EU General Data Protection Regulation

Please can you advise your plans for compliance with GRPR by 25 May 2018, particularly article 28?

You process both staff and customer data on our behalf and we are required to ensure you are compliant and impose suitable contract clause.

We note that, if the contract is inadequate, or you do not behave like a processor, then you are liable in law as a controller.



  • No update in three weeks.  You really don't seem to understand what a big deal this legislation is in the UK and Europe. 

    A large part of my business is based on getting SME businesses to use Insightly and customise it to their needs.  If you fail to sort this out you will ruin my reputation and business.

    Please try harder to communicate what's going on.

  • We cannot move forward with Insightly with such laconic comments as "we will be compliant on the day the GDPR comes into effect" and neither visible progress since months nor clear communication about their step-by-step efforts towards GDPR compliance...

    Reading through this forum I can see many people talking about switching to another CRM provider.

    Have some of you (Paul Mac, Davd Stone, Geir Jåthun Hindenes, ...) already taken the plunge ? If not, what will make you decide to leave or not Insightly ? When will you make a decision ?

    Thanks Geir Jåthun Hindenes for suggesting HubSpot...



  • We have discussions with 5-6 other possible vendors, and are evaluating them on various areas where GDPR compliance is one. I would expect us to decide during the first half of April

  • Hi Support,

    Please is there any other update on the GDPR compliance? I understand that you are aiming to be compliant by May 25, 2018, but we need to look at the contract clauses in more detail much before that deadline.

    I would appreciate if you could provide more frequent updates on this.




  • We have been using Hubspot with one of our other companies and it is very good, not quite right for the company that has the Insightly licence. We have decided to go with Trello, which will take more effort to configure but has more functionality to map from contact to project and back again. We will be leaving Insightly in April.

  • Hi folks! Thank you for your patience. We understand GDPR is a hot topic. Quick update on our GDPR stance can be found here. Insighly remains committed towards full compliance by the deadline. 

  • @Dennis B. No mention of article 28, just a restatement of a very basic overview of the Regulation. This does not clarify your stance. As of 25 May, in the absence of a compliant contract, I consider you to be a data controller for the personal data you hold and subject to the full weight of the law and a fine of 4% of your global revenue. Or you are a processor and subject to 2%. I am not prepared to take the risk of being a controller with a supplier and not valid contract.

  • Hi @Davd Stone - hope this helps! 

  • @Jean-Claude Spelte

    We have taken advice from a legal perspective and after also speaking to our Government trainers on the GDPR, taken their advice.

    Therefore we have already exported our current data, and have imports now structured ready to change to several options should Insightly fail to achieve their promise, this is simply because we work with Governments across Europe, and know they will not be as understanding as us towards suppliers not being compliant in time, or not being open and transparent in progress, and as this could loose us valued contracts and opportunities, its been a necessity, a pain, and a lot of time taken as an admin working with the export structure, therefore would advise others to do a trial run, as you may need some time to structure your imports, to get correct links and mapping. 

    We asked for advice, so expect it is recorded Insightly is our crm and we asked what should we do in regards to this supplier in the chain, as the information being provided is not clear,  their advice, move away immediately on the date if not fully compliant or loose contracts, so its simple, and a few days lost in prep, but balanced against the cost of a fine or lost contracts ... worth it. !

    Plus finding their are some good options to switch to today, or even better we have found an option to create our own using 'Google App Maker', if you have a good techie not developer !!, they should be able to create something together that may match Insightly, I advise take a look, as its a game changer and will be a challenge for smaller CRM companies, very simple, easily constructed, links into gmail, google contacts, google calendar, Google SQL backend etc.... personally think its a great move forward for in house development if you use google g-suite and their cloud platform. No need for a full blown developer. I've already in 3 days, recreated Insightly for contact management, just working on the Opportunity and Project manager. Personally if I complete and import Direct from insightly, we will move to this... as no monthly fees and huge savings, plus freedom to make it fit perfectly what we require.

    If your technical, take a look, personally think its a game changer for the smaller businesses out there, with a decent admin/techie not full blown developer.... and its G-suite friendly and linked..... google have it in beta still, but you can get access if G-suite business users. Take a look, as you could take full control by creating your own crm, and make it fit your requirements 100% ...... or any compliance requested.

    As for the latest update with Insightly, Ive given up waiting for a response that means anything, just waiting to see if they can keep their promise, and Directors are aware also, with same response, if they are not we just move ... simple.



  • @Dennis B

    Sadly not. Article 28 includes a duty on the data controller to impose in legally binding contract certain conditions on the data processor. It also introduces duties on the data processor. Until I have sight of your proposed contract, I cannot be certain that I am carrying out my legal duties, including ensuring you are carrying out yours.

