The General Data Protection Regulation


The General Data Protection Regulation(GDPR) is an important piece of legislation that is designed to strengthen and unify data protection laws for all European Union (EU) citizens. The regulation will be effective from 25th May 2018.

Our commitment:
CAKE is fully committed to complying with its obligations under the GDPR.

In this page we cover:

What is CAKE doing about the GDPR? 

CAKE began to dedicate internal resources to the GDPR in September 2017 to ensure that the right steps are taken to address the requirements under the new law. At CAKE, we take compliance and enforcement of data security seriously as also evidenced by our Type 1 SOC 2 certification at the end of 2017.

CAKE has also engaged with our in-house counsel, UK counsel and other consultants in our pursuit of GDPR readiness.

Here’s a snapshot of our GDPR Roadmap and where we are on our GDPR journey:

In Progress:

  1. Rewrite our Privacy Policy
  2. Rewrite our Data Protection Agreement
  3. Perform necessary changes/improvements to our product based on the requirements
  4. Implement required changes to our internal processes and procedures
  5. Thoroughly test all of our changes to verify and validate compliance with GDPR
  6. Continued assessment of our compliance and introduction of any necessary updates as practice and guidance develops


  1. Appoint a Data Protection Officer (DPO)
  2. Develop a strategy and requirements to address the areas of our product impacted by GDPR
  3. Thoroughly research the areas of our product and our business impacted by GDPR

What are the changes CAKE is making to be GDPR Compliant?

We are taking many steps across the entire company to prepare our company for the GDPR, from updating our contractual documentation to introducing the required internal processes and policies. Towards the end of 2017, CAKE became Type 1 SOC 2 certified to help define an Information & Security Policy and Procedure. As we move towards GDPR compliance, CAKE intends to also become US Privacy Shield certified to provide the legal framework for personal data transfers between our global offices and, where relevant, from other EEA locations directly to our US hosting centers. CAKE client infrastructure is hosted on AWS which complies with the CISPE code of conduct. The CISPE Code of Conduct helps cloud customers ensure that their cloud infrastructure provider complies with data protection obligations under the GDPR.

What do CAKE Customers need to do?

The GDPR imposes a set of obligations and requirements on Data Controllers (those who decide how and why information about individuals is processed) and Data Processors (those who process such information on behalf of data controllers) to: 1) strengthen the security and protection of personal data in the EU and 2) give greater protection and rights to individuals whose data is being used by companies. Although CAKE is taking steps to prepare for the GDPR both as a Data Controller (the personal data we process about our employees and about you, our customers) as well as a Data Processor (the personal data we process on your behalf), our customers will also need to ensure they are ready to meet their obligations under the GDPR. All of our customers will, of course, need to assess their own obligations under the GDPR and take advice, as appropriate. In relation to your relationship with CAKE, each customer will need to sign our “GDPR addendum” which will add clauses required by the GDPR to our contractual relationship with you.

What is GDPR?

The GDPR is widely considered to be the most significant piece of European data protection legislation to be introduced in the European Union (EU) in 20 years and will replace the 1995 Data Protection Directive. 

The GDPR regulates the “processing” of personal data about individuals in the European Union. “Processing” includes doing anything with personal data, such as collecting, storing, transferring it or using it in any way. Importantly, under the GDPR, the concept of “personal data” is very broad and covers any information relating to an identified or identifiable individual (also called a “data subject”).

This legislation gives data subjects more rights and control over their data by regulating how companies should handle and store the personal data they collect. The GDPR also raises the stakes for compliance by increasing enforcement and imposing greater fines should the provisions of the GDPR be breached.

The GDPR enhances EU individuals’ privacy rights and places significantly enhanced obligations on organizations handling data.

In summary, here are some of the key changes that will come into effect: expanded rights for individuals, compliance obligations, data breach notification and security, restrictions on profiling and monitoring, and increased enforcement with high fines.

If you have any questions, please don’t hesitate to contact us at

Additional GDPR Resources

Additional information can be found on the Information Commissioners Office (ICO)

Go to ICO