For more information, please read “Kimble’s Approach to GDPR”.

What is GDPR?

The General Data Protection Regulation (GDPR) is the new data privacy regulation aiming to strengthen and unify data protection laws for individuals within the European Union. Any company failing to comply with GDPR’s rules may face fines up to €20m or 4% of revenue whichever is the larger.

Who does it apply to?

GDPR applies to any company whose data processing concerns the personal data of European Union data subjects, irrespective of the company’s location. It also impacts any other companies involved with the downstream processing of personal data.

Some commonly used GDPR terminology

Data SubjectThe individual for whom particular personal data is about.
Data ControllerThe body/entity who determines the purpose of the personal data and the means by which personal data is processed
Data ProcessorThe body/entity who processes personal data on behalf of the controller
Data Sub-ProcessorThe body/entity sub-contracted by the Data Processor to process personal data.

What are the obligations of the bodies involved in the processing of personal data?

  • The company using Kimble is regarded as the Data Controller and needs to ensure it has the Data Subject’s permission to use its personal or sensitive data or consideration has been given to the legitimate reason for storing the data.
    Such personal data includes:

    • Contact details (name, email address) for users of Kimble
    • Related information stored in relation to that individual (e.g. Timesheets, Expenses).
    • Contact details relating to Proposals that are being developed in support of sales of the company’s goods & services.
  • Kimble, as the Data Processor, needs to demonstrate that it has the controls in place to adequately process the personal data owned by the Data Controller.
  • In support of this we will be issuing an addendum to our Master Subscription Agreement to cement our obligations as a Data Processor
  • Salesforce, as the Sub Processer, needs to demonstrate it has the controls in place as part of its responsibilities for providing the underlying platform to adequately process the Data Subject’s personal data.
    • Kimble already has a Data Processing Agreement in place with Salesforce.
    • The customer accepts a Salesforce Terms of Use agreement which forms part of the Kimble Sales Order.

How is Kimble supporting Customers with their compliance?

There are a number of things within our product which are either strengthened or are new as part of GDPR.

Existing product capabilities already provide the ability to manually address the following:

  • Rights
    • Right to be Forgotten/Rectification
    • Right to restrict Processing
    • Data Portability
  • Security
    • User Roles & Permissions
    • Ability to support anonymised data
    • Standard features available on

In addition, we will be introducing further product enhancements for Summer 18 to address:

  • Right to be Forgotten (To anonymise related information)
  • Subject Access Requests
  • Consent for Contacts

What happens if you have an existing contract?

Customers will continue to be covered by their existing contracts, but there is now a Data Processing Addendum (DPA) which addresses the Data Protection clauses required for GDPR. Customers do not need to do anything, as they will be automatically covered by continuing to use Kimble after the 25th May 2018.

  1. Master Subscription Agreement (Licence Agreements)
    Note : Older versions of the Master Subscription Agreement have slightly different clauses so your organisation will have been contacted with details of which Addendum applies.
  2. Master Services Agreement (Consulting Services)

      What do the Data Protection Clauses cover?

  • The new clauses address Kimble responsibilities as a Data Processor and the basis upon which we may transfer data outside of the EU. (For example for access by Salesforce or Kimble US operations for support purposes)
  • Kimble have agreements in place to cover Standard Contractual Clauses (previously referred to as EU Model Clauses), Binding Corporate Rules and EU Privacy Shield.

What are we doing ourselves?

Kimble is already compliant with the UK Data Protection Act 1998. Since Q2 2017 we have been running a comprehensive GDPR Compliance Programme which is on track to be compliant prior to the May 2018 deadline.

  1. GDPR Compliance Programme:
    • Appointed a Data Protection Office (DPO)
    • Adopted Data Protection by Design Principles
    • Integrated with SOC compliant processes where applicable
  2. Gap Analysis Exercise (performed by independent GDPR experts)
    • Personal Data Impact Assessment & Remediation
    • 3rd Party Supplier review
  3. New Policies and Procedures developed:
    • Personal Data Inventory
    • New Policies (e.g. Data Breach Notification)
    • Legal review of contracts for GDPR clauses

Kimble and Salesforce approach to GDPR

Kimble is one of the largest Independent Software Vendors (ISV) on the Salesforce Platform. We have been working closely with Salesforce to ensure our product supports our customers’ GDPR requirements. Trust is the number one value for both Kimble and Salesforce with both companies being totally committed to the protection of our customers’ data.

Where can I find out more?

  • Information Commissioner’s Office (ICO)

  • Salesforce
  • GDPR Website

  • Trust and Compliance Documentation

  • Current Functionality Overview

  • Trailhead

Contacting Kimble

If you have any further questions, please contact Kimble using :-

Email : [email protected]