GDPR — The General Data Protection Regulation
The General Data Protection Regulation (GDPR) is an important piece of legislation that is designed to strengthen and unify data protection laws for all European Union (EU) citizens. The regulation went into effect May 25th, 2018.
Our commitment:
CAKE is fully committed to complying with its obligations under the GDPR and other privacy regulations.
How did CAKE prepare for the GDPR?
CAKE began to dedicate internal resources to the GDPR in September 2017 to ensure that the right steps were taken to address the requirements under the law. At CAKE, we take compliance and enforcement of data security seriously, as evidenced by our annual SOC 2 Type 2 and SOC 1 Type 2 certifications.
CAKE also engaged with our in-house counsel, UK counsel, and other consultants in our pursuit of GDPR readiness.
A snapshot of CAKE’s GDPR Roadmap:
Like preparing for any new privacy regulation, making sure we were on track to be GDPR compliant on time took planning and collaboration across multiple departments. Steps we took to prepare include, but are not limited to:
- Appoint a Data Protection Officer (DPO)
- Develop a strategy and requirements to address the areas of our product impacted by GDPR
- Thoroughly research the areas of our product and our business impacted by GDPR
- Rewrite our Privacy Policy
- Implement required changes to our internal processes and procedures
- Submit our US-EU-Swiss Privacy Shield application
- Rewrite our Data Protection Agreement
- Perform necessary changes/improvements to our product based on the requirements
- Thoroughly test all of our changes to verify and validate compliance with GDPR
- Continue to assess our compliance and introduce any necessary updates as practice and guidance develop
What are the changes CAKE made to be GDPR compliant?
We took many steps across the entire company to prepare for the GDPR, from updating our contractual documentation to introducing the required internal processes and policies. CAKE became SOC 2 Type 2 and SOC 1 Type 2 certified to help define an Information & Security Policy and Procedure.
In addition, CAKE client infrastructure is hosted on AWS, which complies with the CISPE code of conduct. The CISPE Code of Conduct helps cloud customers ensure that their cloud infrastructure provider complies with data protection obligations under the GDPR.
What do CAKE Customers need to do to be GDPR compliant?
The GDPR imposes a set of obligations and requirements on Data Controllers (those who decide how and why information about individuals is processed) and Data Processors (those who process such information on behalf of data controllers) to:
- strengthen the security and protection of personal data in the EU; and
- give greater protection and rights to individuals whose data is being used by companies.
CAKE has taken steps to be GDPR compliant, both as a Data Controller (the personal data we process about our employees and about you, our customers) as well as a Data Processor (the personal data we process on your behalf). However, our customers also need to ensure they meet their obligations under the GDPR. Every customer needs to assess their own obligations under the GDPR and take advice, as appropriate.
What is GDPR?
The GDPR is widely considered to be the most significant piece of European data protection legislation to be introduced in the European Union (EU) in 20 years. It replaced the 1995 Data Protection Directive.
The GDPR regulates the “processing” of personal data about individuals in the European Union. “Processing” includes doing anything with personal data, such as collecting, storing, transferring it or using it in any way. Importantly, under the GDPR, the concept of “personal data” is very broad and covers any information relating to an identified or identifiable individual (also called a “data subject”).
This legislation gives data subjects more rights and control over their data by regulating how companies should handle and store the personal data they collect. The GDPR also raises the stakes for compliance by increasing enforcement and imposing greater fines should the provisions of the GDPR be breached.
The GDPR enhances EU individuals’ privacy rights and places significantly enhanced obligations on organizations handling data.
In summary, the GDPR means: expanded rights for individuals, compliance obligations, data breach notification and security, restrictions on profiling and monitoring, and increased enforcement with high fines.
If you have any questions about CAKE’s GDPR compliance or your obligations as a CAKE customer, please don’t hesitate to contact us at compliance@getcake.com.