What’s the GDPR?

The GDPR (General Data Protection Regulation) is a new EU Regulation which will replace the 1995 EU Data Protection Directive (DPD) to significantly enhance the protection of the personal data of EU citizens and increase the obligations on organizations who collect or process personal data. It will come into force on 25th May 2018.

The full text of the GDPR can be found here.

Does the GDPR apply to me?

While the current EU legislation (the 1995 EU Data Protection Directive) governs entities within the EU, the territorial scope of the GDPR is far wider in that it will also apply to non-EU businesses who a) market their products to people in the EU or who b) monitor the behavior of people in the EU. In other words, even if you’re based outside of the EU but you control or process the data of EU citizens, the GDPR will apply to you.

How is Drift preparing for the GDPR?

We’ve updated our product:

  1. You can now choose to capture consent from all customers, only EU customers, or none at all.
  2. You can request and delete personal data

You can check out all the details here.

We’ve updated our Data Processing Agreements

Strong data protection commitments are a key part of GDPR’s requirements. Our updated data processing agreement shares our privacy commitments and sets out the terms for Drift and our customers to meet GDPR requirements. This is available for customers to sign upon request.

We’ve updated our Privacy Policy

Our Privacy Policy has been updated to be GDPR compliant. We will make the new policy available on the website no later than May 25th.

We’re certified for International Data Transfers

The EU-US Privacy Shield is a framework negotiated and agreed by the European Commission and U.S. Department of Commerce as a lawful way of transferring personal data.

To comply with EU data protection laws around international data transfer, we self-certified under the E.U.-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield framework.

We’ve coordinated with our vendors

We’ve reviewed our vendors, finding out about their GDPR plans and arranging GDPR-ready data processing agreements with them. We have data processing agreements in place with all subprocessors that will be handling your customers’ personal data.

We’ve taken new security measures

Security is a priority for us and we have a dedicated security team. We have appointed a Data Protection Officer, whose job is to ensure that your and your customers’ personal data is kept safe. We have regular external vulnerability scans and penetration tests. We are Privacy Shield certified and our SOC 2 Type 2 is in progress.

We’ll keep sharing information on our progress, and we’ll also help our customers and prospective customers be compliant. Some steps you can take are:

  • Get familiar with the GDPR requirements and how they affect your company.
  • Review how you process and store data.
  • Consider how you can leverage Drift to help with your GDPR compliance. Our penetration tests and security docs are available upon request.
  • Chat to your lawyer about what your company needs to do


Feel free to reach out to us if you have any questions about the GDPR – we’d be happy to chat about it.