GDPR Centre

With the GDPR deadline fast approaching, here we’ve shared some information on what it is, how it will affect you and what Xero is doing to get ready.

What is GDPR?

In 2012, the European Commission began a process to reform Europe's existing data protection laws by proposing a new data protection regulation to replace the current Data Protection Directive. GDPR was agreed and adopted in 2016 and will take effect on 25 May 2018.

GDPR aims to make data protection regulations:


More relevant

Updating EU data protection standards to make them more suitable for today’s world


More comprehensive

Remedying some of the perceived deficiencies of the current Data Protection Directive


More unified

Achieving a better, more harmonised standard of data protection throughout the EU

What does GDPR change?

GDPR means significant change, but it’s a great opportunity for companies to take stock of their current data processing activities and make sure they’re protecting customer data appropriately.

demonstrable compliance
Demonstrable compliance

While many organisations already do the right thing when it comes to personal data, GDPR requires organisations to document and be able to show how they comply with data protection requirements. This means additional documentation of systems, processes and procedures.

enhanced rights
Enhanced rights

On top of existing rights in the EU, like the right to access and correct personal data held by an organisation, GDPR introduces new data protection rights for individuals such as the right to obtain and reuse personal data across different services, and the right of erasure.

privacy by design
Privacy by design

Organisations must implement technical and organisational measures to show they have considered and integrated data compliance measures into their data processing activities. This builds on the idea that privacy should be considered from the start (and throughout) the systems and product design process.

How will GDPR impact your business?

GDPR applies to every company in the world that processes personal data about people in the EU. Check out our GDPR guide for more information on how GDPR will affect your business and what you can do to get prepared.

Read guide

What is Xero doing about GDPR?

We take our responsibilities under GDPR seriously. That’s why we’ve embarked on a programme to identify which measures we need to implement to be compliant with GDPR, and are working to implement them in time for May this year. Here is a quick summary of what we’ve done to date:

  • We conducted a comprehensive GDPR audit and gap assessment. Following the gap assessment, we created an internal roadmap to work towards compliance with GDPR by 25 May 2018
  • We have started our internal education program to deliver GDPR-focused training across key areas of the business, so that they’re aware of what GDPR requires and how it impacts their day-to-day roles
  • We’re engaging with product and security teams to consider and make the necessary changes/improvements to our product
  • We conducted a comprehensive data-mapping exercise that tracks personal data flows throughout our systems and services. We are in the process of finalising the data maps
  • We're reviewing our key third-party vendor arrangements to make sure we have the appropriate contractual protections in place to satisfy GDPR requirements
  • We’re refining procedures to deal with some key data subject rights, like subject access requests and the right to request deletion

“We see GDPR as a positive step forward for data protection that organisations should embrace. It's a great opportunity to look under the hood and ensure data protection practices are where they need to be.”

- Gary Turner, Managing Director, Xero UK & EMEA

What’s next

Some of the key items we will be working on over the coming months are:

  • Updating our external-facing policies to be GDPR compliant and publishing those updated policies ahead of the GDPR effective date
  • Developing a GDPR-compliant data retention policy 
  • Updating our data breach procedures to bring them in line with GDPR
  • Developing and implementing company-wide data protection training 
  • Finalising our data maps and data-processing records
  • Integrating privacy by design into system and product development, including through the creation and implementation of data protection impact assessments