Mavenlink & Kimble have joined forces to become Kantata. Learn More

Contact Us

Kimble's Approach to GDPR

Facebook, Google, and Instagram are all facing potential lawsuits under the European Union’s new data privacy regulations GDPR. It will take some time before the courts start to interpret the cases and decide whether these North American behemoths are in breach or not, but the cases have firmly hit home the point that this legislation has global reach.

Salesforce CEO Marc Benioff has welcomed GDPR and is calling for similar legislation to be introduced in North America, predicting that a similar law will soon hit the statute books in California at least.

We at Kimble have been prepared for GDPR for some time – although we now do more than half of our business in the US, we were founded in London in 2011 and have many European clients. Our CMO Mark Robinson presented on the subject of GDPR at the Salesforce conference Dreamforce in San Francisco in 2017, and we also took part in a Salesforce ISV Webinar. We sponsored a podcast with global GDPR expert Ardi Kolah available here, and Elements Cloud, which offers GDPR compliance tools, presented a seminar on this at our recent customer conference in the UK.

Most of what the regulations demand is what we already regard as best practice. The basic principles of GDPR – minimizing the amount of personal, private data you hold, being careful what you do with it and with whom you share it; being transparent with individuals about what information you hold on them and what you plan to do with it – all fit well with how Kimble operates.

We hold very little personal data and we have introduced design features into the current version of Kimble Professional Services Automation software to help our customers to become and remain compliant. Salesforce is our key sub-processor and we are leveraging its capability to streamline this process.

Minimal personal information is inherent in Kimble’s product design

  • We don’t hold sensitive, financial information.
  • We hold very little personal information.

The GDPR regulations are concerned with personal data. They do not cover business information such as profit and loss, revenue forecasts, KPIs and so on, which make up the large majority of the data that Kimble holds.

It makes sense to keep the amount of personal data about employees, customers, and partners that is held by each organization to a minimum. Personal information that is no longer required, irrelevant or outside the scope of what is necessary for the smooth running of the business should be deleted, redacted or handed over to the individual to whom it belongs.

Under the regulations, organizations also share responsibility for what happens to personal data they hand over for whatever reason to other businesses. So our customers want to know that we are compliant, and we have established that our sub-processors are also compliant. At Kimble, we worked hard with our lawyers to ensure that we were able to issue a strongly GDPR-compliant Data Processing Addendum.

Transparency is key to GDPR compliance

  • Customer Contracts: We’ve issued a GDPR compliant Data Processing Addendum to all our customers
  • Privacy Statement: We have published an updated privacy statement as part of us being Open and Transparent
  • Sub Processors: We have ensured that we have GDPR compliant contracts in place with our own sub-processors.

GDPR gives individuals the right to transparency over their information – people can ask to see what information an organization is holding about them. They can correct it if it is wrong and in certain circumstances, they could ask for it to be deleted. But the strongest provision is the right to see what information is there, and it should be provided without undue delay or cost.

Where individuals’ personal data is sought and collected and perhaps shared with other organizations, the person concerned has to be informed and to consent to that use.

To comply, businesses need to be in a position to record that consent, and to show regulators what personal data they hold and why, for how long, and what the company procedures are for managing this processes.

Kimble enables customers to use automation to streamline some of what could otherwise be a time-consuming manual process.

Automation can streamline the process

Product Features included in Kimble Summer 18:

  • Subject Access Request
  • Anonymising Data
  • Consent for Invoicing emails

Subject Access Request

When someone asks to see the information about them, that is called a Subject Access Request or SAR. One scenario in which this might apply for a PSO would be a former employee inquiring about the information that is still held on them. To comply with the Right of Access and support Subject Access Requests, Kimble has introduced the ability to export a list of all Resource Mentions for a Resource whose tenure has ended.

Redact Resource

The GDPR introduces a right for individuals to have personal data erased. The right to erasure is also known as ‘the right to be forgotten’.  To comply with the Right to be Forgotten, Kimble has introduced the ability to redact all mentions of a Resource whose tenure has ended, redacting their name and email address in all Kimble fields.

Opt-out Billing Field

Consent is one lawful basis for processing data under the GDPR. The GDPR sets a high standard for consent, the biggest change from earlier Data Protection regimes is what this means in practice. The GDPR is clear that an indication of consent must be unambiguous and involve a clear affirmative action (an opt-in). To comply with the Consent lawful basis for processing, Kimble has introduced the ability to exclude Contacts who do not consent when dispatching Invoices, Supplier Invoices, and Credit Notes.

GDPR creates shared responsibility with sub-processors

  • Salesforce is Kimble’s key Sub processor
  • We can leverage Salesforce ‘Trust’ principle, security of data on the Salesforce platform (i.e. to minimize the risk of a Breach).
  • Salesforce has an extensive GDPR compliance programme and supporting collateral.

Formerly, if one organization shared personal data with another, it could leave the secondary organization to take care of its own compliance with regulations. The primary organization didn’t have any legal obligation to ensure compliance.

But GDPR creates shared responsibility across the data chain. That means that if one organization chooses to share personal information on its employees, customers or partners with another company, they are responsible for what the sub-processors do with it. This is particularly important for Professional Services Organizations who often manage data for others.

Kimble is native to the Salesforce platform and the vast majority of our clients’ data is processed there, amounting to millions of hours of time every month. We are fortunate in having Salesforce as our key sub-processor as they have an extensive GDPR compliance programme.

Salesforce CEO Marc Benioff has welcomed the strengthening of individuals’ rights over their data. The organization is working to support customers and partners in the Salesforce ecosystem to comply with the regulations.


Organizations which are truly customer-centric and which value transparency are in a good position to establish a strong workplace culture of compliance with GDPR. Once the right processes are established, Kimble professional services automation can help to streamline them.