KnowledgeOwl and the GDPR

KnowledgeOwl is fully GDPR compliant as of May 25, 2018.

What is the GDPR?

The General Data Protection Regulation (GDPR) is a new EU privacy law that went into effect on May 25, 2018. It regulates how businesses treat and use the personal data of EU citizens.

How does the GDPR affect KnowledgeOwl?

If your business collects, records, stores, or otherwise interacts with the personal data of EU citizens, then the GDPR likely applies to you. The GDPR applies to KnowledgeOwl because we both collect and process the data of EU citizens in our business. It also affects our clients who either reside in the EU or collect, store, or otherwise process the data of EU citizens.

What is KnowledgeOwl doing to prepare?

For your review, we've outlined how the GDPR applies to KnowledgeOwl and how we achieved compliance.

Personal data

KnowledgeOwl does process the personal data of EU citizens. While we do not collect sensitive data from our customers, our customers may be storing sensitive personal data in their own KnowledgeOwl accounts. This might include the personal data of children.

March 27, 2018: We are currently reviewing our terms and conditions, along with other policies, with regard to data processing. Updates may be made regarding what type of data we allow to be stored in KnowledgeOwl, specifically sensitive personal data.

May 24, 2018: Our Data Processing Addendum extends our terms and conditions to provide full GDPR compliance for our customers in the EU or processing EU personal data. You can review and sign our DPA online.

Scope of application

While we are located outside the EU, we do collect data from our customers that reside in the EU. We also work with vendors in the EU and have customers who both reside in the EU and collect data from EU citizens.

In terms of the GDPR, KnowledgeOwl acts as both a controller and processor. 

March 27, 2018: We are working on putting in place a data processing agreement for customers requiring one under the new law.

May 23, 2018: We have published our Data Processing Addendum. You can review and sign our DPA online.

Lawful grounds for processing and transparency requirements

KnowledgeOwl does not currently obtain explicit consent for personal data collection outside of our terms and conditions.

March 27, 2018: KnowledgeOwl will begin obtaining consent from our customers and website visitors to process their personal data. In the spirit of transparency, people will be informed about what information is being collected and why. Consent can be withdrawn at any time.

May 23, 2018: We have published our Cookie Declaration page and are collecting explicit consent for personal data collection.

Data protection principles and accountability

To protect both our and our customers' data, we have appropriate security measures and policies in place. We are actively working towards compliance with GDPR data protection policies.

March 27, 2018: We are updating our data protection policy to align and comply with the GDPR. Once updated, we will be instituting training to ensure all team members are aware of and equipped to uphold the policy.

May 24, 2018: We have updated our data protection policy, communicated it to all team members, and instituted a mandatory data protection training.

Data subject rights

We currently do not have a mechanism for customers to be informed of their rights as data subjects.

March 27, 2018: Once we have the appropriate mechanisms in place, we will be communicating data subject rights to customers.

May 24, 2018: We've updated our privacy policy in compliance with the GDPR and Privacy Shield principles.

Data breaches

KnowledgeOwl currently has processes in place to detect, document, and communicate any data breaches. 

March 27, 2018: We are reviewing our incident response plan in order to ensure compliance with the GDPR.

May 24, 2018: We have updated our data breach response policy to ensure compliance with the GDPR.

International data transfers outside the EEA

KnowledgeOwl does transfer data outside the European Economic Area (EEA).

March 27, 2018: KnowledgeOwl is working towards certifying its compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework.

May 23, 2018: We received notification that our Privacy Shield self-certification submission is completed and we are now just waiting on confirmation that we have been officially added to the Privacy Shield list. Privacy Shield benefits are assured from the date we are placed on the list.

June 6, 2018: Our Privacy Shield self-certification has been finalized and is effective as of 6/6/2018. You can now find us on the participant list on the Privacy Shield website.

Other controller obligations

As a data controller, we are currently reviewing all of our obligations under the GDPR and working towards compliance.

March 27, 2018: We are working on documenting policies and procedures for all aspects of the GDPR. This includes recording legal grounds for processing any and all personal data, integrating compliance into processing activities, training employees, and reviewing processor contracts.

May 24, 2018: We have performed a GDPR audit and recorded legal grounds for processing personal data, updated our website and application to integrate GDPR compliance, trained our team, and signed DPAs with our core sub-processors to whom we transfer personal data. We have added GDPR compliance as a requirement for all vendors who process personal data on our behalf.

Other processor obligations 

KnowledgeOwl acts as a data processor for our customers who collect and store the personal data of EU citizens. As such, we are also working on ensuring our compliance as a data processor. We are working to be able to assist our customers in ensuring their own compliance under the GDPR.

March 27, 2018: We are working on implementing a data processing agreement for those customers to whom the GDPR applies. This includes stipulating terms for data processing and recording legal grounds for the data collection.

May 23, 2018: We have published our Data Processing Addendum. You can review and sign our DPA online.