The Ketch Guide to GDPR Compliance

The General Data Protection Regulation, or GDPR, is a European regulation with sweeping consequences for virtually any business that operates in Europe, or serves European users or customers in any capacity. Introduced in 2016, and fully implemented in 2018, the GDPR has become a model for data-privacy laws around the world. But understanding and ensuring compliance with the original GDPR remains a significant challenge for businesses.
‍
We’ll explore the new data privacy obligations that businesses all over the world now face, and explore the steps that are needed to keep your company and your customers safe in the new era of global data-privacy regulation. Wherever your company is on that journey, reading this guide is the first step toward full GDPR compliance.

The GDPR can seem complicated. In practice, though, the 88-page regulation has a straightforward goal: to secure eight key rights for people whose personal data is collected or used by businesses and other organizations:
‍

While the eight key rights are themselves fairly easy to understand, they add a critical new layer of complexity to the operations of virtually any organization that collects or uses personal data. To comply with the GDPR, it isn’t enough to simply request consent before collecting data: you need to treat consent as a living document that can be retracted or amended at any time, and you need to put systems in place to track a user’s data across your entire data ecosystem.

You need to ensure you don’t use data in ways for which users haven’t given ongoing consent, and you need to ensure that any vendors or outside partners that handle your data are also able to rapidly adapt to changes in user consent, and to provide the tracking and reporting that’s required under the GDPR.

The GDPR is a European regulation, and as you’d expect it affects virtually every business that operates in the European Union. But don’t assume you’re safe just because your business is headquartered outside the EU. If you have any business dealings with people who are based in Europe, you could fall under the purview of the GDPR.

Any company with a physical presence in Europe will almost certainly be subject to the GDPR. Even a company that doesn’t collect data about customers will likely collect data about its employees, and thus need to comply with the GDPR.
‍
But the GDPR also applies to companies serving European customers, even if the business itself is based elsewhere. If you ship your products to a customer in Belgium, for instance, you’ll need to handle that customer’s data in GDPR-compliant ways.

And don’t assume that you’re safe just because you aren’t selling into European markets. If your digital services or websites are accessible from Europe, you’re likely collecting data about Europeans who browse your online offerings. That alone is enough to trigger the GDPR, even if you never receive a single euro from those digital visitors.

The bottom line: no matter where you’re based, and no matter the size or nature of your business, if you collect any data pertaining to a person based in the European Union—from a customer’s phone number to a website visitor’s IP address—then you need to pay attention to the GDPR.
‍

The GDPR is designed to get results by hitting noncompliant businesses where it hurts—their bottom line. The maximum penalty for infringements is the greater of €20 million (about $24 million) or 4% of annual global turnover—so for big multinational firms, potential fines can reach eye-watering sums.

In practice, data regulators set fines using criteria that include the seriousness of the regulatory breach, the offending company’s past compliance (or noncompliance) with the GDPR, and efforts taken to cooperate with investigators and mitigate the harm done by any regulatory breach.

It’s important to remember, too, that companies are fully liable not just for their own noncompliance, but also for the noncompliance of any third parties (such as email or cloud-storage providers) that handle their data. The only way to avoid penalties for the actions of third parties is to prove that your company was “not in any way responsible for the event giving rise to the damage”—a very high bar to clear.

And the regulatory fines are just the beginning. Article 82 of the GDPR also allows people whose data is improperly handled to receive compensation for both material and non-material damage they suffer as a result. That means if someone suffers financial losses, or even simply gets stressed out, as a result of your noncompliance, you could find yourself facing additional penalties.
‍

The Penalty Box:
These three firms were hit with the steepest GDPR fines to date

Don’t assume you’re safe just because your company isn’t a household name. While large multinational firms draw the most regulatory attention, even small businesses are now being hit by enforcement actions and landed with fines totaling thousands of dollars.It’s also important to remember that while European regulators might not have direct jurisdiction over companies that don’t have a physical presence in Europe, that doesn’t mean it’s totally toothless.

If you’ve read this far, you know that building a GDPR-compliant business is important, but also far from easy. Here are six key steps every business should take to ensure they don’t fall foul of regulators:

Meeting your company’s obligations under the GDPR can seem daunting, especially if you aren’t a regulatory or policy specialist. But the good news is that when you partner with Ketch, you don’t need a law degree to ensure your company is fully compliant.

Our SaaS approach to compliance lets you set broad policies for how data is handled, then tags every single piece of data you collect—from a user’s name or location, to the specific ways they’ve consented to their data being shared—with permits that determine how that data can be used.

That’s a game-changer, because it enables your developers to simply query whether a given action is permissible for a given piece of data. That fully automated process ensures developers can do their jobs without fretting about regulations. And it enables your policy specialists to easily tweak the way data is used, secure in the knowledge that any changes they make will ripple through your whole data ecosystem, including vendors or third-party companies using your data, to ensure complete compliance without messy under-the-hood changes to your codebase.

In addition, the Ketch platform features:‍

• Data Mapping & Data Discovery Tools
• Consent & Preference Management
• Risk Assessments & Reporting
• Data Subject Rights (DSR) Fulfillment

And much more.
‍
Get in touch today to learn more about how Ketch can help make your company fully GDPR compliant—with built-in futureproofing, and no headaches for either your developers or your policy team.