What does GDPR change?
GDPR means significant change, but it’s a great opportunity for companies to take stock of their current data processing activities and make sure they’re protecting customer data appropriately.
While many organisations already do the right thing when it comes to personal data, GDPR requires organisations to document and be able to show how they comply with data protection requirements. This means additional documentation of systems, processes and procedures.
On top of existing rights in the EU, like the right to access and correct personal data held by an organisation, GDPR introduces new data protection rights for individuals such as the right to obtain and reuse personal data across different services, and the right of erasure.
Privacy by design
Organisations must implement technical and organisational measures to show they have considered and integrated data compliance measures into their data processing activities. This builds on the idea that privacy should be considered from the start of (and throughout) the systems and product design process.
How will GDPR impact your business?
GDPR applies to every company in the world that processes personal data about people in the EU. Check out our GDPR guide for more information on how GDPR will affect your business and what you can do to get prepared.
What is Xero doing about GDPR?
We take our responsibilities under GDPR seriously. That’s why we’ve embarked on a programme to identify which measures we need to implement to be compliant with GDPR, and are working to implement them in time for May this year. Here is a quick summary of what we’ve done to date:
- We conducted a comprehensive GDPR audit and gap assessment. Following the gap assessment, we created an internal roadmap to work towards compliance with GDPR by 25 May 2018
- We have started our internal education program to deliver GDPR-focused training across key areas of the business, so that they’re aware of what GDPR requires and how it impacts their day-to-day roles
- We’re engaging with product and security teams to consider and make the necessary changes/improvements to our product
- We conducted a comprehensive data-mapping exercise that tracks personal data flows throughout our systems and services. We are in the process of finalising the data maps
- We’re reviewing our key third-party vendor arrangements to make sure we have the appropriate contractual protections in place to satisfy GDPR requirements
- We’re refining procedures to deal with some key data subject rights, like subject access requests and the right to request deletion
Some of the key items we will be working on over the coming months are:
- Updating our external-facing policies to be GDPR compliant and publishing those updated policies ahead of the GDPR effective date
- Developing a GDPR-compliant data retention policy
- Updating our data breach procedures to bring them in line with GDPR
- Developing and implementing company-wide data protection training
- Finalising our data maps and data-processing records
- Integrating privacy by design into system and product development, including through the creation and implementation of data protection impact assessments
Like many SaaS providers, we use a top-tier, third-party data hosting provider (Amazon Web Services) with servers located in the U.S. to host our online and mobile services. For more information about AWS’s approach to compliance with the GDPR, see https://aws.amazon.com/compliance/gdpr-center/.
Xero has no short-term plans to store data in the EU, and this isn’t required under GDPR. Instead, GDPR requires companies to implement appropriate safeguards when they export personal data out of the EU.
Xero makes sure that it complies with EU data export restrictions when it exports data outside of the EU, and will be doing a full audit prior to May 2018 on the data export mechanisms it has in place to ensure they comply, and will continue to comply, with GDPR.
When personal data is hosted or processed outside of the European Economic Area by Xero, GDPR requires that it remains protected by appropriate safeguards in line with EU law. There are a few ways that Xero achieves this.
First, some of our EU customers' data is processed in New Zealand (where our Headquarters are located). New Zealand is recognised by the EU as an 'adequate' country (i.e. safe country) to receive and process EU personal data, pursuant to European Commission Decision 2013/65/EU.
When we process EU customer data in other territories, like the United States of America or Australia, we ensure "appropriate safeguards" are in place that are prescribed by GDPR – i.e., by entering into the European Commission’s Standard Contractual Clauses with the entity the data is transferred to, or by ensuring the entity is Privacy Shield certified (for transfers to US based entities).
Xero is a New Zealand-headquartered company, with offices all over the globe – we are not a US-headquartered company. Privacy Shield is only one of a few available mechanisms to transfer data outside of the EU, and certification against the Privacy Shield is not a legal requirement. We rely on a combination of measures to ensure compliance with EU data export rules, including Model Clauses.
Protecting our customers' data is fundamental to everything we do. To better understand our security practices, you can refer to our Security Pages:
Xero has also completed a SOC 2 Type 2 report. The report covers the Trust Services Principles and Criteria for Security, Availability, and Confidentiality. SOC 2 audits are carried out by Ernst & Young, so the report is an independent assessment of Xero’s control environment against an internationally recognised assurance standard. You can request a copy of Xero’s SOC 2 report at https://www.xero.com/about/security/soc-report/.