EU General Data Protection Regulation

Please can you advise your plans for compliance with GRPR by 25 May 2018, particularly article 28?

You process both staff and customer data on our behalf and we are required to ensure you are compliant and impose suitable contract clause.

We note that, if the contract is inadequate, or you do not behave like a processor, then you are liable in law as a controller.



  • Hi David,

    We currently participate in Privacy Shield and have SOC2 certification, will continue to be SOC2 and Privacy Shield compliant.  

  • Hi Dan,

    Thanks, but these won't make you legally compliant - the bit your are referring to is Chapter V: Transfers of personal data to third countries or international organisations, specifically article 45.

    Even if you were based in the UK (where I am based), when we enter in to a contract with a processor, processing personal data on our behalf, cloud-based or not, we are required by the law to obtain certain guarantees through a contract.

    Further, unless you actively prevent it, if one of your customers records, for example, religious beliefs, trades union membership, criminal convictions, or similar, you are processing special categories of data, which means are parts of the law start to apply, for example article 30 and article 35.

    As a processor, you have legal liable (under article 28) if you fail to behave like a processor, and in fact behave as a controller. It is therefore in your interest to ensure your customers remain controllers.

    Hence my question: what are you doing to ensure you are ready for GDPR?

  • Hi David,

    After speaking further with our Engineering team, I've been told that we will not be making any additional changes to satisfy the GDPR at this time.

  • Hi Dan,

    The changes would not be in the product, they would be in your contract terms and what information you provide to your customers about how you handle their data.

    As you are a data controller based outside the EEA, I assume you have an EEA-based representative?


  • Hi Dan,

    I should have asked - it could be that your decision is because you plan to withdraw from the European market due to the effort required for regulatory compliance. If so, please give us plenty of warning.

    Obviously, not complying with European law would exclude you from the market, or make you subject to regulatory action - fines up to 4% of your global revenue.



  • Hi David,

    Thanks for your patience!  I brought this thread to the attention of one of our Senior Engineers, and he said this:

    Insightly takes data security seriously and has taken stringent measures to ensure customer data is protected, secure and compliant. Insightly has been audited by an independent accounting firm, and we are SOC2 Type 1 compliant. Insightly also recently completed our SOC2 Type II audit. With our international customers in mind,Insightly has also taken measures to be Privacy Shield compliant.

    Regarding GDPR, Insightly is actively looking into the current regulations, and working towards being fully compliant by May 2018.

    So, it turns out the information I was provided earlier was a bit off the mark.  Sorry about that!  We'll be updating our documentation to show that we're compliant once we're fully compliant, but in the meantime rest assured that this is a goal that we intend to hit without issue. :)

  • Hi Dan,

    Thanks for this - we will wait to see what you come up with.

    In the meantime, for your European customers, it may be worth having some sort of notice to avoid hundreds of similar requests.



  • Hello,

    We are a belgian agency specializing in GDPR compliance.
    One of our customers uses your platform.

    Please keep us informed of the progress of your GDPR compliance.
    Note that if compliance is not reached before 01/01/2018, we will unfortunately be obliged to recommend to our client to change platform.


  • The responses above from Support on this showing a shocking ignorance of this essential compliance.  Seems to be that Insightly is completely US centric. The only official posting made by Insightly on this subject is simply "We are working towards compliance with the GDPR by its enforcement date of 25 May 2018".  That is very poor communication for such a major piece of compliance. Users should be told what the stages to implementation are and kept informed of progress.  I am sure that there are a lot if users in the EU that are less than confident in Insightly's commitment to their customers outside of the US.  I see companies like Egnyte who have whole web pages dedicated to GDPR and have written to all of their customers to advise that they are now compliant and to outline the changes they have made.  EU customers need proper assurance on this, if not, as others have suggested on here, they will look for a provider that has already made the changes or is visibly doing so.

  • Can we please get an update on this. Or i'm putting in place measures to move my 25 licence company to Salesforce the next 3 weeks. It is truly shocking that Insightly has such little knowledge of a mandatory compliance issue in the UK market.

  • Hi everyone:

    Insightly is aware of the update to GDPR & EUs regulations surrounding data privacy and are working towards being fully complaint before the enforced date of May 25, 2018. We'll be sure to keep you updated.

  • Currently sat on a course for this, and we need some clear definition please, that of an ETA on when you will be complient, else to be safe we will need to start looking at moving data.

  • Hi Paul,

    We will be fully compliant before the enforced deadline date of May, 25th 2018.

    We appreciate your patience in the meantime. 

  • Hi Ed, 

    Thanks for the update. Could you provide more information to how you will ensure full compliance? E.g for consent management we are currently evaluating whether we will need 3rd party solutions for this. Will consent management be built into the solution? 



  • Hi,

    "We will be fully compliant before the enforced deadline date of May, 25th 2018."

    I think that if you are working on being compliant you should be able to list the areas you are currently addressing. That should not be too difficult if you have a plan in place. If you do not have a plan it would be difficult to say anything.

    My understanding if consent management is that a processor must not necessarily include this in the offering. Should we interpret your lack of response to Geir's question as arrogance or that you have not started to look into this yet? If the latter is the case, how worried should we be about "We will be fully compliant before the enforced deadline date of May, 25th 2018."?



  • Hey Ola and Geir,

    At this time, we have no further update in regards to this other than the aforementioned notice. We have spoken with our product and development team and have confirmed we will be compliant by the May 25th date. 