  • Can you confirm whether Insightly is GDPR compliant yet?

  • Hello Andy,

    I want to share a helpful link to bring clarity and assurance that Insightly is on track to be compliant by the 25, May 2018 deadline. 
    Please see the link below. The link is from our recent webinar where Anthony Smith, our founder, and CEO talked on GDPR.  
  • Hi there - this update from Anthony Smith didn't really help!

    Are you planning to introduce any fields where we can demonstrate consent? Are there already fields for contact preferences? I'm quite a new user and so perhaps I haven't see this functionality yet?

    Might you create a Subject Access Request report, so that we can easily provide that should we be asked?




  • Hi, it the webinar above wasn't helpful at all.  The Privacy Shield no longer has any legal affect after GDPR comes into force as other people have mentioned.  The single most important thing is that you update your contracts/terms so that they are in line with the EU's requirements for transferring data outside the EU.  You don't need to change your software to do this.


  • Hi - just noticed that the original post here was July 2017. I can't see any hard info that has been provided by Insightly since then???

    What are you guys doing?????


    I need two things:

    1) to be able to reassure my customers that you meet the GDPR requirements for data secruity etc as you are hosting the data outside of the EU (and not in a country that has designed 'adequacy').

    Please can someone tell me for sure that the EU-US Privacy Shield does not work for this? Everything I can find seems to suggest that it does??? Has there been an update to the Adequacy Decision back in 2016

    2) to be able to fulfill my customers rights relating to data transfer, data access, comms preferences.

    i can do most of these on my own without any need for skftware change, but i'm still not clear how i can mange communication preferences within Insightly, nor how i can easily create a report for a Subject Access Request. Most other CRM providers I know have worked to provide their users with functionality to make this easier.

    By 25th May, we need to have communicated our Privacy Policy (inc info on data transfer outside of the EU arrangements) to all of our customers/contacts. We also need to be able to fulfill our customer rights by then.

    Please be a bit more responsive on this. Is there an Insightly legal person that you could put on here for us to ask questions of???? 


    Thank you


  • Jennie - I'm not a lawyer, but I am a customer, and every single US company that supplies SaaS services to my EU based company is implementing the model contract clauses as recommended by the EU.  Except Insightly (although who knows, maybe they are going to surprise us all at the eleventh hour!)

  • I agree with @Adam Smith, I am more worried about articles 28 and 46. The security and consent-based rights are exercisable in the existing software, as @Jennie Moule notes. Compliance with PECR is an operational issue which Insightly can't impact.

    We are working on moving to Trello

  • Hi Folks! 

    I'm happy to share that we have a slew of updates regarding GDPR.

    • We now have an entire marketing page for GDPR (, 
    • We've updated our Privacy Policy and made some minor changes in product.
    • There is a contract called the Data Processing Addendum that you have to download, fill out, and send back to us. You can find this contract in the Privacy Policy.

    All GDPR info plus some new very helpful articles can be found HERE.

    Thank you and we appreciate everyone's patience on this.


  • Up until this situation happened we were happy, Insightly is an okay product, we didn’t however wish to risk a similar situation again, and such a lack of communication towards clients. So today completed a system transfer of all data to a new system, and feel much more comfortable that we wont be treated like this again

    Wish you the best insightly… and thank you for the push, it was not your application, it was your lack of clear communication.

  • Hi Paul Mac,

    Thank you for being an Insightly customer and we're sorry to see you go. We apologize if our updates weren't timely enough, but that was the best we could do at the time. Our Community team has given updates as we received them and we were able to be fully GDPR compliant 10 days before the deadline. 

  • Hi Dennis B,

    I note that you have provided a contract addendum to satisfy GDPR article 28 conditions. Since you cannot know whether a customer has listed people that bring your service within GDPR reach due to the geographical extension, I assume you have either signed addendum from every one of your customers, or a statement confirming they have not recorded data of any person protected by GDPR?

    Further, I note that the page with a list of sub-processors includes an option to sign-up for updates. Article 28(2) puts the onus on you to obtain permission for new/changed sub-processors. I suggest you remove the option to opt-out of these notifications if an addendum is signed.

    Where you do not have a signed addendum, you will either be in breach of article 28(10) as you are a controller, or article 28(3)(g) as you are processing outside of a binding contract.

    I also note that the role-based permissions function is not available in the free or basic subscriptions. Where you are bound by contract and a processor, you have a legal duty to support controllers to comply with article 32(4) (article 28(3)(f)). I assume you notify clients that they are unlikely to be compliant with GDPR without this functionality?

    I haven't been through your 'GDPR compliance' in any serious detail, but do me, you still seem quite a long way off.



    ps I know we are in breach by leaving our data on your system, so I am being slightly hypocritical!

Please sign in to leave a comment.