Category Blog

Data Privacy is Evolving. Are You Getting Left Behind?

Organizations shouldn’t settle for outdated data privacy solutions 

Data privacy is a big deal for modern enterprises, with 44% of CEOs now saying that data privacy policies are among their businesses’ top concerns. In the post-GDPR world, the regulatory landscape is growing increasingly far-reaching and complex: by 2023, it’s expected that 65% of the world’s population will be covered by modern privacy regulations, up from just 10% in 2020. 

Complying with all those rules isn’t cheap. By 2018, Fortune Global 500 companies had spent $7.8 billion preparing for GDPR. Three years later, the average cost of data privacy compliance for multinational corporations is still over $3.5 million per year. But despite these investments, people don’t feel more secure. In fact, almost half of Americans believe their data is less secure than it was five years ago, and 45% say they’ve been personally impacted by data breaches. 

What does this all mean for your business? Well, with regulators and consumers paying close attention, it means you need to put a tough, effective data-privacy solution in place. But the industry is constantly evolving, so the data-privacy tools that suited your business a year or two ago may not be the best solutions for the new regulatory and technological challenges you’re now facing. To keep your business and your customers safe, it’s essential to keep on evolving, and to ensure you’re using up-to-date tools that are optimized for your organization’s current needs. 

Has your tech stack gone stale?

Your data privacy solutions shouldn’t require constant attention and oversight — that’s why they’re called “solutions,” after all. But that doesn’t mean you can have a hands off approach to your data-privacy tech stack. No matter how good your privacy solution was when it was first implemented, time marches on. 

First-generation data privacy solutions took a formulaic, responsive approach: checklists, reflexive efforts to patch privacy gaps or compliance risks, and cookie-based quick fixes and were the order of the day. That was a necessary first step toward ensuring data privacy. But in today’s more complex and interconnected world, such tools can’t deliver the robust, flexible solutions needed to orchestrate rich, ever-changing consent signals seamlessly across organizations’ entire data ecosystems. 

Enterprises now operate across multiple jurisdictions, and need to manage consumers’ privacy across multiple domains, devices, and touchpoints. Customers’ privacy expectations must be honored across your organization, and also in downstream partners’ data systems — even if those systems weren’t built with privacy in mind. The data privacy challenges organizations now face have evolved significantly, and new solutions are needed to meet those challenges. 

Even if you’ve already built out your data privacy infrastructure, in other words, it’s worth taking some time to diagnose the gaps or shortcomings that may have emerged over time, and to ask whether newer technologies would be better suited to your needs. Now more than ever, the way you handle privacy speaks volumes about your brand, so it’s important to ensure you’re leveraging the latest innovations to deliver the best-in-class data privacy experience that consumers expect. 

It’s time for a checkup

How can you ensure you’re using the right privacy platform for your needs? It’s as simple as conducting a brief review process to clarify your current priorities, assess whether they’re still being met by your existing provider, and figure out whether other solutions would do a better job of meeting your needs. 

Think of it as the equivalent of going for a physical: set aside a bit of time each year for a tech review, and you can ensure your privacy infrastructure remains healthy, up to date, and able to withstand whatever challenges emerge over the following 12 months. 

What should you cover during this checkup? Well, the aim isn’t to run complicated pilot studies or to reinvent the wheel by rebuilding your data infrastructure from the ground up. Instead, you should simply aside some time to take the pulse of your existing solution, explore what else is out there, and make sure you’re using the best available tools for your specific use-case.

It’s worth asking, for instance, whether your existing solution can handle the full range of rules and regulations that affect your business — and those that could affect your business as it grows or enters new market sectors or jurisdictions. It’s also worth asking whether the tools you’re using are doing enough to ensure seamless, fully automated, and verifiable orchestration of data subject requests or consent signals across your entire ecosystem, including outside partners. And it’s always worth paying attention to the user experience: are you able to customize privacy messaging, styling, and timing to ensure your end-users have a pleasant and on-brand experience when using your site or service? 

These are just some starting points — check out the Ketch buyer’s guide for a full breakdown of the issues you should aim to address while reviewing your data privacy infrastructure. Bear in mind, too, that the best time to embark on this process is before you renew your vendor contract for another year. You wouldn’t sign a new contract without doing due diligence, and neither should you renew with an existing vendor without making sure it’s truly the right move for your business. 

