The GDPR is the European Union’s new, comprehensive privacy and data protection law that will take effect on May 25, 2018. The primary aim of the GDPR is to regulate how the personal data of EU residents is processed – even by businesses that have no physical or legal presence in the EU. Organizations can face hefty fines for non-compliance: up to €20 million or 4 percent of annual global revenue, whichever is higher.
There is not yet any kind of recognized GDPR certification scheme. Keap is taking the necessary steps to ensure that it is in compliance with the GDPR in advance of the implementation date of the new law.
Keap will offer customers and partners a new Data Processing Addendum (“DPA”). Signing the DPA amends our standard terms of service to reflect obligations required under the GDPR. This is the instrument that you can rely on to have certainty that Keap will comply with the GDPR when it comes into effect on May 25, 2018. It amounts to a guarantee that Keap will be GDPR compliant.
Keap will offer a new Data Processing Addendum, that will replace our prior DPA. The new DPA isn’t dramatically different from our old DPA, but it does address all of the GDPR-specific concepts. For reference, the old DPA is available here: https://keap.com/legal/dpa.
The new DPA will govern the terms by which Keap, as a data processor, processes data on behalf of its customers (who are typically data controllers) in accordance with Article 28 of the GDPR. According to Article 28 of the GDPR, data processors must act only upon the documented instructions of the data controller unless otherwise required by law. This, however, does not relieve Keap of any of its obligations or liabilities under the GDPR. Keap will be required to ensure that it is in compliance with the GDPR.
Keap’s DPO is: Matthew Joseph, CIPP/US
Email address: [email protected]
In accordance with Article 38 of the GDPR, members of the public may contact the DPO with regard to issues related to processing of their personal data and to exercise their rights under the GDPR – for example, to object to the processing of their data in cases where the data controller (i.e., Keap’s customer) does not provide an adequate response.
Keap’s Article 27 Representatives are:
Matthew Joseph, CIPP/US
Prague 150 00
VeraSafe Ireland LTD
Unit 3D North Point House
North Point Business Park
New Mallow Road
In accordance with Article 27 of the GDPR, supervisory authorities and persons whose personal data are being processed by Keap may contact VeraSafe (Keap’s Article 27 Representative) on all issues related to processing, for the purposes of ensuring compliance with the GDPR.
Keap is currently re-papering vendor contracts and working with vendors to ensure they are compliant, and is adding a settings pane for customers to provide Keap with the information required under Article 30(2) of the GDPR.
Keap is continuing to review its security measures, as we always do, to stay at the forefront of evolving industry standards and best practices.
We have appointed a representative in the EU and an expert Data Protection Officer and are in the process of delivering a new Data Processing Addendum, all of which will ensure we’re satisfying the subcontracting obligations of a data processor under the law.
Each organization that processes personal data, and that’s regulated by the GDPR, will face its own obligations to comply with the GDPR. While using a GDPR-compliant software product like Keap can make it easier to comply, much of how you collect, use, and dispose of personal data is not determined by Keap. Thus, each organization should get its own professional guidance on the topic to help ensure compliance. Here are some resources from the UK Information Commissioner’s Office: https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/getting-ready-for-the-gdpr/.
We've also compiled a Keap-specific guide to help you prepare for the GDPR: https://keap.com/legal/gdpr-readiness-guide.
Watch our GDPR Readiness Webinar here.
Yes, we’re planning to release new features to help users manage their compliance with a number of key pain points in the law. This includes a set of features to help Keap users manage the basis of processing (such as consent management) for their contacts, to make it easy to anonymize personal data (i.e., the right to be forgotten), and a customizable “block list” feature to help ensure that if someone asks you to never process their personal data, their personal data can’t be re-imported into your application. These features will help our users to comply with many of their fundamental obligations under the GDPR.
Typically, a Keap customer will be considered a data controller (i.e., an organization that determines the purposes and means of the processing of personal data) and Keap will always be considered a data processor under the law. Controllers and processors each have their own respective obligations under the law. Therefore, Keap’s GDPR compliance plan looks a bit different from that of many of our customers. This doesn’t mean Keap can’t be used by data controllers – quite the opposite. When a data controller engages a service provider like Keap, the service provider is typically a data processor acting on behalf of the controller, and the processor acts at the behest of the controller. As stated above, Keap’s DPA will govern the relationship, and the nature of the processing activities, as between Keap and its customers, regardless of which entity plays which role.
Not necessarily. There are other permitted bases for processing personal data under Article 6 of the GDPR, such as the need to process personal data for the performance of a contract, or the legitimate interests of the data controller or another party. However, if you will be processing personal data based solely on the consent of the individual, you likely need to re-acquire consent from these “old” contacts.
Under the GDPR, personal data may only be transferred outside the European Economic Area (commonly referred to as the “EEA” and which consists of the EU, plus Norway, Iceland, and Liechtenstein) in certain circumstances, such as to a country whose data protection laws are deemed "adequate" by the European Commission, or by relying on an approved data transfer mechanism.
Keap currently offers customers the EU Model Contract to enable the lawful flow of personal data from the EEA to Keap in the United States. The EU Model Contract contains standard contractual clauses which are approved by the European Commission, and which govern the lawful transfer of data from the EEA to countries outside of the EEA. Under the GDPR, additional legitimate methods of exporting personal data outside the EEA may be introduced. In the event of any changes to or new rules associated with the GDPR, Keap will review and respond appropriately.
The Keap Data Security Statement goes well beyond the customary confidentiality clauses found in the business terms of many SaaS providers. The Statement describes some of the specific data security controls that Keap has implemented and, by publishing the information, legally obligates us to maintain the high standard of data security that’s described in the Statement.
The Data Security Statement can be found here: https://keap.com/legal/data-security
Keap adheres to, and is audited annually for compliance with, the Payment Card Industry Data Security Standard, which is a rigorous data protection framework oriented towards the protection of payment card data.
Our most recent PCI DSS audit documentation is available upon request. Please contact [email protected] if you require the documentation.