Amplitude’s Commitment to Privacy and the GDPR

The General Data Protection Regulation (GDPR), due to become effective on May 25 this year, is an extremely important legislation which will unify and strengthen the protection of personal data for people residing within the member states of the European Union.

The GDPR aims to provide better protection and control for individuals in the EU over their data, harmonize these protections throughout the EU, and facilitate the free flow of personal data within the EU and the transfer to third countries and international organizations while ensuring a high level of protection of personal data.

Amplitude’s Commitment to Privacy

Since our early days, Amplitude has been paying close attention to data privacy regulatory shifts to better protect individuals in the EU and around the world, and views the security and privacy of an individual’s personal data as a fundamental human right.

Amplitude’s platform was always designed to help companies build better products while not requiring companies to provide their user’s personal information (PII) in order to perform these analytics. We’ve also been early adopters of a security-by-design approach for our product development, and in 2017 certified with the EU-U.S. Privacy Shield Framework.

Amplitude’s Approach to GDPR Compliance

As Amplitude moves into 2018, we are already well prepared for GDPR compliance as a data processor and is ready to launch improved tools for individual user data portability and deletion. Further, Amplitude is also thinking creatively about features and functionalities that might help you, our customers, achieve your own information security and privacy goals. We are looking at every aspect of the platform to see where such improvements can provide a higher degree of controls, and always, further increasing the security of your data.

Amplitude stands behind our privacy program contractually as well, our Data Processing Agreement addresses the updated data protection requirements under the GDPR.

Next Steps

Amplitude’s team of privacy and information security professionals have been working closely with a wide sample of customers in different verticals to better understand the marketplace needs, and help address specific questions or concerns. We welcome the opportunity for these conversations as we all work together to address the GDPR requirements.

If you have any questions, please don’t hesitate to reach out to your Amplitude point of contact, or email us at privacy@amplitude.com.

What is the GDPR? How does the GDPR compare to the EU Data Protection Directive?

If you’re looking for more details, continue reading…

The General Data Protection Act (GDPR) is considered to be the most significant piece of European data protection legislation to be introduced in the European Union (EU) in 20 years and will replace the the 1995 Data Protection Directive. The GDPR enhances EU individuals’ privacy rights and places significantly enhanced obligations on organizations handling data.

The GDPR regulates the processing of personal data about individuals in the European Union including its collection, storage, transfer or use. Importantly, under the GDPR, the concept of “personal data” is very broad and covers any information relating to an identified or identifiable individual (also called a “data subject”).

It gives data subjects more rights and control over their data by regulating how companies handle and store the personal data they collect. The GDPR also raises the stakes for compliance by increasing regulatory enforcement and imposing greater fines should a company fail to comply with the GDPR.

In summary, here are some of the key changes to come into effect with the upcoming GDPR:

• Expanded rights for individuals: The GDPR provides expanded rights for individuals in the European Union by granting them, amongst other things, the right to be forgotten and the right to request a copy of any personal data stored in their regard.
• Compliance obligations: The GDPR requires organizations to implement appropriate policies and security protocols, conduct privacy impact assessments, keep detailed records on data activities and enter into written agreements with vendors.
• Data breach notification and security: The GDPR requires organizations to report certain data breaches to data protection authorities, and under certain circumstances, to the affected data subjects. The GDPR also places additional security requirements on organizations.
• New requirements for profiling and monitoring: The GDPR places additional obligations on organizations engaged in profiling or monitoring behavior of EU individuals.
• Increased Enforcement: Under the GDPR, authorities can fine organizations up to the greater of €20 million or 4% of a company’s annual global revenue, based on the seriousness of the breach and damages incurred. Also, the GDPR provides a central point of enforcement for organizations with operations in multiple EU member states by requiring companies to work with a lead supervisory authority for cross-border data protection issues.

If you are a company outside the EU, you should still be aware of this. The provisions of the GDPR apply to any organization that processes personal data of individuals in the European Union, including tracking their online activities, regardless of whether the organization has a physical presence in the EU.

Barak Engel, Amplitude’s Chief Information Security Officer contributed to this post.