Give Ketch a call

At Ketch, we know that in today’s increasingly complex and demanding world, enterprises can’t afford to compromise when it comes to managing data privacy. We’re also confident that our data privacy technologies are the best solution for virtually any use-case, and that our best-of-breed technology can measure up to anything else on the market. 

We think you’ll feel the same. That’s why we encourage you to consider your evolving needs, take a long, hard look at our competitors—and then reach out to Ketch. When you’re ready, our team will be standing by to help you analyze your needs, identify the data-privacy approach that’s right for you, and implement a resilient, best-in-class solution optimized for the unique needs of your organization.

What Kind of Data Privacy Solution is Right for You?

Finding the right privacy tech starts with asking the right questions.

To keep your organization’s data privacy solutions up to date in a rapidly changing world, it’s important to set aside time for regular reevaluations of your existing tech stack. No matter what industry you serve, regulations and technologies are always changing, so best practice is to schedule an annual checkup to ensure your current set-up is still delivering the optimal solution for your needs.

As part of that process, you’ll need to evaluate your existing data-privacy tools, and look at other offerings to make sure you’re using the solution that’s best for your business. First, though, you’ll need to take a look in the mirror — because you can’t figure out what’s right for your organization unless you know exactly how your organization currently handles data.

Effectively, this boils down to making sure you understand exactly what kinds of problems your data-privacy solution needs to be able to solve. That means looking at three key areas: your current data usage, the current and forthcoming regulations that affect your business, and the different stakeholders within your organization who will need to use your data privacy solutions.  

Understanding your data use

To get to grips with the way your organization currently uses data, you’ll need to understand the purposes for which your organization collects and processes data. Is your end-goal to create better analytics, to provide personalization, or something else entirely — and how is that intent reflected in the data-privacy infrastructure you’ve built?

Once you understand the end-goal of your organization’s data usage, you can start to explore the way that data flows through your organization, and the way that consent signals and data subject requests ripple through your ecosystem. Start by asking the simplest questions: how many people visit your website, what devices are they using, and where are they located? From there, you can move on to examine the way that your organization collects and processes consent signals and data subject requests, and inventory the systems you’re using to honor users’ preferences, permissions, and requests. 

You’ll need to look carefully at the internal systems your organization uses to manage data — but since data often flows beyond outward, beyond the borders of your organization, you’ll also need to look at your partners’ data processes. How are the consent and data requests you receive being propagated out to the partners who handle your data, and how are you verifying their compliance?

As you examine these factors, think about whether your existing infrastructure is aligned to your current needs. If your answers to the questions you’re asking have changed since you first built out your data-privacy infrastructure, you’ll need to carefully consider whether your existing tools are still meeting your needs as well as they should.

Understanding the rulebook

Once you’ve taken the pulse of your privacy operations, it’s time to look at the regulations to which you’re subject. The specific toolkit you need will vary depending on whether you’re trying to ensure compliance with the GDPR, the CCPA, or something else entirely. 

Make sure you pay attention to pending regulatory action, too, and also to your own strategic plans — if you’re preparing to move into a new market, you might find yourself subject to new rules. Your legal team should be able to tell you whether the rules have changed since your data privacy tools were first implemented, and whether any further changes are in the pipeline. Since many regulations are still evolving, your team’s interpretations of the rules may also have changed over time as new rulings are issued or new best practices are established. 

Given the rapid pace of regulatory change, most organizations find they’re better served by a dynamic and adaptable data-privacy solution, rather than a series of static point solutions for a specific body of regulations. Make sure you ask how flexible and futureproof your current system is, and whether it will be able to evolve and grow along with your business needs.

Understanding your internal teams

While the process of buying data-privacy systems is often driven by a single business unit, it’s important to bring all your organization’s different stakeholders into the review process. After all, if you ask an IT manager or your head of engineering what they want from a data privacy system, you’ll likely get a very different answer than if you ask your CISO, your legal team, or your sales and marketing division. 

Privacy is a team sport, and your goal should be to find a data-privacy solution that can address all the different interests and needs of teams across your organization. That’s especially important when it comes to balancing the priorities of teams that might seem to have conflicting needs or goals. Your solution shouldn’t empower your IT team at the expense of your legal team, for instance — it should give both teams the tools they need to work, both collaboratively and independently, toward their goals. 

The key is to understand each team’s needs and challenges, and to seek out a data privacy solution that gives every member of every team exactly what they need to do their job. Your solution should help to elegantly defuse tensions between business units, not exacerbate them or create new points of conflict.

