What does GDPR change?
GDPR means significant change, but it’s a great opportunity for companies to take stock of their current data processing activities and make sure they’re protecting customer data appropriately.
While many organisations already do the right thing when it comes to personal data, GDPR requires organisations to document and be able to show how they comply with data protection requirements. This means additional documentation of systems, processes and procedures.
On top of existing rights in the EU, like the right to access and correct personal data held by an organisation, GDPR introduces new data protection rights for individuals such as the right to obtain and reuse personal data across different services, and the right of erasure.
Privacy by design
Organisations must implement technical and organisational measures to show they have considered and integrated data compliance measures into their data processing activities. This builds on the idea that privacy should be considered from the start (and throughout) the systems and product design process.
How will GDPR impact your business?
GDPR applies to every company in the world that processes personal data about people in the EU. Check out our GDPR guide for more information on how GDPR affects your business and what you can do to make sure you stay compliant.Read guide
What has Xero done to get prepared for GDPR?
We take our responsibilities under GDPR seriously. Many months ago we embarked on a programme to identify which measures we needed to implement for GDPR compliance. Here is a summary of the some of the key things we’ve done
Data Maps – We’ve created comprehensive data maps that track personal data flows throughout our systems and services
- Data Processing Records – We’ve produced GDPR compliant data processing records
- Vendors – We’ve put GDPR compliant terms in place with our vendors
- Data Subject Rights – We’ve put processes in place for dealing with key data subject rights
- Data Processing Addendum – We’ve produced a GDPR compliant DPA (for more information see the FAQs below)
- Privacy Notice – We’ve updated our privacy notice to be GDPR compliant as well as more clear, concise and transparent about how we process personal data
- Data Breach Notification – We’ve updated our incident response procedures to bring them into line with GDPR
- Data Protection Training – We’ve implemented a company-wide data protection training module for all Xero personnel
- Data Protection Impact Assessment – We’ve implemented a DPIA procedure and integrated that into our system and product development
GDPR has arrived and it’s here to stay. We’ve been working hard to make sure we’re ready (and yes, we’re ready) but the hard work doesn’t stop here. This is just the beginning! At Xero, we are always looking for ways to improve, and will continue to embed data protection into our systems and processes well past 25 May.
Similar to many SaaS providers, we use a top-tier, third-party data hosting provider (Amazon Web Services) with servers located in the U.S., to host our online and mobile services. For more information about AWS’s approach to compliance with the GDPR, see https://aws.amazon.com/compliance/gdpr-center/.
Xero has no short term plans to store data in the EU, and this isn’t required under GDPR. Instead, GDPR requires companies to implement appropriate safeguards when they export personal data out of the EU.
Xero makes sure that it complies with EU data export restrictions when it exports data outside of the EU, and will be doing a full audit prior to May 2018 on the data export mechanisms it has in place to ensure they comply, and will continue to comply, with GDPR.
When personal data is hosted or processed outside of the European Economic Area by Xero, GDPR requires that it remains protected by appropriate safeguards in line with EU law. There are a few ways that Xero achieves this.
First, some of our EU customers' data is processed in New Zealand (where our Headquarters are located). New Zealand is recognised by the EU as an 'adequate' country (i.e. safe country) to receive and process EU personal data, pursuant to European Commission Decision 2013/65/EU.
When we process EU customer data in other territories, like the United States of America or Australia, we ensure "appropriate safeguards" are in place that are prescribed by GDPR – i.e., by entering into the European Commission’s Standard Contractual Clauses with the entity the data is transferred to, or by ensuring the entity is Privacy Shield certified (for transfers to US based entities).
Xero is a New Zealand-headquartered company, with offices all over the globe – we are not a US-headquartered company. Privacy Shield is only one of a few available mechanisms to transfer data outside of the EU, and certification against the Privacy Shield is not a legal requirement. We rely on a combination of measures to ensure compliance with EU data export rules, including Model Clauses.
Protecting our customers' data is fundamental to everything we do. To better understand our security practices, you can refer to our Security Pages:
Xero has also completed a SOC 2 Type 2 report. The report covers the Trust Services Principles and Criteria for Security, Availability, and Confidentiality. SOC 2 audits are carried out by Ernst and Young, so it's an independent assessment of Xero's control environment against an internationally recognised assurance standard. You can request a copy of Xero’s SOC 2 report at https://www.xero.com/about/security/soc-report/.