What Constitutes a “Sale” of Privacy Information under CPRA/CCPA?

The California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020, and the recently approved California Privacy Rights Act (CPRA), which will supersede CCPA come 2023, are applicable to any for-profit business in California that meets any one of the following thresholds:

  • Annual gross revenue in excess of $25 million
  • Buying, receiving or selling personal information of more than 50,000 consumers or households (expanded to 100,000 under CPRA)
  • Earning more than half of your annual revenue from selling personal information

If your revenue is less than $25 million, your customer base doesn’t exceed the threshold for the number of consumers or households, and you’re not earning revenue by selling personal information, you probably think that your business is exempt. However, under CPRA/CCPA, the definition of “selling” is not confined to the classic sense of the word but rather is broadly defined. That means you could technically be selling personal information, even if you don’t think you are. It’s therefore important to know what constitutes a “sale.” 

What’s in a Word?

CCPA/CPRA defines a “sale” of privacy information as “selling, renting, releasing, disclosing, disseminating, making available, transferring or communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or a third party for monetary or other valuable consideration.”

While this remains a vague aspect of the law, one can conclude based on the definition that even if your business is not directly being paid for consumer personal information (i.e., name, social security number, email or IP address, Internet browsing history, etc.), any such information that you make available by other means could still be considered a sale if you’re receiving “valuable consideration” in return. But what exactly is valuable consideration?

California law defines valuable consideration as any benefit, meaning it can be non-monetary such as assets, inventory, a service, discounts, promotion, or intellectual property. Really any tangible or nontangible business asset can potentially have valuable consideration. This includes targeted advertising based on a consumer’s behavior or preferences acquired via Internet analytics or tracking cookies. But there are exceptions.

Exceptions to Every Rule

First of all, under CCPA/CPRA, “selling” only refers to providing privacy data to third parties, which does not include service providers or contractors that perform a service required for your business to function. For example, if in selling your product or service, you provide personal information to a credit check bureau or fraud detection service to protect your business, this does not constitute a sale. In this scenario, service providers and contractors are also prohibited from “selling” personal information, and it’s up to you to ensure this requirement is covered in any terms and conditions.

Another exception to disseminating privacy data occurs if your business has previously provided personal information to third-party entities and a customer then chooses to opt out—you’ll need to provide that customer’s identification information (i.e., email, account numbers, etc.) to third parties so they too can comply with the opt-out request. Additionally, if you’re selling assets as part of a business merger or acquisition to a third party that will take over control of the business, the transfer of personal information does not constitute a sale. And of course, if a consumer opts in, disseminating that user’s personal information also does not constitute a sale.

How Can You Be Sure?

At this time, it remains somewhat unclear whether all disclosures of personal information to third parties constitute a “sale” under CCPA/CPRA. As specific legal cases arise and the California Privacy Protection Agency (CPPA) ramps up audits, enforcement, and education, it may become increasingly clear what constitutes a sale, but that doesn’t mean compliance can be put off until tomorrow. Rather than waiting for clarification and risking the penalties of non-compliance, any business handling privacy data would be wise to assess its risk today. And in today’s data-driven economy where information drives business decisions, it’s more than likely that you’re handling personal information.

With cybersecurity attacks on the rise and users becoming increasingly concerned about how their data is used, you need to be sure that you’re maintaining consumer trust. To that end, it is recommended to engage with CCPA/CPRA legal and data experts to conduct a thorough data mapping that identifies all the ways your business systems acquire and disseminate personal information. These experts can help assess your risk and implement necessary orchestration policies and procedures to prevent any potential non-compliant “sale” of information. Because even if your business is unknowingly selling information per the definition of CCPA/CPRA, you can be held liable. 

CCPA/CPRA privacy data compliance is complicated. But with Ketch, it doesn’t have to be. Learn how we can help your business with data privacy today to reduce your risk tomorrow.

Do You Have a “Legitimate Interest” in the Data You Collect?