Putting it all together

After going through this three-part diagnostic process, you’ll be left with a clear understanding of how your organization handles data, what rules it’s subject to, and which business units have a stake in the way data privacy is handled. Collectively, these represent your data privacy needs — and armed with these insights, you’re ready to go out into the data security marketplace and see which solutions can deliver the performance you require. 

We’ll cover that in our next blog post, but if you want to get the ball rolling right away, feel free to reach out. At Ketch, we believe that our job is to satisfy as many all three of these needs simultaneously — and we’re confident we can outperform any other data privacy tool currently on the market. Get in touch today to find out why, and to learn how our solution can deliver the performance your organization needs.

Treat People as People with Privacy-centric Identity Resolution

Privacy regulations address ‘Natural Persons’ but online, we’re a collection of fragmented digital identifiers

Businesses must be empowered to overcome the identity problem, that is, to see people for who they are, recognize them when their privacy wishes need to be honored, and do so across every touchpoint and system.

The challenge is that for most people, their online activity is fragmented across a number of digital identifiers, such as email addresses, mobile advertising IDs and browser IDs. 

Privacy regulations address personal data across digital and ‘pseudonymous’ identifiers, but the legal rights belong to citizens, individuals and ‘natural persons’. 

For example, GDPR applies to data on a ‘natural person’, but online, that data is associated with digital IDs – a natural person has the legal rights, but it could be a cookie or other digital ID with the personal data. It greatly benefits businesses to understand the connection between real people, and digital IDs, to know when they are dealing with Jane, and when they are not.  

Harmonizing all the online activity to a ‘natural person’ requires a privacy-positive approach to identity resolution. 

It’s about treating people as people

When Jane expresses a preference in an email form, a mobile app, a website, or a phone, those expressions must be reflected against the person, not an isolated digital identifier. To solve for this, consent provided by Jane on your mobile website or app, could be associated with the responsibly gathered IDs and devices connected to her, ensuring an efficient and optimized privacy experience.

Privacy-first identity resolution is an alternative to the God’s-eye view that utilizes third-party identity assets to reconcile every user -- which, of course, would be terrifying for privacy -- the objective must be to make it as easy as possible for people to express their privacy priorities and then leverage all the identity assets a company has responsibly gathered, without unduly burdening people with too many requests and extra hops and go-do’s.

Responsive Infrastructure for a Flickering Policy Regime

By 2023, 75% of the world will be subject to modern privacy regulations, according to Gartner. 

The United States is in the eye of the storm, where jurisdictional complexity in data privacy is rapidly reaching Category 5 intensity. In California there’s the CCPA and now the more draconian CPRA. Virginia has enacted a new data privacy law, which, of course, is not the same as California’s. To underscore the mounting complexity, New York is contemplating a law that has elements of affirmative/opt-”in” consent -- something present in neither Virginia nor California law

In addition to new sets of regulations, existing regulations are in flux. California’s move from CCPA to CPRA is instructive: CCPA was on the books for less than two years before its successor, CPRA, was enacted, and there: 

“the prospect of further rulemaking will make it hard for companies to take significant steps toward compliance, as the CCPA rulemaking experience has demonstrated the potential for rulemaking to create significant changes”.

Just as we have failed to develop coherent, unified regulations regarding climate change, migration, trade, and many other dynamic, cross-border phenomena, it is unlikely privacy regulations will congeal into a unified, global standard. 

As regulations and their interpretation evolve, keeping up with a flickering regulatory climate shouldn’t require expensive feats of engineering in support of ad-hoc compliance programs.

Playing whac-a-mole is not a viable or durable strategy for data privacy.

Compliance tools must provide the flexibility to respond to new and changing regulations, with the granularity to build tailored privacy programs across multiple regions, and the connectivity to data systems that ensures policy stances are realized and enacted, rather than lying inert in a document or privacy policy somewhere. 

At Ketch, a mastery of data control solves for jurisdictional complexity, and future proofs your business against the impending storm. Our Deploy-Once, Comply-Everywhere Policy Center leverages the building blocks of modern privacy, applied to granular data sets to provide the flexibility and adaptability to respond to new and shifting global regulations:

  • Individuals about whom you hold data -- who is it about
  • Categories or attributes of the data -- what is it
  • Uses, or purposes of data processing -- how can you use it
  • Legal basis for processing, by jurisdiction -- why you can use it based on where the individual is located

The leaders in the data privacy revolution are recognizing the rising urgency of data privacy and are re-tooling to meet it. They are adopting responsive and responsible infrastructure that future-proofs businesses against the constant flickering in privacy codes, regulations, and norms. 

