KeyedIn Solutions GDPR Readiness Statement March 2018
EU General Data Protection Regulation
The EU General Data Protection Regulation (“GDPR”) comes into effect in May 2018 and applies to all businesses that hold or process personal data of EU individuals. The GDPR sets out the responsibilities of businesses in relation to the personal data they collect and hold, and it also governs the processes businesses use for managing that personal data.
GDPR readiness activities leverage our existing processes, policies, and certifications, in particular our ongoing compliance with EU data privacy laws.
KeyedIn Solutions is committed to ensuring the security and protection of the personal information that we process, and to providing a compliant and consistent approach to data protection. We have always had a robust and effective data protection programme in place which complies with existing law and abides by the data protection principles. However, we recognise our obligations in updating and expanding this programme to meet the demands of the GDPR.
KeyedIn Solutions is compliant with our obligations under GDPR with respect to the provision of our Cloud Services in the EEA (where we are a Data Processor). Data Processing agreements are in place with subprocessors, and appropriate transfer mechanisms are in place where data is accessed from outside the EEA.
Where we act as a Data Controller we are confident that our Data Impact Assessments and Supplier agreement/contract reviews will all be completed by 25th May 2018.
Cross-Border Data Transfer
KeyedIn Solutions is a company headquartered in the United States of America. Our USA entity, KeyedIn Solutions Inc, is registered with EU-US Privacy Shield and Swiss-US Privacy Shield. Our Privacy Shield certifications with the United States Department of Commerce provide a legal basis for cross-border data transfers under the EU GDPR. This shows our commitment to the 7 key Privacy Shield principles. Our Privacy Shield Framework Listing can be found at https://www.privacyshield.gov/participant?id=a2zt0000000TSHIAA4&status=Active
For more information about the Privacy Shield program, please visit www.privacyshield.gov
We have contracted with TRUSTe to act as our third party dispute resolution provider within the USA.
Our Corporate (where we act as a data controller) and Platform (where we act as a Data Processor) Privacy Policies have been revised to incorporate our GDPR obligations and can be found on our website at https://www.keyedin.com/privacy-policy.
KeyedIn Solutions is currently undertaking a review of all supplier and third party contracts and arrangements to ensure that all of our partners apply the high standards of data protection that we and our customers expect.
KeyedIn Solutions is currently working towards ISO 27001 certification. The formalisation of our corporate Policies and Procedures to achieve this certification will also contribute to our readiness for GDPR.
Data Impact Assessments & Data Inventory
We are undertaking a full review of the data we store, manage, maintain, collect, process and control. This includes offline storage and paper records. Assessments of the data will review information flow, any data transfers, risk reviews, and structural position in relation to Lawfulness, Purpose, Minimisation, Accuracy, Consent, Limitation, Integrity & Confidentiality, Record Keeping and Accountability.
Training & Awareness
Our previous security training has been revised and formalised in order to provide awareness of GDPR and its impact on the new policies, procedures, and responsibilities of all employees. This will be rolled out to all members of the organisation before 25th May 2018 through our corporate Learning Management System.
KeyedIn Solutions protects your data from inappropriate access or use by unauthorized individuals with robust measures, including restricting access by KeyedIn Solutions personnel and subcontractors.
To provide our Cloud Services we use Tier III standard data centres certified to ISO 27001, protected by 24‑hour physical surveillance, and continuously monitored using strict access controls.
KeyedIn Projects has built‑in security features to help you secure your data, including encryption in transit, encryption at rest, comprehensive role‑based access control, and support for SAMLv2 SSO.
Data Protection Officer
KeyedIn Solutions does not capture or hold any special category data, therefore a Data Protection Officer has not been appointed.
The Information Technology Management Team will work with other key areas of the business to manage our Data Protection obligations.
Cloud Service Terms and Conditions
Our Cloud Service terms and conditions, revised to incorporate GDPR obligations, are almost ready to be published. A standard data processing agreement for use with our clients is also ready.
Direct Marketing and Obtaining Consent
We are revising the wording and processes for direct marketing, including clear opt-in mechanisms for marketing subscriptions, a clear notice of and method for opting out, and unsubscribe features on all subsequent marketing materials. We are also revising our consent mechanisms for obtaining personal data, ensuring that individuals understand what they are providing, why and how we use it, and giving them clear, defined ways to consent to us processing their information.