Under the GDPR, consent isn’t the only lawful basis for data processing

The European Union’s General Data Protection Regulation (GDPR) says that in order to collect and process personal data, an organization must have a “lawful basis” to do so. There are six specific ways that organizations can achieve that, and most are relatively straightforward: you’re in the clear if a data subject explicitly consents to a given use of their data, for instance, or if there’s a legal requirement for you to collect and process data in a certain way.

But there’s one lawful basis that’s simultaneously widely used and poorly understood: the “legitimate interest” basis for data usage. According to the GDPR, data processing is lawful if it is “necessary for the purposes of the legitimate interests pursued by the controller or by a third party” — unless those legitimate interests are “overridden by the interests or fundamental rights and freedoms of the data subject.” 

On the one hand, the GDPR clearly suggests that organizations can lawfully use personal data if they really need to. But it also clearly says that the “legitimate interest” basis for data processing can be canceled out by the countervailing interests of the data subject. That’s a tricky needle to thread: how can organizations decide whether their interests are “legitimate,” and how are they supposed to figure out whether their interests are “overridden” by those of the data subject?

The three-part test

The GDPR doesn’t clearly explain what constitutes a “legitimate interest,” so this is something organizations have to figure out for themselves on a case-by-case basis. The GDPR offers some examples of legitimate interests, such as use of client or employee data, fraud prevention, marketing, or identifying security breaches. Still, there are no hard-and-fast rules on which organizations can rely to ensure they’re covered by a “legitimate interest” basis for data processing.

Because of that, it’s helpful to think of the “legitimate interest” basis as a process rather than simply a set of fixed criteria. To meet your obligations, you need to be able to show that you’ve weighed your own “legitimate interest” against the interests of data subjects. The British Information Commissioner’s Office suggests using a three-part test to figure out whether your “legitimate interest” claim holds water:

  1. First, your data processing should have a clear purpose that serves either your organization’s interests or those of a third party. The key here is to be specific: your purpose can’t simply be to process data as an end in its own right, but should be a clear goal that delivers evident benefits to your organization. For instance, a company might have a clear interest in checking that it isn’t being defrauded, or in identifying potential security threats.
  2. Next, your data processing should be necessary to achieve that goal. That doesn’t mean it’s the only way to achieve a certain goal, but it does mean that your data processing should be targeted and proportionate to your stated ends. If you’re trying to tackle fraud, for instance, you should only be processing data that’s directly related to that goal.
  3. Finally, your data processing should be balanced against the interests and rights of the data subject. It’s important to show that you’ve carefully considered your data subjects’ rights, and that you’re doing your best to minimize any potential impact on them. This is especially important if you’re handling data pertaining to children, who are singled out for special protection under the GDPR.

Such tests are in some ways more art than science. Still, conducting and documenting a formal evaluative process is vital to show that you’re properly weighing your own legitimate interests against those of your data subjects. 

Expectations and objections

Besides the three-part test, there are two other important factors to consider. 

First, it’s generally acceptable to process data in ways that users should reasonably expect. This doesn’t mean that a specific user has to actually expect their data to be processed in a certain way — just that a reasonable person would likely make that assumption.

This gives organizations some leeway to process data for expected purposes such as fraud prevention or other routine operations. It’s also worth noting that if you communicate your practices to your users, they will be more likely to expect their data to be processed accordingly. A clear, detailed data privacy policy goes a long way toward supporting a “legitimate interest” basis for data processing.

Second, remember that the GDPR gives data subjects the right to object to the use of their data. That’s especially important for data processed under a “legitimate interest” rationale, when there can be grounds for differing opinions about whether data use is justified. 

If a user objects to your use of their data, the onus is on your organization to demonstrate not just that you have a legitimate interest, but a compelling interest to continue processing that data. That’s a high bar to clear, especially since you could face steep fines if you improperly persist in using personal data following an objection. 

Most objections result in organizations either halting data usage or deleting a user’s data. If such objections become widespread, you may need to explore using a different lawful basis to justify your data processing. 

A tech solution

So is a “legitimate interest” basis right for your organization? Well, it’s certainly worth considering if you want to use data in a way that brings a clear benefit to your organization, doesn’t carry significant risk of infringing on data subjects’ privacy rights, and that data subjects should reasonably expect to occur. 