Systemic Embrace: The Coexistence of Data Dignity, Compliance and Growth

In the often dizzying and confusing arena of data privacy, a new normal is rapidly unfolding, a paradigm that elevates data rights and data dignity. Characterized by a wave of new regulations and competing imperatives, the complexity of this new paradigm can overwhelm and paralyze business leaders searching for the ideal and responsible path forward. 


Many believe they face an impossible Sophie’s Choice: Dismiss privacy requirements and use personal data to grow -- or comply and stagnate. 

They are wrong.

There are leaders who understand the opportunity inherent in respecting data privacy and data dignity and they grasp that it’s possible to build value while honoring values.

Steve Jobs was leading the way in 2010:

“I believe people are smart and some people want to share more data than other people do. Ask them. Ask them every time. Make them tell you to stop asking them if they get tired of your asking them. Let them know precisely what you're going to do with their data.”

Effective solutions that respect and protect data privacy build trust with consumers. It veins with responsible stewardship of data and abides by Steve Jobs’ admonition to ask customers about data uses and to keep asking about their needs, wants, and priorities.

Most of all, it puts customer prescriptions and desires around the allowable use of data into action. Doing so builds trust, and building trust fuels privacy-compliant data stores -- the precondition for successful operations and AI.

Leaders like Microsoft CEO, Satya Nadella, are doubling down on the idea of data dignity as an extension to data privacy.

At the 2020 World Economic Forum, Nadella declared that data privacy at an individual level needs to be thought of as a human right and called for further work on the concept of “data dignity”:

“It’s not just ‘privacy’ and ‘oh, I give away my data’. I should be able to control in a much more fine-grained way how my data is being used to create utility for me and the world and the causes I care about”

When it comes to managing the interplay between the promise of data and the imperative for privacy, companies fall into four basic states: resigned surrender, wishful denial, ruinous inertia, or systemic embrace. 

Ruinous inertia: These companies don’t pursue data-driven initiatives or invest in their enabling tools and processes, yet also fail to comply with basic privacy regulations governing their interactions with employees, partners, and consumers.

Resigned surrender: These companies have resolved that the risks of non-compliance are existential and therefore too perilous to ignore, and on that basis have opted to suppress their collection and usage of data across multiple channels and platforms (particularly digital marketing initiatives that depend on consumer data). 

Wishful denial: These are companies who take liberties with data and blast full steam ahead with the quiet recognition that they’re non-compliant with regulations they know pertain to them. They are either in denial about the risks, or in denial that their non-compliance could ever be discovered or significantly damage their business. 

Systemic embrace: These companies recognize the risks of non-compliance, the opportunities that come from cultivating privacy and greater trust with stakeholders, and the strategic imperative to participate fully in the data AI revolution. They reject Sophie’s Choice and are committed to the systemic pursuit of compliance and growth.   

Systemic Embrace is the path to peaceful -- and profitable -- coexistence of data dignity, compliance and growth. It recognizes the rising urgency of data privacy and the enduring premise of data-driven growth.

To learn more about how businesses are responding to the complexity of privacy- check out the Ketch Privacy Primer Part 2 here.

Meet Ketch: Deploy-Once, Comply-Everywhere Data Privacy For the Enterprise Has Finally Arrived

If you’re past a certain age, you can remember back to the dawn of digital advertising. It was chaotic and inefficient: each banner ad was crafted like a piece of artisanal chocolate and hard-wired onto each web page manually by an HTML coder. It took years to evolve into the fully automated ad-serving platforms we all take for granted today, where anyone with a website who wants to participate in the ad-driven economy can “set it and forget it.”

Data privacy today is in the same primitive, manual stage that digital ads were all those years ago.  Companies think privacy is complicated to implement because there’s no technology yet to make it programmatic. 

This is the problem we set out to tackle when we launched Ketch. Today we’re thrilled to emerge from stealth and to introduce our tech- and values-driven tools to the world. 

Ketch automates data privacy and governance through a coordinated set of applications, infrastructure, and enabling API’s.

What makes us different from other data privacy and security companies is that we do the heavy lifting of enacting privacy “behind the screen.” We integrate consumer privacy preferences programmatically into internal systems and external platforms -- customer relationship management, e-commerce, martech, analytics, and more.

