
The Ketch Guide to GDPR Compliance

How the world’s most sweeping privacy rulebook impacts your business

The European Union’s General Data Protection Regulation (GDPR) is the world’s most sweeping data privacy rulebook, affecting millions of businesses worldwide, including many with no physical presence in Europe. In this guide, you’ll learn whether the GDPR affects your business, and how your team can take the necessary steps to comply with Europe’s data protection requirements.

You’ll learn:

  • The scope and significance of the GDPR
  • What kinds of companies are affected
  • What’s expected of your organization
  • The cost of botching your GDPR obligations
  • Practical steps to make your company GDPR compliant

Ketch specializes in giving organizations the tools needed to solve data privacy challenges in today’s increasingly complex global regulatory landscape. We’ll give you a crash course in GDPR compliance, and explain how to take the sting out of Europe’s flagship data privacy regulation.
Introduction
Getting to Grips With the GDPR

What does the EU’s flagship privacy regulation mean for your business?

The General Data Protection Regulation, or GDPR, is a European regulation with sweeping consequences for virtually any business that operates in Europe, or serves European users or customers in any capacity. Adopted in 2016 and applicable since 25 May 2018, the GDPR has become a model for data privacy laws around the world. But understanding the GDPR, and ensuring compliance with it, remains a significant challenge for businesses.

We’ll explore the data privacy obligations that businesses all over the world now face, and the steps that are needed to keep your company and your customers safe in the new era of global data privacy regulation. Wherever your company is on that journey, reading this guide is the first step toward full GDPR compliance.

Section 1:
What is the GDPR Anyway?

There’s more to this regulation than meets the eye.

The GDPR can seem complicated. In practice, though, the 88-page regulation has a straightforward goal: to secure eight key rights for people whose personal data is collected or used by businesses and other organizations. For each right, here is what it means and what businesses need to do about it:

  • Be informed
    Which means: data subjects have the right to know in advance how their data will be collected, used, and stored.
    So businesses need to: create clear privacy policies, and provide explicit notification before collecting or using data.

  • Access
    Which means: data subjects have the right to know, after the fact, what data has been collected about them and how it has been used and shared, and to obtain a copy of it.
    So businesses need to: track the way data is used and processed across their entire ecosystem, including by third-party partners.

  • Correction (rectification)
    Which means: data subjects have the right to correct inaccurate data that has been collected about them.
    So businesses need to: develop systems for vetting requests, entering corrections, and rapidly propagating changes across their entire ecosystem.

  • Be forgotten (erasure)
    Which means: data subjects have the right to demand the deletion of data collected about them, subject to exceptions such as data that must be retained to meet a legal obligation.
    So businesses need to: develop systems for verifiably deleting all data without disrupting existing databases and processing systems.

  • Restriction
    Which means: data subjects have the right, in defined circumstances (for example while the accuracy of their data is contested), to have their data kept but not processed.
    So businesses need to: treat consent metadata as a living document that’s subject to change, and halt data processing on request without deleting the data.

  • Portability
    Which means: data subjects have the right to receive the data they provided in a structured, commonly used, machine-readable format, and to have it transmitted to another data controller.
    So businesses need to: put systems in place to verify requests, extract all data pertaining to a given user, and securely transmit it to third parties.

  • Objection
    Which means: data subjects have the right to object to the processing of their data, and an absolute right to object to direct marketing, even where the business relies on a lawful basis other than consent.
    So businesses need to: ensure data subjects can withdraw consent or object, and that the updated status rapidly propagates through the entire data ecosystem.

  • Opt out of automated decisions
    Which means: data subjects have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects, and to obtain human intervention.
    So businesses need to: provide clear notification of automated decision-making, and put systems in place to allow human agents to take over automated processes on request.

While the eight key rights are themselves fairly easy to understand, they add a critical new layer of complexity to the operations of virtually any organization that collects or uses personal data. To comply with the GDPR, it isn’t enough to simply request consent before collecting data: you need to treat consent as a living document that can be retracted or amended at any time, and you need to put systems in place to track a user’s data across your entire data ecosystem.

You need to ensure you don’t use data in ways for which users haven’t given ongoing consent, and you need to ensure that any vendors or outside partners that handle your data are also able to rapidly adapt to changes in user consent, and to provide the tracking and reporting that’s required under the GDPR.

Section 2:
Does the GDPR Apply to You?

Don’t assume you’re safe just because you’re based outside the EU

The GDPR is a European regulation, and as you’d expect it affects virtually every business that operates in the European Union. But don’t assume you’re safe just because your business is headquartered outside the EU. If you have any business dealings with people who are based in Europe, you could fall under the purview of the GDPR.

Any company with a physical presence in Europe will almost certainly be subject to the GDPR. Even a company that doesn’t collect data about customers will likely collect data about its employees, and thus need to comply with the GDPR.

But the GDPR also applies to companies serving European customers, even if the business itself is based elsewhere. If you ship your products to a customer in Belgium, for instance, you’ll need to handle that customer’s data in GDPR-compliant ways.

And don’t assume that you’re safe just because you aren’t selling into European markets. A website that merely happens to be reachable from Europe is not, on its own, in scope. But if you monitor the behaviour of visitors in the EU (analytics, advertising cookies, profiling) or evidently target them (local-language pages, euro pricing), Article 3(2) brings you within the GDPR even if you never receive a single euro from those digital visitors.

The bottom line: no matter where you’re based, and no matter the size or nature of your business, if you collect any data pertaining to a person in the European Union, from a customer’s phone number to a website visitor’s IP address, then you need to pay attention to the GDPR.

$312M in fines levied under the GDPR as of Nov 2020
419 companies fined under the GDPR as of Nov 2020
Section 3:
The Price of Non-Compliance

For noncompliant businesses, the GDPR has a sting in its tail.

The GDPR is designed to get results by hitting noncompliant businesses where it hurts: their bottom line. The maximum penalty for infringements is the greater of €20 million (about $24 million) or 4% of annual global turnover. A lower tier, the greater of €10 million or 2% of turnover, applies to breaches of obligations such as record-keeping, security, and breach notification (Article 83(4)). For big multinational firms, potential fines can reach eye-watering sums.

In practice, data regulators set fines using criteria that include the seriousness of the regulatory breach, the offending company’s past compliance (or noncompliance) with the GDPR, and efforts taken to cooperate with investigators and mitigate the harm done by any regulatory breach.

It’s important to remember, too, that under Article 82 a controller is liable for damage caused by processing that infringes the GDPR, including processing carried out on its behalf by third parties such as email or cloud-storage providers. The only way to escape liability is to prove that your company was “not in any way responsible for the event giving rise to the damage” (Article 82(3)), a very high bar to clear. That is why Article 28 requires a written contract with every processor that handles your data.

And the regulatory fines are just the beginning. Article 82 of the GDPR also allows people whose data is improperly handled to receive compensation for both material and non-material damage they suffer as a result. That means if someone suffers financial losses, or even simply distress, as a result of your noncompliance, you could find yourself facing additional claims on top of any fine.

The Penalty Box:
These three firms drew the headline GDPR penalties to date. Note that the two UK figures were the ICO’s July 2019 notices of intent, and the final penalties issued in October 2020 were far lower.

€204.6m (£183m proposed; final penalty £20m)
British Airways
€110.3m (£99m proposed; final penalty £18.4m)
Marriott International
€50m (issued by France’s CNIL, January 2019)
Google
Are you safe from Europe’s GDPR enforcers?

Don’t assume you’re safe just because your company isn’t a household name. While large multinational firms draw the most regulatory attention, small businesses are also being hit with enforcement actions and fines running to thousands of dollars. It’s also important to remember that even where a European regulator has no direct reach over a company with no physical presence in Europe, the regulation is not toothless: Article 27 requires such companies to appoint a representative in the EU, and regulators can pursue that representative as well as the company’s EU-based processors and partners.

Section 4:
How to Ensure You’re GDPR Compliant

A guide to GDPR-proofing your business

If you’ve read this far, you know that building a GDPR-compliant business is important, but also far from easy. Here are six key steps every business should take to ensure they don’t fall foul of regulators:

01
Focus on consent.
Active and ongoing consent is the key to data protection compliance for most data-driven advertising organizations, because of the interplay between the GDPR and the ePrivacy Directive, which requires consent for non-essential cookies and similar tracking. You need clear, contextualized consent mechanisms that let users understand and control exactly what data is collected and how it’s used. Remember, though, that consent is only one of the six lawful bases in Article 6: whichever basis you rely on for a given purpose should be recorded alongside the data.
02
Label your data.
The only way to manage consent across a full data ecosystem is to label every single piece of data you collect, effectively creating a layer of metadata that records the purposes for which a given fact or unit of information may be used, and on what legal basis.
03
Stay flexible
Your data labels can’t be written in permanent ink. Instead, they need to reflect ongoing consent, and be nimble and flexible enough to allow users to change their minds and revoke or modify consent at any moment.
04
Tell your partners
Data labels can’t be anchored in your own internal data-handling processes; instead, they need to be incorporated into the data itself. That’s vital because it’s the only way to ensure that changes made by your users will propagate out to your outside partners, and define their data-handling processes too.
05
Document everything
The GDPR requires not just compliance, but verifiable compliance: the accountability principle (Article 5(2)) puts the burden of demonstrating compliance on you, and Article 30 requires records of your processing activities. Keeping clear records about how you’re handling data is vital when it comes to communicating with users and regulators. It will also make it far easier to get penalties reduced if you or your partners slip up.
06
Stay up to date
Rules change, and new privacy rules are being written all the time. By encoding compliance metadata directly into your data, you can ensure that your datasets can quickly be brought into compliance not just with the GDPR as it’s currently written, but with any new European iterations or copycat statutes introduced by other jurisdictions.
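The six steps above, and the “can this action be taken on this piece of data” query described in the conclusion, come down to one data structure: every stored value carries permits that name a purpose and a lawful basis, can be withdrawn or restricted at any time, and every decision is logged and pushed to partners. The following is an added illustration written for this guide; it is not Ketch’s code or API. The purpose names, the `partner_outbox` stand-in for notifying processors, and the sample subject `u42` are constructed assumptions.

```python
# Added illustration, not Ketch's code. Purpose names, the partner "outbox"
# and subject "u42" are constructed assumptions, not anything on this page.
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, List, Tuple


class Basis(Enum):  # Art. 6(1) lawful bases: consent is only one of them
    CONSENT = "consent"
    CONTRACT = "contract"
    LEGAL_OBLIGATION = "legal_obligation"


@dataclass
class Permit:  # the label attached to one value for one purpose (step 02)
    purpose: str
    basis: Basis
    active: bool = True       # False once consent is withdrawn or an objection is upheld
    restricted: bool = False  # Art. 18: keep the data but stop processing it


class ConsentStore:
    def __init__(self) -> None:
        # (subject_id, field_name) -> (value, {purpose: Permit})
        self.records: Dict[Tuple[str, str], Tuple[str, Dict[str, Permit]]] = {}
        self.audit: List[dict] = []           # step 05: every decision is recorded
        self.partner_outbox: List[dict] = []  # step 04: change events for processors

    def _log(self, event: str, notify: bool = False, **detail) -> None:
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "event": event, **detail}
        self.audit.append(entry)
        if notify:  # partners receive the same change event they must act on
            self.partner_outbox.append(entry)

    def collect(self, subject_id: str, field_name: str, value: str, permits: List[Permit]) -> None:
        """Store a value together with the permits that govern it."""
        self.records[(subject_id, field_name)] = (value, {p.purpose: p for p in permits})
        self._log("collect", subject=subject_id, field=field_name,
                  purposes=sorted(p.purpose for p in permits))

    def update(self, subject_id: str, purpose: str, change: str) -> int:
        """Step 03: 'withdraw' or 'restrict' a purpose on every field the subject has."""
        changed = 0
        for (s, _), (_, permits) in self.records.items():
            p = permits.get(purpose) if s == subject_id else None
            if p and change == "withdraw" and p.active and p.basis is not Basis.LEGAL_OBLIGATION:
                p.active = False      # consent withdrawn or objection upheld
                changed += 1
            elif p and change == "restrict" and not p.restricted:
                p.restricted = True   # data stays, processing halts
                changed += 1
        self._log(change, notify=True, subject=subject_id, purpose=purpose, records=changed)
        return changed

    def erase(self, subject_id: str) -> Tuple[int, int]:
        """Art. 17 erasure; a record still needed for a legal obligation is kept (Art. 17(3)(b))."""
        deleted = kept = 0
        for key in [k for k in self.records if k[0] == subject_id]:
            permits = self.records[key][1].values()
            if any(p.active and p.basis is Basis.LEGAL_OBLIGATION for p in permits):
                for p in permits:  # keep the record, but only for the legal obligation
                    p.active = p.active and p.basis is Basis.LEGAL_OBLIGATION
                kept += 1
            else:
                del self.records[key]
                deleted += 1
        self._log("erase", notify=True, subject=subject_id, deleted=deleted, kept=kept)
        return deleted, kept

    def can_use(self, subject_id: str, field_name: str, purpose: str) -> Tuple[bool, str]:
        """The query a developer runs before touching a value for a given purpose."""
        rec = self.records.get((subject_id, field_name))
        p = rec[1].get(purpose) if rec else None
        if p is None:
            decision = (False, "no record or no permit for this purpose")
        elif not p.active:
            decision = (False, "permit withdrawn")
        elif p.restricted:
            decision = (False, "processing restricted")
        else:
            decision = (True, f"allowed under {p.basis.value}")
        self._log("check", subject=subject_id, field=field_name, purpose=purpose, allowed=decision[0])
        return decision


def demo() -> dict:
    # Walk the constructed subject u42 through collection, withdrawal, restriction, erasure.
    s = ConsentStore()
    s.collect("u42", "email", "ada@example.org",
              [Permit("marketing", Basis.CONSENT), Permit("order_fulfilment", Basis.CONTRACT)])
    s.collect("u42", "address", "1 Rue Example, Brussels",
              [Permit("order_fulfilment", Basis.CONTRACT), Permit("tax_records", Basis.LEGAL_OBLIGATION)])
    out = {"marketing_before": s.can_use("u42", "email", "marketing")[0]}
    s.update("u42", "marketing", "withdraw")
    out["marketing_after"] = s.can_use("u42", "email", "marketing")
    out["fulfilment_ok"] = s.can_use("u42", "address", "order_fulfilment")[0]
    s.update("u42", "order_fulfilment", "restrict")
    out["fulfilment_restricted"] = s.can_use("u42", "address", "order_fulfilment")
    out["erase"] = s.erase("u42")  # email deleted; address kept only for tax_records
    out["tax_after_erase"] = s.can_use("u42", "address", "tax_records")
    out["partner_events"] = [m["event"] for m in s.partner_outbox]
    return out
```

Two design points are worth noting. Restriction and withdrawal change the permit, never the value, so the data survives an Article 18 request intact; and erasure refuses to drop a record that is still needed for a legal obligation, instead deactivating every other permit on it, which is the behaviour Article 17(3)(b) expects. In a real deployment the `partner_outbox` would be a queue or webhook that every processor consumes before it next touches the subject’s data.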
Conclusion:
Ketch is Here to Help

Meeting your company’s obligations under the GDPR can seem daunting, especially if you aren’t a regulatory or policy specialist. But the good news is that when you partner with Ketch, you don’t need a law degree to ensure your company is fully compliant.

Our SaaS approach to compliance lets you set broad policies for how data is handled, and then tags every single piece of data you collect, from a user’s name or location to the specific ways they’ve consented to their data being shared, with permits that determine how that data can be used.

That’s a game-changer, because it enables your developers to simply query whether a given action is permissible for a given piece of data. That fully automated process ensures developers can do their jobs without fretting about regulations. And it enables your policy specialists to easily tweak the way data is used, secure in the knowledge that any changes they make will ripple through your whole data ecosystem, including vendors or third-party companies using your data, to ensure complete compliance without messy under-the-hood changes to your codebase.

Get in touch today to learn more about how Ketch can help make your company fully GDPR compliant—with built-in futureproofing, and no headaches for either your developers or your policy team.

How to hit a moving target
The GDPR has inspired a flurry of new privacy regulations in jurisdictions all over the world, so increasingly companies need to stay compliant not just with the original GDPR but with copycat legislation in places like India, Brazil, and Japan. With Ketch, you can ensure you’re compliant with the entire global regulatory landscape—without rewriting your codebase every time a new statute is enacted.