Still, a “legitimate interest” rationale for data processing comes with a unique set of complexities, including documentation requirements and the need to respond quickly and effectively to objections raised by data subjects. 

At Ketch, we specialize in helping organizations to formulate data policies that can be applied instantly across your entire data ecosystem, providing trackable real-time data privacy and compliance capabilities without the need to rewrite code or rebuild your tech stack. If you’re considering using a “legitimate interest” basis for GDPR compliance, get in touch today, and find out how Ketch can take your organization’s data processing to the next level.

The Top 5 GDPR Compliance Mistakes and How to Avoid Them

The European Union’s General Data Protection Regulation (GDPR) is a complex and sweeping data protection law that has left companies all over the world scrambling to rethink their data handling processes.  Unfortunately, ensuring full compliance with the 88-page regulation isn’t easy. In fact, many companies are still making mistakes — and with penalties maxing out at 4% of annual global turnover, in addition to potential damages payable to affected users, slipping up can be costly.

Here are 5 of the biggest errors we see companies making as they figure out how to handle their obligations under the GDPR:

1. Assuming the GDPR doesn’t apply to you

As you’d expect, virtually all companies with operations in the European Economic Area are required to comply with the GDPR. But that doesn’t mean you’re off the hook if you’re based elsewhere in the world. Under the terms of the GDPR, companies that collect or process data for the purposes of doing business with European customers must comply with the regulation. An occasional European visitor to your company’s website won’t necessarily trigger the GDPR. But if you’re soliciting business from Europeans, such as by advertising in Europe or including prices in euros, then you’re likely to fall under the regulation.

2. Misunderstanding the scope of the statute

It’s easy to assume that as long as you’re getting users’ consent before you collect their personal data, you’ve insulated yourself against any potential problems. Unfortunately, though, the GDPR is much more far-reaching than that, and collecting consent is only the beginning. The GDPR actually secures 8 key rights for data subjects, including the right to amend or revoke consent; the right to obtain copies of or to amend any collected data; and the right to have their data “forgotten” or completely deleted, or to object to the ways in which it’s being processed. 

For most companies, that can’t be managed simply by asking permission to set various types of cookies to log consent. Instead, you’ll need a systematic approach that lets you track a user’s personal data throughout your system, and ensure it’s never used for purposes to which a user objects. You’ll also need to be able to extract data from your system, explain where and how it is used, or discontinue processing that data on demand. For companies affected by the GDPR, static cookie-based strategies simply aren’t good enough.

3. Counting on partners doing their jobs right

In the modern world, dataflows don’t end neatly at the boundary of your organization — they spill over to third parties and outside partners. The GDPR makes clear that data controllers aren’t responsible solely for their own handling of a user’s data — they’re also directly liable for any errors or missteps made by other processors, such as downstream partners and vendors, who use the data.

In other words, it’s no longer enough to simply put policies in place to manage your own handling of personal data. You also need to ensure that you’re promptly and reliably communicating with partners about how data can be processed. If your user revokes consent, that signal needs to propagate promptly across your entire data ecosystem, including any third parties who’ve accessed the data, in order to shield you from potential liability for GDPR noncompliance. 

4. Expecting IT pros to be policy experts (and vice versa)

GDPR compliance requires both policy chops (to figure out how personal data should be handled) and IT savvy (to figure out how to implement that across your data ecosystem). Too often policy experts feel obliged to weigh in on IT implementations, or IT teams have to parse the nuances of the statute when writing code. That can lead to mistakes as people step outside their areas of expertise, or slow the pace of innovation as projects are increasingly run by committee and require multiple stages of legal and technical approval.

The key for successful GDPR compliance is to develop an approach that allows legal teams to define acceptable forms of data usage, then rapidly and frictionlessly translate those perspectives into actionable guidance for IT teams. In an ideal world, your legal teams should never need to read a line of code, and your IT specialists should never need to wade into the dense legal language of the GDPR itself.