For the past several years, we’ve watched with frustration as the debate over data privacy too frequently devolved into a zero-sum tradeoff: capture and use data to grow, or respect privacy but suffer the competitive consequences. 

That choice seems crazy to us. Data compliance shouldn’t be a moral or operational dilemma. Sure it’s a challenge, but one that technology guided by clear principles and great architecture can solve.  

As we got to work solving this challenge, we built Ketch on two core beliefs.

First, privacy is an essential human right. On the heels of corporate data breaches and growing understanding of Big Tech’s disrespect of consumers’ data, citizens and governments demand that our right to privacy be honored, monitored, and enforced. 

Second, data is fuel for GDP and growth. As long as they follow the rules, businesses should be able to acquire and use data in above-board, ethical ways. 

We reject the Sophie’s Choice that suggests a company can capture and use data to grow, or sacrifice advantage from data to comply. We see too many businesses overwhelmed by the proliferation of data regulations and the armies of well-meaning privacy lawyers explaining them all, without any means for enacting them into their own data systems. 

As data management geeks, my team and I appreciate and understand the rules, but we decided it was time to build tools that respect the data rights of consumers and companies alike. We’re incredibly excited about how it turned out. 

My co-founder, Vivek Vaidya, and I have spent more than two decades building leading data platforms, including Krux, acquired by Salesforce, and Rapt, acquired by Microsoft. And we’re thrilled to have secured $23 million in Series A funding from super{set}, CRV, Acrew Capital, Ridge Ventures, and Silicon Valley Bank to help us and our team of DreamKetchers execute the sprawling vision and multi-year plan we’ve laid out for ourselves. 

Ketch is live with dozens of happy customers today, and we stand ready to help your business embed trust and privacy into your core operations while harnessing data to fuel top-line growth. If you’re a doer who wants to help the world move from rules to tools that respect our data dignity and you’re looking for a new company-building opportunity, give us a call.

What Constitutes a “Sale” of Privacy Information under CPRA/CCPA?

The California Consumer Privacy Act (CCPA) that went into effect on January 1, 2020 and the recently approved California Privacy Rights Act (CPRA) that will supersede CCPA come 2023, are applicable to any for-profit business in California that meets any one of the following thresholds:

  • Annual gross revenue in excess of $25 million
  • Buying, receiving or selling personal information of more than 50,000 consumers or households (expanded to 100,000 under CPRA)
  • Earning more than half of your annual revenue from selling personal information

If your revenue is less than $25 million, your customer base doesn’t exceed the threshold for the number of consumers or households, and you’re not earning revenue by selling personal information, you probably think that your business is exempt. However, under CPRA/CCPA, the definition of “selling” is not confined to the classic sense of the word but rather is broadly defined. That means you could technically be selling personal information, even if you don’t think you are. It’s therefore important to know what constitutes a “sale.” 

What’s in a Word?

CCPA/CPRA defines a “sale” of privacy information as “selling, renting, releasing, disclosing, disseminating, making available, transferring or communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or their party for monetary or other valuable consideration.” 

While this remains a vague aspect of the law, one can conclude based on the definition that even if your business is not directly being paid for consumer personal information (i.e., name, social security number, email or IP address, Internet browsing history, etc.), any such information that you make available by other means could still be considered a sale if you’re receiving “valuable consideration” in return. But what exactly is valuable consideration?

California law defines valuable consideration as any benefit, meaning it can be non-monetary such as assets, inventory, a service, discounts, promotion, or intellectual property. Really any tangible or nontangible business asset can potentially have valuable consideration. This includes targeted advertising based on a consumer’s behavior or preferences acquired via Internet analytics or tracking cookies. But there are exceptions.

Exceptions to Every Rule

First of all, under CCPA/CPRA, “selling” only refers to providing privacy data to third parties, which does not include service providers or contractors that perform a service required for your business to function. For example, if in selling your product or service, you provide personal information to a credit check bureau or fraud detection service to protect your business, this does not constitute a sale. In this scenario, service providers and contactors are also prohibited from “selling” personal information, and it’s up to you to ensure this requirement is covered in any terms and conditions. 

Another exception to disseminating privacy data occurs if your business has previously provided personal information to third-party entities and a customer then chooses to opt out—you’ll need to provide that customer’s identification information (i.e., email, account numbers, etc.) to third parties so they too can comply with the opt-out request. Additionally, if you’re selling assets as part of a business merger or acquisition to a third party that will take over control of the business, the transfer of personal information does not constitute a sale. And of course, if a consumer opts in, disseminating that user’s personal information also does not constitute a sale.

