Amplitude is Ready for the GDPR

Over the past six months, you have likely been hearing a lot about the General Data Protection Regulation (or GDPR) and steps companies are taking to prepare. If you haven’t heard, here’s a very short summary: the GDPR is a new data privacy law coming into force on May 25, 2018 that particularly affects companies with customers in the European Union. (If you are just getting started putting GDPR compliance in place for your organization, the 12-step introduction to GDPR published by Ireland’s Data Protection Commissioner’s is a good place to start.)

Today, we are happy to share that Amplitude’s product analytics services are GDPR ready. Our efforts fall into two key areas:

• Product updates to support the GDPR rights requests
• Privacy-by-design system with contractual agreements

Product Updates

We’ve made the following updates to our product to comply with the new requirements put in place by the GDPR.

• Single & bulk user data deletion – Using Amplitude’s User Privacy API, customers can choose to issue a delete request for a single user or for a list of users with their identifiers. This will delete that users’ data entirely from Amplitude’s platform.
• Upstream deletion support – Amplitude works closely with data platforms like Segment and mParticle, alongwith the openGDPR community to ensure that deletion requests coming from these integrations are also supported in a similar manner.
• Opt out method – Amplitude offers an opt-out method in its SDKs that will either avoid or stop event logging for specific users identified by our customers
• Email Monitoring – Any deletion request goes through 3 distinct phases – creation, progress and completion. Customers will be able to monitor the status of requests with email reports.
• Privacy Audit log – Amplitude now offers programmatic audit logs that will list user data deletion requests and their status on demand to customers.

To learn more about our user privacy features, please contact your success manager or write to privacy@amplitude.com.

Amplitude Privacy-by-Design Program

As a business, Amplitude is a data processor. We have implemented appropriate technical and organisational measures to show we continually consider and integrate data protection into our design, development, operations, and leadership.

In 2010, the International Data Protection and Privacy Commissioners recognized the Privacy-by-Design methodology as an essential component of fundamental privacy protection by , and most recently incorporated into the GDPR.

The methodology has seven foundational principles that in short, require pursuing a predictive and preventative approach to data risks by making privacy considerations an embedded part of the full life-cycle of the data. Furthermore, Privacy-by-Design helps companies deal with personal data in a respectful and transparent manner that ensures win-win scenarios for both companies and data subjects.

For Amplitude this means that our entire company works in collaboration with our Privacy and Information Security team to review decisions that may affect customer data. It means we must ensure that data is handled securely, in compliance with appropriate regulatory requirements, documented, and processed according to the instructions of the data controller (our customers).

Our compliance-by-default approach means that we treat all data ingested by our platform equally and with the appropriate level of care, providing transparency to our customers.

Contractual Data Processing Agreements (DPAs) for customers

We have updated our Data Processing Agreements (DPAs) to create a standard DPA that addresses all of the GDPR requirements. New obligations not included in EU’s Standard Contractual Clauses (SCCs) and now addressed in the Amplitude DPA include:

• Assisting Data controllers – Processors are obliged to assist the data controller in responding to data subject’s requests
• Duration of processing – Description of processing must also contain the duration
• Onward transfer of the data – Data processor must inform and ask for permission from the data controller for transfer of data outside EEA
• Confidentiality provision – Data processor must ensure that personnel authorised to process the data have committed themselves to confidentiality
• Data Breach notification – Data processor must share information to all customers without undue delay after becoming aware of a breach
• Supporting Audits – Data processor must contribute to necessary audits, and inspections, conducted by the controller or a providing a qualified third party inspection
• Data protection impact assessment (DPIA) – Support assessments conducted by the data controller

In addition, Amplitude is certified under the EU-U.S. and Swiss-U.S. Privacy Shield Framework, which was established to provide a mechanism for US and European companies to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States.

Over the next few weeks, we will also be sharing some best practices around ensuring data privacy with your product analytics. Stay tuned!

Photo by Jon Moore on Unsplash