5. Dealing with the GDPR in isolation

The GDPR has changed the face of global data privacy regulation; increasingly, in the post-Snowden world, regulators are looking to create muscular regulatory frameworks that place significant new burdens on data controllers and processors. But here’s the rub: while many of the frameworks now being implemented share the same goals, they impose unique and varying obligations upon organizations. 

It isn’t enough to simply upgrade your data-handling infrastructure to ensure GDPR compliance. Instead, organizations need to create flexible and responsive systems that can rapidly adapt to new regulations and requirements as they are introduced. From new data laws in California and Brazil to sweeping privacy measures in India and China, organizations need to plan for the future, and put infrastructure in place to help them remain compliant with a fluid and constantly changing global regulatory landscape.

All of these mistakes are easy to make. Fortunately, they’re also easy to avoid. The key is to take the GDPR seriously, and not to try to handle everything internally. Whether it’s mastering the policy nuances or figuring out how to translate them into workable IT and data-handling infrastructure, it pays to partner with a specialist. 

That’s where Ketch comes in. Our founding team’s background in advertising and marketing technologies and data infrastructure gives us a deep understanding of the ways that data flows through modern businesses. We also understand the challenges that companies face as they try to adapt those dataflows to the requirements of the GDPR without disrupting their daily operations. 

Using our technology and our in-house expertise, we can translate your specific requirements and obligations under the GDPR into customized, crystal-clear data-management policies. Crucially, we also automate the process of querying datasets subject to those policies — so your coders and developers can implement call-outs to automatically check whether a specific action is permissible for a specific item of personal data. 

With Ketch, your IT teams don’t have to fret about the nuances of privacy laws, and your legal teams don’t lose sleep over specific implementations. And because permissions are handled centrally, you can be confident that any changes will propagate instantly across your entire data ecosystem, including outside partners, to ensure continuous GDPR compliance. 

That adds up to a frictionless and robust toolkit for companies affected by the GDPR. So stop fretting about making costly mistakes — and get in touch with Ketch to find out how we can streamline your data compliance.

Introducing PrivacyGrader

Today the Ketch team is excited to introduce PrivacyGrader, a tool that helps solve the complex and critical problems of consumer data privacy and security.

It’s no secret that data protection is one of the biggest and hardest challenges we face today. This year, data breaches continued to be constant headline news. By one account, the average cost of a breach to a U.S. company is now more than $8.5 million.

In addition to the direct costs of data breaches, the ripple effects of decreased consumer confidence in e-commerce and online media could have severe impacts on our economy – especially at a time when online experiences have never been more essential to our lives.  

This is a big, complicated problem that even the biggest companies struggle to manage.  Many small and medium-sized companies don’t even know where to begin.  

That’s where PrivacyGrader comes in.  It’s a starting point for companies to diagnose their data privacy performance, and then to begin the process of improving it.  With simple, practical steps. 

This is the kind of challenge our team loves:  Tackling big problems and coming up with elegant solutions that serve an important purpose.

PrivacyGrader works by analyzing your website’s collection and use of personal data.  It assesses multiple elements of your privacy procedures and doesn’t just help you find the problems – it identifies the steps you need to take to address them. We provide the analysis to any company at no cost.

Trust is vital for all of us as we deepen our commitment to an increasingly connected, digital lifestyle.  At Ketch, we don’t see a zero-sum world where consumer privacy is protected and online businesses lose. We believe that both consumers and businesses can prosper together, and we built PrivacyGrader to help bridge the divide.  We hope you’ll give it a try and let us know what you think.

Switchbit is now Ketch

The Switchbit team is driven by a belief in two key principles. First, privacy is an essential human right that all businesses should have the ability to respect and enforce. Second, data is property. Like land and other physical property, data must be protected and controlled according to the time, terms, and conditions of its owner’s choosing. 

We don’t see a zero-sum world where consumer privacy is protected and businesses lose. We believe that both consumers and businesses can prosper together. We’re determined to help businesses honor the data dignity of their customers, while also giving them the privacy and security tools that let them preserve and unlock the power of data for core operations and AI-enabled business processes.

Since our inception, we’ve been working hard to achieve the radical simplification of data privacy, which we believe is among the most critical imperatives facing our economy and our society. Undeniably, we are in the midst of the Data Rights Revolution.