How Can You Be Sure?

At this time, it remains somewhat unclear as to whether all disclosures of personal information to third parties constitutes a “sale” under CCPA/CPRA. As specific legal cases arise and the California Privacy Protection Agency (CPPA) ramps up audits, enforcement, and education, it may become increasingly clear what constitutes a sale, but that doesn’t mean compliance can be put off until tomorrow. Rather than waiting for clarification and risking the penalties of non-compliance, any business handling privacy data would be wise to assess their risk today. And in today’s data-driven economy where information drives business decisions, it’s more than likely that you’re handling personal information.  

With cybersecurity attacks on the rise and users becoming increasingly concerned about how their data is used, you need to be sure that you’re maintaining consumer trust. To that end, it is recommended to engage with CCPA/CPRA legal and data experts to conduct a thorough data mapping that identifies all the ways your business systems acquire and disseminate personal information. These experts can help assess your risk and implement necessary orchestration policies and procedures to prevent any potential non-compliant “sale” of information. Because even if your business is unknowingly selling information per the definition of CCPA/CPRA, you can be held liable. 

CCPA/CPRA privacy data compliance is complicated. But with Ketch, it doesn’t have to be. Learn how we can help your business with data privacy today to reduce your risk tomorrow.

Do You Have a “Legitimate Interest” in the Data You Collect?

Under the GDPR, consent isn’t the only lawful basis for data processing

The European Union’s General Data Protection Regulation (GDPR) says that in order to collect and process personal data, an organization must have a “lawful basis” to do so. There are six specific ways that organizations can achieve that, and most are relatively straightforward: you’re in the clear if a data subject explicitly consents to a given use of their data, for instance, or if there’s an legal requirement for you to collect and process data in a certain way. 

But there’s one lawful basis that’s simultaneously widely used and poorly understood: the “legitimate interest” basis for data usage. According to the GDPR, data processing is lawful if it is “necessary for the purposes of the legitimate interests pursued by the controller or by a third party” — unless those legitimate interests are “overridden by the interests or fundamental rights and freedoms of the data subject.” 

On the one hand, the GDPR clearly suggests that organizations can lawfully use personal data if they really need to. But it also clearly says that the “legitimate interest” basis for data processing can be canceled out by the countervailing interests of the data subject. That’s a tricky needle to thread: how can organizations decide whether their interests are “legitimate,” and how are they supposed to figure out whether their interests are “overridden” by those of the data subject?

The three-part test

The GDPR doesn’t clearly explain what constitutes a “legitimate interest,” so this is something organizations have to figure out for themselves on a case-by-case basis. The GDPR offers some examples of legitimate interests, such as use of client or employee data, fraud prevention, marketing, or identifying security breaches. Still, there are no hard-and-fast rules on which organizations can rely to ensure they’re covered by a “legitimate interest” basis for data processing.

Because of that, it’s helpful to think of the “legitimate interest” basis as a process rather than simply a set of fixed criteria. To meet your obligations, you need to be able to show that you’ve weighed your own “legitimate interest” against the interests of data subjects. The British Information Commissioner’s Office suggests using a three-part test to figure out whether your “legitimate interest” claim holds water:

  1. First, your data processing should have a clear purpose that serves either your organization’s interests or those of a third party. The key here is to be specific: your purpose can’t simply be to process data as an end in its own right, but should be a clear goal that delivers evident benefits to your organization. For instance, a company might have a clear interest in checking that it isn’t being defrauded, or in identifying potential security threats. 

  1. Next, your data processing should be necessary to achieve that goal. That doesn’t mean it’s the only way to achieve a certain goal, but it does mean that your data processing should be targeted and proportionate to your stated ends. If you’re trying to tackle fraud, for instance, you should only be processing data that’s directly related to that goal.  

  1. Finally, your data processing should be balanced against the interests and rights of the data subject. It’s important to show that you’ve carefully considered your data subjects’ rights, and that you’re doing your best to minimize any potential impact on them. This is especially important if you’re handling data pertaining to children, who are singled out for special protection under the GDPR.

Such tests are in some ways more art than science. Still, conducting and documenting a formal evaluative process is vital to show that you’re properly weighing your own legitimate interests against those of your data subjects. 