  • Hi, 

    Unfortunately, the inability to communicate your plans on how compliance will be achieved makes us very uncertain on moving forward with Insightly. For inspiration, this is how one of your competitors communicates around their GDPR efforts:


  • Hi Geir,

    Thank you for providing us with your feedback.

    I'll be forwarding this over to management for them to further review.

    We appreciate your patience and understanding while we work on becoming GDPR compliant.

    Please let me know if you have any other questions.

  • I have one or two areas of interest at the moment with the GDPR , that you will be covering in your devlopment, and might allow you to give some confidence, could I have some definition that the below will be possible please,

    GDPR states - Data Portability - The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.

    Will you be creating a specific method to be able to achieve this across all areas Orgs, People, Opportunities Projects etc, beyond exporting against a filter ? 

    Marketing via Email.


    Will you be building in any processes to simplify Email's requiring a double Opt-In process for gaining permission? to market email ?

    Data Removal after a set period

    Will you be creating a method of alert or automation to remove a persons information after a set period of time ?

    Data Removal after a set period online instances of CRM hosted by a 3rd party

    Will you be building in a process for us to be able to remove records that are greater than N years old, from ALL backups and archiving taken including Insighlty's (Yours), as I expect you also backup systems that may contain our records.


    * Insightly Team, we as a EU customer  have justified concerns as this ICO is self funded, so even if smaller companies feel its not as important, when they start the audits of the supply chains of larger companies and government suppliers, of which they will be undoubtedly aggressive both on audits, and fines, most will start to learn the importance the hard way.

    Larger companies will fight them and have the resources to do so, so they will target the smaller companies less likely to afford a substantial fight in the courts... so please show a little more respect and pro-active support, and at least a page to show your progress, like most other online CRM suppliers are now producing.

    Is this not a great opportunity for a forward thinking company delivering CRM to step up and lead the competition in automating the requirements ?

    Right now responding with  "It will be ready"  does not  show forward thinking, will it be support sheets how to achieve GDPR requirements ?, rather than a CRM that does the work for you with automation, I hope I'm investing in a forward thinking company ? 

    I look forward to your responses for the 4 questions above please.





  • What would be great is a 'one click disclose' which sends an automated email to the contact's address with a summary of information held against them.

  • Hi Paul,

    Insightly is aware of the new GDPR, EUs regulation around data privacy. While I'm not involved directly in the process that our Engineering team is going through to give you a step by step of what we are doing, we will be fully compliant before the enforced date of May 25, 2018.

    Our article Data security explains more about this.

  • I note I started this thread on 23 July 2017.

    In view of this last post, we are now forced to move away from Insightly. If your understanding of your duties under GDPR is limited to data security (article 32) and totally fails to recognise the full range of duties under article 28, only 3 months from enforcement, you have no hope of being compliant by 25th May.

    We can no longer wait for you to act and will now be moving to a competitor.

  • ps. The global reach of GDPR is such that your behaviour threatens the business of all of your customers. Made in California is fine, but that will have to be your limit too.

  • Ev.M

    That is not an answer to my direct questions in any form, 

    We will be looking to leaving too if this continues, the lack of information given on this is too little, for something very important, it appears you want us to wait until the eleventh hour

    You have been asked specific questions, but no effort to answer any of them, just a link ... that's not support, some would think quick tickets....  very disappointing. 

    Last attempt will be to just email maybe he can give more assurance than you are, and you are talking about your entire EU customer base being effected, more effort please in your response, more detail too.

  • Hi - 

    Insightly it would be useful if you could at least comment on the scope of what you are doing?  Are you relocating to the EU or relying on adequacy?   Are you updating your terms and conditions?  Are you implementing data portability export functions?



  • As @Adam smith says, noting that you are a data processor and are bound by article 28 conditions, or you consider yourselves data controllers, which would be a very interesting position for you to take. In the event you are not article 28 compliant by 25 May, you understand the risk to your business??

  • Dear Insightly members, I strongly second the worries expressed by others about the way in which Insightly seems to be (not) working on a feasible track towards timely compliance with GDPR regulation. Is the European market such a small percentage of your global revenues that Insightly is comfortable with basically forcing your European customers to switch to another provider? If not, I strongly suggest that you send thorough en specific communications on GDPR compliance ASAP to all European customers!

  • Folks! We understand the concern regarding this issue. While we can't provide specifics at this time, our Engineering and Development teams are well aware of the deadline and are working towards compliance with GDPR regulation. 

    Without sounding like a broken record, I want to reiterate that we will be compliant on the day the GDPR comes into effect. That is really the most we can say at this point. As soon as we get any new information, I will be sure to share that with everyone in this thread.

    We truly appreciate your patience and understanding.


  • Dennis, I am really surprised on how you keep on answering the very specific questions asked by Paul, David and Adam in a way that provides absolutely no value to us as a customer. We work with lots of software development projects ourselves, and with that background, it is difficult to understand why you don't share your product backlog items that are planned in order to be compliant?

    When I look at your release history with new updates about every second month, it should be very clear to you what you are working with for the next release that must be deployed before May 25.?

    When you don't share anything specific, but keep telling us to "trust us, we know what we are doing" it really undermines my trust in Insightly in this regard. We are actively looking at other possible solutions for our sales staff of about 30 people as it is currently less than 100 days until the deadline. 



  • Dennis.  We have to know well in advance.  By May 25th, we have to have already issued updated customer information.  Can you at least confirm the terms and conditions of service are being appropriately updated by your legal team?

Please sign in to leave a comment.