As tends to be the case with revolutions, optimism and commitment are all mixed up with complexity and confusion. In our experience, most businesses want to embrace and implement a consumer-first privacy paradigm–the question is How to get there? 

We are committed to building powerful-but-simple infrastructure that guides our customers through the maze of laws and regulations, while at the same time recognizing and capitalizing on the opportunities along the way–opportunities hiding in plain sight.

Of course you need to achieve compliance and get the details right. But the companies that win this revolution will be those that go beyond, by creating privacy experiences that inspire customer satisfaction and trust. We help you imagine, design, and offer those experiences.

One of the many hurdles here is that the maze isn’t static. It changes as laws are born and evolve. All the energy you spent getting prepared for CCPA and GDPR? Congratulations! Your prize is… CPRA and LGPD! Data privacy is a dynamic challenge. That’s why we’re always focused on giving our customers a dynamic, deploy-once-comply-everywhere solution.

In this relentless pursuit of simplicity in the face of change, we’ll be with you every step of the way. And today, we’re practicing what we preach: We’ve decided our name adds more where less will do, and do better. Today, we’re saying goodbye to “Switchbit” and introducing you to “Ketch.” Strong and simple, just like our product and our mission. 

Ketch is blazing a path in the Data Rights Revolution. Join us in fighting for privacy as an essential human right, and data as property to be preserved and protected.

And if you don’t know, now you know. 

Can Orchestrating Privacy Data Subject Requests be Automated?

The complex, time-consuming, and downright annoying process of exporting, erasing, or rectifying personal data to respond to valid data subject requests sanctioned under privacy data regulations like GDPR and CCPA likely has you wondering if there’s a better way. You’re not alone if you’re considering a ticketing-based solution touting the ability to automate this process. But can orchestrating data requests from customers be automated?

Personal data exists in multiple formats across multiple in-house, cloud-based, and third-party systems. It can be an email in one system, a rewards number in another, or a cookie in yet another. Before a data subject request can even be fulfilled, much less automated, you need to find the data. Easier said than done. Consider a request based on email address. If that’s not the system identifier, you need to either gather more information from the now-frustrated customer or delve into the system to try and determine the data format. That’s not always possible with systems that hold only obscure device identifiers or cookies. And by law, you can’t claim you don’t have the data just because you don’t have the identifier. Without this information, compliance is at risk and automation is not possible.

Even when the data is located, fulfilling the request requires knowing all the steps within the workflow of each system. For external systems, this could be sending an email or going through the user interface to generate the request. For internal systems, it means identifying the responsible system owner and operator. This is all compounded by the fact that you still need to determine if the request was even received and fulfilled—for every system.

Since the definition of personal data is broad, and it can reside in several linked systems and subsystems, the question also often remains whether the scope of all the data was even dealt with. You might think a data subject request only requires you to delete the customer table containing names, email addresses and account information. But if that customer’s data exists in other locations and formats like purchasing or browser history, you’re only in compliance if ALL the appropriate data is deleted. That also means you need to know what data is exempt and must be maintained for contractual, legal, or auditing purposes.

Considering the complexity of it all, don’t be fooled by ticketing-based systems that have you thinking the actual work of fulfilling data subject requests will be automated. Sure, these systems may automate the creation of a ticket, an email response to the customer acknowledging the request, or the due date required by a specific regulation. They may even help you manage HOW to fulfill requests—that is, once you’ve determined and set up all systems, identifiers and workflow requirements. But ticketing-based systems are simply not capable of automating orchestration.

So the question remains—can orchestrating data subject requests even be automated or is that just pie in the sky? That’s where Ketch comes in.

Using technology rather than process, Ketch is working to solve the barriers of automation by invoking tools like open-source APIs, syntax command templates, and system integration in conjunction with a central control system that lets you automatically record, track, and respond to data subject requests. When it comes to privacy data compliance, our goal is to make data systems work so you don’t have to.

Complying with data security and privacy regulations like GDPR and CCPA isn’t just about avoiding penalties—it’s also about building trust with your customers. That means fast, effective response to data subject requests from individuals asking to discover, access, rectify, or delete their personal data that your company maintains.

