What is GDPR?
In 2012, the European Commission began a process to reform Europe’s existing data protection laws by proposing a new data protection regulation to replace the current Data Protection Directive. The General Data Protection Regulation (GDPR) was agreed and adopted in 2016 and came into effect on 25 May 2018.
GDPR aims to make data protection regulations:
- more relevant: Updating the European Union (EU) data protection standards to make them more suitable for today’s world
- more comprehensive: Remedying some of the perceived deficiencies of the current Data Protection Directive
- more unified: Achieving a better, more harmonised standard of data protection throughout the EU.
What GDPR has changed
GDPR meant significant change, but was a great opportunity for companies to take stock of their data processing activities and make sure they were protecting customer data appropriately.
While many organisations were already doing the right thing when it came to personal data, GDPR required organisations to document and be able to show how they comply with data protection requirements. This meant additional documentation of systems, processes and procedures.
On top of existing rights in the EU, like the right to access and correct personal data held by an organisation, GDPR introduced new data protection rights for individuals. This included the right to obtain and reuse personal data across different services, and the right of erasure.
Privacy by design
Organisations must implement technical and organisational measures to show they have considered and integrated data compliance measures into their data processing activities. This builds on the idea that privacy should be considered from the start of (and throughout) the systems and product design process.
How GDPR impacts your business
GDPR applies to every company in the world that processes personal data about people in the EU. Check out our GDPR guide for more information on how GDPR affects your business and what you can do to make sure you stay compliant.
What Xero has done to prepare for GDPR
We take our responsibilities under GDPR seriously. When the regulation was first introduced, we embarked on a programme to identify which measures we needed to implement for GDPR compliance. Here’s a summary of some of the key things we did:
Data maps: We created comprehensive data maps that track personal data flows throughout our systems and services
Data processing records: We produced GDPR-compliant data processing records
Vendors: We put GDPR-compliant terms in place with our vendors
Data subject rights: We put processes in place for dealing with key data subject rights
Data processing addendum (DPA): We produced a GDPR-compliant DPA (see the FAQs below for more information)
Privacy notice: We updated our privacy notice to be GDPR-compliant as well as to be clearer, more concise and more transparent about how we process personal data
Data breach notification: We updated our incident response procedures to bring them in line with GDPR
Data protection training: We implemented a company-wide data protection training module for all Xero personnel
Data protection impact assessment (DPIA): We implemented a DPIA procedure and integrated that into our system and product development
“We see GDPR as a positive step forward for data protection that organisations should embrace. It’s a great opportunity to look under the hood and ensure data protection practices are where they need to be.”
– Gary Turner, former Managing Director, Xero UK & EMEA
GDPR has arrived and it’s here to stay. We worked hard to make sure we were ready (and yes, we were) but the hard work didn’t stop there; it was just the beginning. At Xero, we’re always looking for ways to improve, and we’ll continue to embed data protection into our systems and processes.
Where does Xero store customer data?
Similar to many software-as-a-service providers, we use Amazon Web Services (AWS), a top-tier, third-party data hosting provider with servers located in the US to host our online and mobile services.
Will Xero be storing EU customer data in the EU?
Xero has no short-term plans to store data in the EU, and this isn’t required under GDPR.
GDPR requires companies to implement appropriate safeguards when they export personal data out of the EU, and Xero makes sure it complies with EU data export restrictions when it exports data outside of the EU,
How does Xero comply with EU data export restrictions?
When personal data is hosted or processed outside of the European Economic Area by Xero, GDPR requires that it remains protected by appropriate safeguards in line with EU law. There are a few ways that Xero achieves this.
First, some of our EU customers’ data is processed in New Zealand (where our headquarters are located). New Zealand is recognised by the EU as an ‘adequate’ country (that is, a safe country) to receive and process EU personal data, pursuant to European Commission Decision 2013/65/EU.
When we process EU customer data in other territories, like the United States of America or Australia, we ensure the ‘appropriate safeguards’ that are prescribed by GDPR are in place, that is, by entering into the European Commission’s standard contractual clauses with the entity the data is transferred to.
What security measures do you have in place to protect data?
Protecting our customers’ data is fundamental to everything we do. To better understand our security practices, you can refer to our security pages:
Xero has also completed a SOC 2 Type 2 report. The report covers the trust services principles and criteria for security, availability, and confidentiality. SOC 2 audits are carried out by Ernst and Young, so it’s an independent assessment of Xero’s control environment against an internationally recognised assurance standard.
Do you have a GDPR-compliant data processing agreement/addendum for us to sign?
Who are Xero’s subprocessors?
What does the European Court of Justice ruling about the Privacy Shield mean?
On 16 July 2020, the Court of Justice of the European Union (CJEU) determined that the EU-US Privacy Scheme was invalid. The Privacy Shield had previously been held to be an adequate method to lawfully transfer personal data from the EU to the US.
Xero does not rely on the Privacy Shield to transfer data to these subprocessors, so these transfers are not affected by this decision.
Regardless of this decision, all data transfer by Xero (whether to a third party or otherwise) is done in accordance with Xero’s security controls.