Expectations and objections

Besides the three-part test, there are two other important factors to consider. 

First, it’s generally acceptable to process data in ways that users should reasonably expect. This doesn’t mean that a specific user has to actually expect their data to be processed in a certain way — just that a reasonable person would likely make that assumption.

This gives organizations some leeway to process data for expected purposes such as fraud prevention or other routine operations. It’s also worth noting that if you communicate your practices to your users, they will be more likely to expect their data to be processed accordingly. A clear, detailed data privacy policy goes a long way toward supporting a “legitimate interest” basis for data processing.

Second, remember that the GDPR gives data subjects the right to object to the use of their data. That’s especially important for data processed under a “legitimate interest” rationale, when there can be grounds for differing opinions about whether data use is justified. 

If a user objects to your use of their data, the onus is on your organization to demonstrate not just that you have a legitimate interest, but a compelling interest to continue processing that data. That’s a high bar to clear, especially since you could face steep fines if you improperly persist in using personal data following an objection. 

Most objections result in organizations either halting data usage or deleting a user’s data. If such objections become widespread, you may need to explore using a different lawful basis to justify your data processing. 

A tech solution

So is a “legitimate interest” basis right for your organization? Well, it’s certainly worth considering if you want to use data in a way that brings a clear benefit to your organization, doesn’t carry significant risk of infringing on data subjects’ privacy rights, and that data subjects should reasonably expect to occur. 

Still, a “legitimate interest” rationale for data processing comes with a unique set of complexities, including documentation requirements and the need to respond quickly and effectively to objections raised by data subjects. 

At Ketch, we specialize in helping organizations to formulate data policies that can be applied instantly across your entire data ecosystem, providing trackable real-time data privacy and compliance capabilities without the need to rewrite code or rebuild your tech stack. If you’re considering using a “legitimate interest” basis for GDPR compliance, get in touch today, and find out how Ketch can take your organization’s data processing to the next level.

The Top 5 GDPR Compliance Mistakes and How to Avoid Them

The European Union’s General Data Protection Regulation (GDPR) is a complex and sweeping data protection law that has left companies all over the world scrambling to rethink their data handling processes.  Unfortunately, ensuring full compliance with the 88-page regulation isn’t easy. In fact, many companies are still making mistakes — and with penalties maxing out at 4% of annual global turnover, in addition to potential damages payable to affected users, slipping up can be costly.

Here are 5 of the biggest errors we see companies making as they figure out how to handle their obligations under the GDPR:

1. Assuming the GDPR doesn’t apply to you

As you’d expect virtually all companies with operations in the European Economic Area are required to comply with the GDPR. But that doesn’t mean you’re off the hook if you’re based elsewhere in the world. Under the terms of the GDPR, companies that collect or process data for the purposes of doing business with European customers must comply with the regulation. An occasional European visitor to your company’s website won’t necessarily trigger the GDPR. But if you’re soliciting business from Europeans, such as by advertising in Europe or including prices in euros, then you’re likely to fall under the regulation. 

2. Misunderstanding the scope of the statute. 

It’s easy to assume that as long as you’re getting users’ consent before you collect their personal data, you’ve insulated yourself against any potential problems. Unfortunately, though, the GDPR is much more far-reaching than that, and collecting consent is only the beginning. The GDPR actually secures 8 key rights for data subjects, including the right to amend or revoke consent; the right to obtain copies of or to amend any collected data; and the right to have their data “forgotten” or completely deleted, or to object to the ways in which it’s being processed. 

For most companies, that can’t be managed simply by asking permission to set various types of cookies to log consent. Instead, you’ll need a systematic approach that lets you track a user’s personal data throughout your system, and ensure it’s never used for purposes to which a user objects. You’ll also need to be able to extract data from your system, explain where and how it is used, or discontinue processing that data on demand. For companies affected by the GDPR, static cookie-based strategies simply aren’t good enough.

3. Counting on partners doing their jobs right.

In the modern world, dataflows don’t end neatly at the boundary of your organization — they spill over to third parties and outside partners. The GDPR makes clear that data controllers aren’t responsible solely for their own handling of a user’s data — they’re also directly liable for any errors or missteps made by other processors, such as downstream partners and vendors, who use the data.

In other words, it’s no longer enough to simply put policies in place to manage your own handling of personal data. You also need to ensure that you’re promptly and reliably communicating with partners about how data can be processed. If your user revokes consent, that signal needs to propagate promptly across your entire data ecosystem, including any third parties who’ve accessed the data, in order to shield you from potential liability for GDPR noncompliance. 