With the data sitting in multiple systems and formats—from names and email addresses, to accounts and cookies—orchestrating data subject requests can be complex and labor-intensive, costing you money and tying up resources to respond by the deadline. Under CCPA, that’s 45 days. GDPR gives you just 30.

Ticketing systems make it easier for customer service and IT help desks to effectively respond to requests through an organized workflow. They’re a great tool for recording, assigning, prioritizing, and tracking support tickets. Many of these systems have now added support for managing GDPR and CCPA data subject requests. With features like tagging to ease searches, canned responses to prevent repetitive work, assignment rules to delegate responsibility, and customized reporting to help with audits, a good ticketing system can certainly make handling data subject requests more efficient. But if you think these systems will do the work for you, think again.

Ticketing systems can automate some of the workflow in responding to data subject requests. Think ticket creation, receipt acknowledgement, assignment, or due date alerts. But the actual work of fulfilling the request still must be done. Automation claims may give you the illusion that it will do it for you, but a ticketing system is never going to find and delete or change all the formats of someone’s personal data across multiple internal, cloud-based, data warehouse, and third-party systems. That’s up to you.

In other words, your ticketing system might tell you what to do, but you’re still stuck orchestrating the request through a combination of manual system hunt and peck, available data privacy APIs, and third-party requests—all of which then need to be verified to ensure GDPR and CCPA compliance. This is what makes up the bulk of complexity and time within the workflow. But it doesn’t have to.

Ketch doesn’t just manage the workflow of responding to consumer data subject requests by creating and tracking tickets. We actually intelligently automate the fulfillment of those requests by directly integrating with the systems where the data resides. Instead of treating data privacy like a help desk and investing in a ticketing system that at most creates a ticket, stop the manual, time-consuming process of closing that ticket with Ketch.

Click here to schedule your demo and learn how Ketch doesn’t just capture and track data subject requests but automatically orchestrates their fulfillment.

After decades of the unrestricted “Wild, Wild West” of the Internet, complying with consumer rights granted by data security and privacy regulations like GDPR and CCPA in the evolving digital landscape has likely become a struggle if your company is built with consumer and customer data. And frankly, there are few businesses, if any, that aren’t.

While complying with these complex provisions has undoubtedly been a bit of a bumpy road for your business, the crux of these regulations is that consumers are empowered to request that you disclose, provide access to, rectify or delete all their personal data. That’s anything from identifiers like names, email addresses, and account numbers, to commercial records like browser history, cookies, and online transactions. And when those data subject requests come in, it’s up to you to fulfill them across any and all systems where personal data resides.

Easier said than done, right?

Orchestrating compliance requests involves a complex workflow of verifying the request, finding the data—whether in-house legacy, cloud-based, data warehouse, or third-party systems—and going through all the steps within each system to fulfill the request. Depending on the size of your business, orchestration encompasses dozens, or even hundreds, of systems that collect and store data in multiple formats across multiple business units.

Think about it. All of advertising and personalization depends on personal data—what you buy, where you live, where you go, and even what you look like. You can be guaranteed that no matter what your business, personal data about your customers resides in far more places than just your CRM. It’s in everything from financial and customer-service systems, to logs, developer data stores, backups, websites, and all over the cloud. To complicate matters, a customer may be John Smith in one system, reward member #45783290 in another, and cookie AqfaAU9kUEpEbAtlD in yet another.

Much like a conductor charged with directing dozens of instruments across various sections all playing a different score, no job in data compliance is more difficult, and more important, than orchestration. But unlike the conductor who knows exactly when and to whom to wave the baton, the time-consuming and daunting task of orchestrating data compliance requests is lumpy and unpredictable; there is no warning and no ability to plan, causing your business to scramble and disrupt daily business operations.

Sure, you have spreadsheets, documented procedures, or even third-party ticketing solutions to help you organize requests and cobble together your workflow for determining all affected systems and those responsible for fulfilling data subject requests within each of those systems. But regardless of how efficient your approach and the fictitious claims of “automation” from third-party privacy and ticketing solutions, the actual process required to manually remove personal data from every system takes time and resources.

