EU General Data Protection Regulation
The General Data Protection Regulation (GDPR) came into force on 25 May 2018, and the new Data Protection Act (DPA) 2018 came into force at around the same time. Together, this legislation provides a single regulation across the European Union (EU) and places obligations on organisations that operate outside the EU but provide goods or services to EU citizens.
KeyedIn Solutions is committed to ensuring the security and protection of the personal information that we process, and to providing a compliant and consistent approach to data protection. We have always had a robust and effective data protection programme in place which complies with existing law and abides by the data protection principles. However, we recognised our obligation to update and expand this programme to meet the demands of the GDPR.
KeyedIn Solutions is compliant with our obligations under GDPR with respect to the provision of our Cloud Services in the EEA (where we are a Data Processor). Data Processing agreements are in place with sub-processors, and appropriate transfer mechanisms are in place where data is accessed from outside the EEA.
Where we act as a Data Controller, our Data Impact Assessments and Supplier agreement/contract reviews have been completed.
Cross-Border Data Transfer
KeyedIn Solutions is a company headquartered in the United States of America. Our USA entity, KeyedIn Solutions Inc, is registered with the EU-US Privacy Shield and the Swiss-US Privacy Shield. Our Privacy Shield certifications with the United States Department of Commerce provide a legal basis for cross-border data transfers under the EU GDPR. This shows our commitment to the 7 key Privacy Shield principles. Our Privacy Shield Framework Listing can be found at https://www.privacyshield.gov/participant?id=a2zt0000000TSHIAA4&status=Active
For more information about the Privacy Shield program, please visit www.privacyshield.gov.
We are contracted with TRUSTe to act as our third-party dispute resolution provider within the USA.
Our Corporate (where we act as a data controller) and Platform (where we act as a data processor) Privacy Policies have been revised to incorporate our GDPR obligations and can be found on our website at https://www.keyedin.com/uk/privacy-policy.
KeyedIn Solutions has undertaken a review of supplier and third-party contracts and arrangements to ensure that all of our partners apply the high standards of data protection that we and our customers expect.
KeyedIn Solutions is currently working towards ISO 27001.
Data Impact Assessments & Data Inventory
We have undertaken a comprehensive review of the data we store, manage, maintain, collect, process and control. This includes offline storage and paper records; these processes have been documented in our data retention and destruction policies. The completed data assessments covered: information flow, data transfers, risk reviews, and our structural position in relation to Lawfulness, Purpose, Minimisation, Accuracy, Consent, Limitation, Integrity & Confidentiality, Record Keeping and Accountability.
Training & Awareness
Our security training has been revised and formalised in order to provide awareness of GDPR and its impact on the policies, procedures, and responsibilities of all employees. This was rolled out through our corporate Learning Management System.
In addition to the corporate Learning Management System, we have numerous detailed policies in place which cover a wide range of aspects, ranging from Information Classification and Handling to Access Control. All current and new KeyedIn employees sign these policies, confirming that they have read and acknowledged them for the processing and handling of data. These policies are reviewed and re-issued to all KeyedIn employees to sign annually.
KeyedIn Solutions protects your data from inappropriate access or use by unauthorized individuals with robust measures, including restricting access by KeyedIn Solutions personnel and subcontractors.
To provide our Cloud Services we use Tier III standard data centres certified to ISO 27001, protected by 24-hour physical surveillance, and continuously monitored using strict access controls.
KeyedIn Projects has built-in security features to help you secure your data, including encryption in transit, encryption at rest, comprehensive role-based access control, and support for SAMLv2 SSO.
Data Protection Officer
KeyedIn Solutions does not capture or hold any special category data; therefore, a Data Protection Officer has not been appointed.
The Information Security Management Team (ISMT) will work with other key areas of the business to manage our Data Protection obligations.
Cloud Service Terms and Conditions
A standard data processing agreement to be used alongside our Cloud Service Terms and Conditions is in place.
Direct Marketing and Obtaining Consent
We have revised our consent mechanisms for obtaining personal data, ensuring that individuals understand what they are providing and why and how we use it, and giving them clear, defined ways to consent to us processing their information.