5 things you need to know about GDPR

Posted 4 months ago in Advisors by Damon Anderson

No doubt you’ve heard a lot recently about the EU’s General Data Protection Regulation (GDPR). It’s an important piece of legislation, yet some organisations are underprepared. With less than three months until the deadline for compliance on 25th May, here’s what you need to know.

1. Understand the spirit of GDPR

You don’t need to wade through pages and pages of legal text. Put simply, the regulation is designed to put personal data back in the hands of the individual who owns it and ensure organisations are transparent about how they handle personal data.

2. Take a good look at how you handle personal data

Make sure your practices are in line with GDPR. Only collect personal data that you need and only store it for as long as you need it.

3. Check your data storage systems are secure

Don’t store personal data unencrypted on a USB stick, for example, or leave it on an unsecured web server. Data breaches can lead to big fines under the regulation, so keep it secure, encrypted and safe from prying eyes.

4. Make someone in your organisation ultimately responsible for data protection

This person should be properly trained and briefed on their obligations. Depending on the nature of your organisation, this person could be your Data Protection Officer (if you’re required to appoint one), Chief Data Officer, or Privacy Counsel.

5. Treat personal data with care and respect

This is the simplest part of the whole thing. Treat the personal data you collect the same way you expect your personal data to be treated.

If you’ve already started thinking about GDPR and have good practices in place, none of this should be a huge problem. If not, don’t panic, but make sure you take action now to get your house in order. Even though it might seem scary at first, GDPR is a step in the right direction for data protection and should be welcomed.

Head over to our GDPR centre for more information on GDPR and what Xero is doing to get prepared. If you’re a small business or an advisor to one, you can also check out our GDPR guide.



customer service essay
March 19, 2018 at 4.19 pm

While compliance with GDPR regulations will be no small task for most enterprises, the use of automation makes the task more manageable. Though not every organization is as proactive as they should be, there is still time for those companies to prepare for the GDPR regulations and avoid the imposition of fines. Enterprises that have been more proactive in automating their IG strategies are in a better position to comply with the GDPR than others. Companies most likely to avoid fines are those with a DPO in place, who can document the automated steps taken to provide the required protections to personal sensitive data. Similarly, corporations with established IT security protocols and passed audits will have an easier path toward GDPR compliance.

Rainer Eck
April 2, 2018 at 9.04 pm

Thank you for this great impact, very informative and straightforward! Helped a lot to build our goals.

Steve S
May 29, 2018 at 6.47 am

It should also be mentioned that organisations need to be able to prove someone consented to receiving emails. Part of this evidence might come from the mailing service (e.g. Aweber) they use to manage the list. The other part involves documentary evidence of what the form looked like when the person opted in, i.e. what they actually agreed to receive. That means either manually recording forms by taking dated screenshots etc. and ensuring you can link it back to each lead coming through, or using a service like optinopoli that records the form used by each lead for you.

June 20, 2018 at 6.03 am

I have a question. If I am a controller and I am working with a processor who is a huge corporation and they seem not to be compliant with the GDPR, what are my options when negotiating the data protection agreement?