Amidst the legal and regulatory risk of compliance and the manual, error-prone process of responding to data subject requests, you are not alone if you’ve found your business needing to hire more staff, tying up your development team, or simply pushing out all the work that you do to grow your business—all of which are bad (and expensive) choices. These are, however, choices you don’t have to make.

We built Ketch to automate the capture and fulfillment of consumer data subject requests. We actually automate workflow—not just the creation of tickets—to give you robust orchestration without having to conduct a complex symphony of systems, ending your compliance headaches and doing away with that $100K data compliance analyst job you posted last week.

Click HERE to schedule your demo and learn how Ketch can help your organization automatically orchestrate data subject requests to cost-effectively and easily comply with privacy regulations.

Stop Worrying About Regulations

To stay compliant, focus on fixing your data-tech stack

For global businesses, the data-privacy rulebook isn’t getting any shorter. The GDPR and the CCPA are just the tip of the iceberg; over 80 countries have passed or strengthened data privacy laws. Industry-specific regulations such as HIPAA and FERPA further complicate matters, while COVID-19 contact tracing will open a whole new Pandora’s box of regulatory complexities. With China and India also joining the party, the regulatory landscape will only grow more tangled in coming months.

There’s no way to avoid all those rules and regulations. Data, not oil, is the fuel powering our economy, and we’re using more of it than ever. New innovations such as AI and IoT constantly add to the torrents of data inundating businesses: a single smart-car produces 300 terabytes of data a year; by 2025 the world will generate a colossal 175 zettabytes of data a year. Companies can no more opt out of using data than a fish can opt out of the ocean.

But managing all that data while simultaneously complying with a constantly changing and growing body of regulations is a major challenge, one most companies aren’t equipped to handle. Firms typically respond to new regulations by patching their data management tools to ensure data is handled correctly, but taking an iterative, point-solution approach while navigating the expanding global regulatory morass is like playing Whac-A-Mole — except that the field is growing, the moles are proliferating, and you have only a single mallet. No matter how fast you hammer, you’ll never be able to keep up.

That’s the bad news. But there’s good news, too. While the challenges are real, there’s also a real and practical solution that can help businesses to stay compliant amidst a sprawling and ever-changing regulatory landscape. And paradoxically, the best way to stop the bleeding and stabilize the patient is to stop worrying so much about regulations.

Put Data First

Obviously, you can’t ensure compliance without paying attention to regulations. But that doesn’t mean everyone in your organization should be constantly fretting about how regulations affect them.

Under the current paradigm, when new regulation is enacted, businesses have to gather together everyone — business leaders, legal experts, developers, and so forth — to hammer out a fix. That’s fine when you’re dealing with modest amounts of data and a circumscribed body of regulations. But when you’re dealing with rapidly changing data and regulations on a global scale, it simply isn’t sustainable. All too soon, you’re left with a patchwork of point solutions — complex, brittle, failure-prone, and impossibly expensive to maintain.

This Rube Goldberg approach to regulatory compliance also takes up huge amounts of time and energy, driving up costs and distracting your legal, business, and technical teams from more important matters. It also stifles innovation and slows product development as engineers shelve other projects to bolt yet another set of unscalable compliance solutions onto an already struggling tech stack. And it forces legal and business stakeholders to second-guess what’s technologically possible, and engineers to parse the nuances of statutes and regulations as they struggle to ensure their code is compliant.

What’s really needed is a more efficient approach: not an all-hands effort to rebuild your data management system each time a new regulation comes along, but rather a mediating layer between legal and business experts, on the one hand, and developers and engineers on the other.

Instead of treating compliance as a regulatory problem, treat it as a data-processing problem — and build a data-tech stack that’s capable of natively supporting any new regulations, and of applying changes seamlessly across your entire data set without requiring legal folks to understand code, or developers to understand the fine points of privacy statutes.

A Scalable Solution

That’s where Ketch comes in. Our platform decouples your data handling and compliance processes by establishing a central control system that lets you update data governance protocols without ever touching the code driving your data-handling tools.