4. Expecting IT pros to be policy experts (and vice versa)

GDPR compliance requires both policy chops (to figure out how personal data should be handled) and IT savvy (to figure out how to implement that across your data ecosystem). Too often policy experts feel obliged to weigh in on IT implementations, or IT teams have to parse the nuances of the statute when writing code. That can lead to mistakes as people step outside their areas of expertise, or slow the pace of innovation as projects are increasingly run by committee and require multiple stages of legal and technical approval.

The key for successful GDPR compliance is to develop an approach that allows legal teams to define acceptable forms of data usage, then rapidly and frictionlessly translate those perspectives into actionable guidance for IT teams. In an ideal world, your legal teams should never need to read a line of code, and your IT specialists should never need to wade into the dense legal language of the GDPR itself.

5. Dealing with the GDPR in isolation

The GDPR has changed the face of global data privacy regulation; increasingly, in the post-Snowden world, regulators are looking to create muscular regulatory frameworks that place significant new burdens on data controllers and processors. But here’s the rub: while many of the frameworks now being implemented share the same goals, they impose unique and varying obligations upon organizations. 

It isn’t enough to simply upgrade your data-handling infrastructure to ensure GDPR compliance. Instead, organizations need to create flexible and responsive systems that can rapidly adapt to new regulations and requirements as they are introduced. From new data laws in California and Brazil to sweeping privacy measures in India and China, organizations need to plan for the future, and put infrastructure in place to help them remain compliant with a fluid and constantly changing global regulatory landscape.

All of these mistakes are easy to make. Fortunately, they’re also easy to avoid. The key is to take the GDPR seriously, and not to try to handle everything internally. Whether it’s mastering the policy nuances or figuring out how to translate them into workable IT and data-handling infrastructure, it pays to partner with a specialist. 

That’s where Ketch comes in. Our founding team’s background in advertising and marketing technologies and data infrastructure gives us a deep understanding of the ways that data flows through modern businesses. We also understand the challenges that companies face as they try to adapt those dataflows to the requirements of the GDPR without disrupting their daily operations. 

Using our technology and our in-house expertise, we can translate your specific requirements and obligations under the GDPR into customized, crystal-clear data-management policies. Crucially, we also automate the process of querying datasets subject to those policies — so your coders and developers can implement call-outs to automatically check whether a specific action is permissible for a specific item of personal data. 

With Ketch, your IT teams don’t have to fret about the nuances of privacy laws, and your legal teams don’t lose sleep over specific implementations. And because permissions are handled centrally, you can be confident that any changes will propagate instantly across your entire data ecosystem, including outside partners, to ensure continuous GDPR compliance. 

That adds up to a frictionless and robust toolkit for companies affected by the GDPR. So stop fretting about making costly mistakes — and get in touch with Ketch to find out how we can streamline your data compliance.

Introducing PrivacyGrader

Today the Ketch team is excited to introduce PrivacyGrader, a tool that helps solve the complex and critical problems of consumer data privacy and security.

It’s no secret that data protection is one of the biggest and hardest challenges we face today.  This year, data breaches continued to be constant headline news.  By one account, the average cost of a breach to a U.S. company is now more than $8.5 million

In addition to the direct costs of data breaches, the ripple effects of decreased consumer confidence in e-commerce and online media could have severe impacts on our economy – especially at a time when online experiences have never been more essential to our lives.  

This is a big, complicated problem that even the biggest companies struggle to manage.  Many small and medium-sized companies don’t even know where to begin.  

That’s where PrivacyGrader comes in.  It’s a starting point for companies to diagnose their data privacy performance, and then to begin the process of improving it.  With simple, practical steps. 

This is the kind of challenge our team loves:  Tackling big problems and coming up with elegant solutions that serve an important purpose.

PrivacyGrader works by analyzing your website's collection and use of personal data.  It assesses multiple elements of your privacy procedures and doesn’t just help you find the problems – it identifies the steps you need to take to address them. We provide the analysis to any company at no cost.

Trust is vital for all of us as we deepen our commitment to an increasingly connected, digital lifestyle.  At Ketch, we don't see a zero-sum world where consumer privacy is protected and online businesses lose. We believe that both consumers and businesses can prosper together, and we built PrivacyGrader to help bridge the divide.  We hope you’ll give it a try and let us know what you think.