.”

Account and record deletion is also an important step when moving toward compliance.

“Except where laws such as taxation demand otherwise, data must be deleted once the original reason no longer exists,” said Jambekar.

“We advise tracking down data across warehouses, logs and other storages to make sure every identifiable part of the data goes away.”

Security is also a crucial part of any strategy for GDPR compliance said Jambekar.

“GDPR requires data to be properly secured even when moving inside the same system – for example when data is moving between machines or stored on a disk.

“Encrypting data any time it could be read or intercepted by a third is one way to provide security.”

Finally it’s important to audit and log data believes Jambekar.

“Access to your data or the policies on it should be logged,” she said.

“At Twilio we’re tracking personal data as it’s moving, being changed, or being queried, and we’re recording that access.

“This allows us to better tell you what somebody saw if your account ever gets compromised.”

There are, of course, other sections of the GDPR that are relevant, like notification of a breach and appointment of a data protection officer, but these don’t specifically apply to product changes.

Ultimately, GDPR is possibly the most expansive data protection legislation to date believes Jambekar.

It significantly enhances data privacy rights for individuals in the EU, while placing obligations of transparency, accountability and fairness on almost every company in every industry that relies on the use of personal data for conducting business.

“Twilio manages the conversations between businesses and their customers and employees, so we understand just how important data is to businesses,” said Jambekar.

“Still, data privacy is an important human right and, in this data-driven world, data protection is something that all companies should be doing.

“GDPR is an opportunity to build a stronger data protection foundation which will benefit all.”