By separating these functions, we free legal and business teams to focus on articulating a data governance worldview that’s aligned to the latest regulatory requirements, and to consumer needs and rights, without worrying about execution. On the tech side, developers can integrate data-handling systems with the data governance module once and once only, and never worry about compliance again.

Sound too good to be true? Here’s how it works:

First, using our simple but feature-rich Regulatory Harmonization tools, legal and business folks develop policies setting out what’s allowed and what’s not. Imagine TurboTax, but for privacy regulations instead of the tax code: a simple, slick dashboard that requires no technical expertise, but lets you draw on Ketch’s experience and templates, plus your own industry knowledge, to create a customized rulebook that determines precisely how your company can handle data.

At this point, the legal and business team’s work is done, but Ketch is just getting started. Based on the policies you’ve defined, we automatically generate permits — a kind of smart contract that sets out the precise rights and obligations of every user or piece of data in your system. Enforced through high-end encryption, the permits make it literally impossible for data to be used incorrectly, much as DRM makes it impossible for IP assets to be improperly shared.

Finally, we assign each piece of data a unique identifier, a bit like the barcode that identifies every can on a supermarket shelf. That’s important because it’s the only piece of our system that developers need to worry about: using a simple API, developers can use that identifier to check whether a specific action is permissible for a given piece of data. They never have to interpret the rules themselves — they just ask the question, and get a straightforward answer.

The power of that approach should be obvious. If a new law is passed, or an old one changes, the only people who have to worry about it are your legal and business team. They can implement the new policies, and know that their changes will propagate instantly across the company’s entire data infrastructure. And because compliance is handled centrally, your codebase never changes or needs revising — while the permitted actions for any given user or bit of data might change, the infrastructure itself remains the same.

The result: a top-to-bottom governance system that ensures future-proof compliance without forcing you to rewire your data infrastructure. Policy changes propagate through your system automatically, even extending downstream into middleware, or to partners and consumers who access or use your data. And because you’re no longer working with a patchwork of point solutions and custom fixes, the entire network is more secure, more efficient, and easier to maintain.

Deploy Once, Secure & Comply Everywhere™

For too long, digital enterprises have been running to stand still when it comes to data compliance. It’s time to get off the treadmill, and find a new, genuinely scalable approach that treats data compliance first and foremost as a data-processing problem.

Ketch is that solution. Just as Stripe revolutionized online payments with an API approach, so we’re turning data compliance into a solvable problem. No matter how quickly regulations change or how fast your business grows, you’ll never have to waste time rewiring your data management tools — you’ll just update your data policies, and get back to serving your customers.

Global regulators aren’t about to stop passing privacy laws, but you don’t have to let your company get swept away by the deluge. If you’re ready to stop playing catch-up, get in touch today, and let Ketch change the way you think about compliance.

A Primer on Data Privacy

What is data privacy and why does it matter? How did we get here, what does “here” look like, and what’s ahead?

At a recent Ketch meetup, I presented a primer on data privacy, exploring the past, present, and future of privacy law. Below are my slides, as well as summary takeaways.

Thanks to those of you who attended our virtual event! Join Ketch’s #PrivacyTech group for updates on our upcoming meetups.

Key Takeaways

  • Data Privacy is here to stay
    • Global regulations are increasing in number and severity.
    • Growing demand for privacy experts in tech.
    • Everybody needs to know the basics, and it’s not rocket science (credible online resources are everywhere).
  • Know the privacy lingo
    • GDPR: personal data, legal basis, controller, processor, sub-processor, data subject, DSR, DPIA.
    • CCPA: personal information, consumer, business, service provider, business purpose, sell.
    • Other: HIPAA, COPPA, PII, PHI.
  • Data isn’t dead
    • Data + Privacy is more than the sum of its parts.
    • The laws still allow enough flexibility to use data. Yes, everything is harder now, but it was too easy before.
  • Practice privacy-by-design and privacy-by-default.
  • Be vigilant: there are lots of bad (or ignorant) actors out there.

Respect data, respect privacy!

Meetup Slides

