GDPR centre

GDPR has arrived. Here we’ve shared some information on what it is, how it affects you and what Xero has done to get prepared. 

What is GDPR?

In 2012, the European Commission began a process to reform Europe's existing data protection laws by proposing a new data protection regulation to replace the current Data Protection Directive. GDPR was agreed and adopted in 2016 and came into effect on 25 May 2018. 

GDPR aims to make data protection regulations:


More relevant

Updating EU data protection standards to make them more suitable for today’s world


More comprehensive

Remedying some of the perceived deficiencies of the current Data Protection Directive


More unified

Achieving a better, more harmonised standard of data protection throughout the EU

What does GDPR change?

GDPR means significant change, but it’s a great opportunity for companies to take stock of their current data processing activities and make sure they’re protecting customer data appropriately.

Demonstrable compliance

While many organisations already do the right thing when it comes to personal data, GDPR requires organisations to document and be able to show how they comply with data protection requirements. This means additional documentation of systems, processes and procedures.

Enhanced rights

On top of existing rights in the EU, like the right to access and correct personal data held by an organisation, GDPR introduces new data protection rights for individuals such as the right to obtain and reuse personal data across different services, and the right of erasure.

Privacy by design

Organisations must implement technical and organisational measures to show they have considered and integrated data compliance measures into their data processing activities. This builds on the idea that privacy should be considered from the start of, and throughout, the systems and product design process.

How will GDPR impact your business?

GDPR applies to every company in the world that processes personal data about people in the EU. Check out our GDPR guide for more information on how GDPR affects your business and what you can do to make sure you stay compliant.


What has Xero done to get prepared for GDPR?

We take our responsibilities under GDPR seriously. Many months ago we embarked on a programme to identify which measures we needed to implement for GDPR compliance. Here is a summary of some of the key things we’ve done:

  • Data Maps – We’ve created comprehensive data maps that track personal data flows throughout our systems and services
  • Data Processing Records – We’ve produced GDPR compliant data processing records
  • Vendors – We’ve put GDPR compliant terms in place with our vendors
  • Data Subject Rights – We’ve put processes in place for dealing with key data subject rights
  • Data Processing Addendum – We’ve produced a GDPR compliant DPA (for more information see the FAQs below)
  • Privacy Notice – We’ve updated our privacy notice to be GDPR compliant as well as more clear, concise and transparent about how we process personal data
  • Data Breach Notification – We’ve updated our incident response procedures to bring them into line with GDPR
  • Data Protection Training – We’ve implemented a company-wide data protection training module for all Xero personnel
  • Data Protection Impact Assessment – We’ve implemented a DPIA procedure and integrated that into our system and product development


“We see GDPR as a positive step forward for data protection that organisations should embrace. It's a great opportunity to look under the hood and ensure data protection practices are where they need to be.”

- Gary Turner, Managing Director, Xero UK & EMEA

What’s next

GDPR has arrived and it’s here to stay. We’ve been working hard to make sure we’re ready (and yes, we’re ready) but the hard work doesn’t stop here. This is just the beginning! At Xero, we are always looking for ways to improve, and will continue to embed data protection into our systems and processes well past 25 May.