EU General Data Protection Regulation

The General Data Protection Regulation (GDPR) came into force on 25 May 2018 and the UK Data Protection Act (DPA) 2018 came into force at the same time. The GDPR provides a single regulation across the European Union (EU) and places obligations on organisations outside the EU that offer goods or services to individuals in the EU; the DPA 2018 is the UK legislation that supplements and implements it.

Our Commitment

KeyedIn Solutions is committed to ensuring the security and protection of the personal information that we process, and to providing a compliant and consistent approach to data protection. We have always had a robust and effective data protection programme in place which complies with existing law and abides by the data protection principles. However, we recognised our obligation to update and expand this programme to meet the requirements of the GDPR.

KeyedIn Solutions is compliant with our obligations under GDPR with respect to the provision of our Cloud Services in the EEA (where we are a Data Processor). Data processing agreements are in place with our sub-processors, and appropriate transfer mechanisms are in place where data is accessed from outside the EEA.

Where we act as a Data Controller, our Data Impact Assessments and supplier agreement and contract reviews have been completed.

Cross-Border Data Transfer

KeyedIn Solutions is a company headquartered in the United States of America. Our US entity, KeyedIn Solutions Inc, is certified under the EU-US Privacy Shield and Swiss-US Privacy Shield frameworks. Our Privacy Shield certifications with the United States Department of Commerce provide a legal basis for cross-border data transfers under the EU GDPR and demonstrate our commitment to the seven Privacy Shield principles. Our Privacy Shield Framework listing can be found at https://www.privacyshield.gov/participant?id=a2zt0000000TSHIAA4&status=Active

Note that the EU-US Privacy Shield was invalidated by the Court of Justice of the EU in July 2020 (the Schrems II judgment), after this statement was written; transfers from the EEA to the USA now need another mechanism, such as Standard Contractual Clauses or certification under the EU-US Data Privacy Framework.

For more information about the Privacy Shield program, please visit www.privacyshield.gov.

We are contracted with TRUSTe to act as our third-party dispute resolution provider within the USA.

Our Corporate (where we act as a data controller) and Platform (where we act as a data processor) Privacy Policies have been revised to incorporate our GDPR obligations and can be found on our website at https://www.keyedin.com/uk/privacy-policy.

Suppliers

KeyedIn Solutions have undertaken a review of supplier and third-party contracts and arrangements to ensure that all of our partners apply the high standards of data protection that we and our customers expect.

Certifications

KeyedIn Solutions are currently working towards ISO/IEC 27001 certification.

Data Impact Assessments & Data Inventory

We have undertaken a comprehensive review of the data we store, manage, maintain, collect, process and control. This includes offline storage and paper records; these processes have been documented in our data retention and destruction policies. The data assessments that have been completed covered information flows, data transfers, risk reviews, and our position against the GDPR principles: lawfulness, purpose limitation, data minimisation, accuracy, consent, storage limitation, integrity and confidentiality, record keeping, and accountability.

Training & Awareness

Our security training has been revised and formalised to provide awareness of the GDPR and its impact on the policies, procedures and responsibilities of all employees. This was rolled out through our corporate Learning Management System.

In addition to the corporate Learning Management System, we have numerous detailed policies in place covering a wide range of areas, from Information Classification and Handling to Access Control. All current and new KeyedIn employees sign these policies, confirming that they have read and acknowledged them before processing and handling data. These policies are reviewed and re-issued to all KeyedIn employees to sign annually.

Security

KeyedIn Solutions protects your data from inappropriate access or use by unauthorized individuals with robust measures, including restricting access by KeyedIn Solutions personnel and subcontractors.

To provide our Cloud Services we use Tier III standard data centres certified to ISO/IEC 27001, protected by 24-hour physical surveillance and continuously monitored, with strict physical access controls enforced.

KeyedIn Projects has built-in security features to help you secure your data, including encryption in transit, encryption at rest, comprehensive role-based access control, and support for single sign-on (SSO) via SAML 2.0.

Data Protection Officer

KeyedIn Solutions does not capture or hold any special category data; therefore, a Data Protection Officer has not been appointed.

The Information Security Management Team (ISMT) will work with other key areas of the business to manage our Data Protection obligations.

Cloud Service Terms and Conditions

A standard data processing agreement to be used alongside our Cloud Service Terms and Conditions is in place.

Direct Marketing and Obtaining Consent

Our opt-in mechanisms for marketing subscriptions can be found on all KeyedIn websites and in subsequent marketing materials. Our unsubscribe mechanism, our privacy practices and our statement of commitment to protecting your privacy can all be found in our privacy policy. All KeyedIn websites link to our privacy policy.

We have revised our consent mechanisms for obtaining personal data, ensuring that individuals understand what they are providing, why we collect it and how we use it, and giving them clear, defined ways to consent to us processing their information.