What is GDPR?
In 2012, the European Commission began a process to reform Europe’s existing data protection laws by proposing a new data protection regulation to replace the current Data Protection Directive. The General Data Protection Regulation (GDPR) was agreed and adopted in 2016 and came into effect on 25 May 2018.
GDPR aims to make data protection regulations:
- more relevant: Updating the European Union (EU) data protection standards to make them more suitable for today’s world
- more comprehensive: Remedying some of the perceived deficiencies of the current Data Protection Directive
- more unified: Achieving a better, more harmonised standard of data protection throughout the EU.
What GDPR has changed
GDPR meant significant change, but was a great opportunity for companies to take stock of their data processing activities and make sure they were protecting customer data appropriately.
While many organisations were already doing the right thing when it came to personal data, GDPR required organisations to document and be able to show how they comply with data protection requirements. This meant additional documentation of systems, processes and procedures.
On top of existing rights in the EU, like the right to access and correct personal data held by an organisation, GDPR introduced new data protection rights for individuals. This included the right to obtain and reuse personal data across different services, and the right of erasure.
Privacy by design
Organisations must implement technical and organisational measures to show they have considered and integrated data compliance measures into their data processing activities. This builds on the idea that privacy should be considered from the start of (and throughout) the systems and product design process.
How GDPR impacts your business
GDPR applies to every company in the world that processes personal data about people in the EU. Check out our GDPR guide for more information on how GDPR affects your business and what you can do to make sure you stay compliant.
What Xero has done to prepare for GDPR
We take our responsibilities under GDPR seriously. When the regulation was first introduced, we embarked on a programme to identify which measures we needed to implement for GDPR compliance. Here’s a summary of some of the key things we did:
- Data maps: We created comprehensive data maps that track personal data flows throughout our systems and services
- Data processing records: We produced GDPR-compliant data processing records
- Vendors: We put GDPR-compliant terms in place with our vendors
- Data subject rights: We put processes in place for dealing with key data subject rights
- Data processing addendum (DPA): We produced a GDPR-compliant DPA (see the FAQs below for more information)
- Privacy notice: We updated our privacy notice to be GDPR-compliant as well as to be clearer, more concise and more transparent about how we process personal data
- Data breach notification: We updated our incident response procedures to bring them in line with GDPR
- Data protection training: We implemented a company-wide data protection training module for all Xero personnel
- Data protection impact assessment (DPIA): We implemented a DPIA procedure and integrated that into our system and product development
“We see GDPR as a positive step forward for data protection that organisations should embrace. It’s a great opportunity to look under the hood and ensure data protection practices are where they need to be.”
– Gary Turner, former Managing Director, Xero UK & EMEA
GDPR has arrived and it’s here to stay. We worked hard to make sure we were ready (and yes, we were) but the hard work didn’t stop there; it was just the beginning. At Xero, we’re always looking for ways to improve, and we’ll continue to embed data protection into our systems and processes.
Where does Xero store customer data?
Similar to many software-as-a-service providers, we use Amazon Web Services (AWS), a top-tier, third-party data hosting provider with servers located in the US to host our online and mobile services. For more information about AWS’s approach to compliance with the GDPR, see https://aws.amazon.com/compliance/gdpr-center/.
Will Xero be storing EU customer data in the EU?
Xero has no short-term plans to store data in the EU, and this isn’t required under GDPR. Instead, GDPR requires companies to implement appropriate safeguards when they export personal data out of the EU.
Xero makes sure it complies with EU data export restrictions when it exports data outside of the EU, and planned a full audit prior to May 2018 on the data export mechanisms it had in place to ensure they comply, and would continue to comply, with GDPR.
How does Xero comply with EU data export restrictions?
When personal data is hosted or processed outside of the European Economic Area by Xero, GDPR requires that it remains protected by appropriate safeguards in line with EU law. There are a few ways that Xero achieves this.
First, some of our EU customers’ data is processed in New Zealand (where our headquarters are located). New Zealand is recognised by the EU as an ‘adequate’ country (that is, a safe country) to receive and process EU personal data, pursuant to European Commission Decision 2013/65/EU.
When we process EU customer data in other territories, like the United States of America or Australia, we ensure the ‘appropriate safeguards’ that are prescribed by GDPR are in place, that is, by entering into the European Commission’s standard contractual clauses with the entity the data is transferred to.
What security measures do you have in place to protect data?
Protecting our customers’ data is fundamental to everything we do. To better understand our security practices, you can refer to our security pages:
Xero has also completed a SOC 2 Type 2 report. The report covers the trust services principles and criteria for security, availability, and confidentiality. SOC 2 audits are carried out by Ernst and Young, so it’s an independent assessment of Xero’s control environment against an internationally recognised assurance standard. You can request a copy of Xero’s SOC 2 report at https://www.xero.com/about/security/soc-report.
Do you have a GDPR-compliant data processing agreement/addendum for us to sign?
Who are Xero’s subprocessors?
What does the recent European Court of Justice ruling about the Privacy Shield mean?
On 16 July 2020, the Court of Justice of the European Union (CJEU) determined that the EU-US Privacy Shield was invalid. The Privacy Shield had previously been held to be an adequate method to lawfully transfer personal data from the EU to the US. See further information on the Privacy Shield and its operation here. This decision has potentially wide-ranging impacts on organisations and data protection authorities, and we expect to see further guidance and advice on the impact of this decision within the coming weeks and months. Xero is taking time to consider the impact of the decision on its operations.
Our current list of Xero subprocessors is available. Xero does not rely on the Privacy Shield to transfer data to these subprocessors, so these transfers are not affected by this decision. Xero will continue to update its GDPR FAQs as we work through the impact of this decision, so please continue to check this page for updates.
Regardless of this decision, all data transfer by Xero (whether to a third party or otherwise) is done in accordance with Xero’s security controls. For further information about Xero’s approach to security, please visit https://www.xero.com/security/data-protection.