The General Data Protection Regulation (GDPR) is almost upon us. The 25th May 2018 deadline for businesses to meet their data compliance obligations is just a couple of weeks away and we’ve been working hard to make sure we’re compliant with the new data protection rules.
We know that GDPR is a big deal for our customers too, and we're committed to supporting you with your own GDPR requirements within FreeAgent. While data security has always been a top priority for us, we’ve made some updates in our software so you have the tools you need to handle your contacts’ data in a compliant manner.
Before we go into that, however, let’s take a quick look at the GDPR roles that apply to the data held in FreeAgent and who is responsible for what.
As the UK’s supervisory authority, the Information Commissioner’s Office (ICO) ensures that everyone is playing by the rules and that the rights of data subjects - the people whose data is being processed - are correctly protected.
Data controllers determine the purposes and means of processing personal data. A data processor is responsible for processing data on behalf of the data controller.
As we act as a data processor for our customers, we are committed to ensuring that you are able to meet your own obligations as a data controller.
What are the specific duties of a data controller?
As a data controller, you are responsible for the personal data of your contacts (the data subjects) that you hold in FreeAgent, including responding to any requests they make about that data.
As far as the data in FreeAgent is concerned, this includes:
- Keeping data secure
- Keeping information accurate and up to date
- Providing a copy of all data you hold on an individual if requested
- Deleting all data you hold on an individual (where possible)
Keeping data secure
We are constantly improving our security measures to keep the information we hold within FreeAgent safe and whenever we work with third parties (subprocessors) to help us provide our service, we ensure that their security processes are as robust as our own.
Recently, we added new security features such as an active sessions list and a login attempts log, so you can check whether there has been any unauthorised activity on your account. Our password security calculator will help you choose a strong password, and we also recommend that you enable the 2-Step Verification feature to add a second factor to your login. If you’re worried about anyone at FreeAgent being able to see what’s going on in your account, you don’t need to be. You are the king or queen of your own castle when it comes to your account: no-one at FreeAgent can see your data unless you explicitly grant them access.
Keeping data accurate and up to date
FreeAgent makes it easy for you to maintain an accurate and up-to-date record of your contacts’ details. When you update a contact’s information on their contact card, FreeAgent automatically pulls the latest information through to any new invoices or emails. This only applies to newly created documents, however; any historic invoices or emails stored in FreeAgent will still contain the information that was correct at the time you created them. This is deliberate: HMRC requires you to keep full copies of your historic records exactly as they were issued.
Providing a copy of an individual’s data
The Export All Data feature in FreeAgent makes it straightforward to produce a copy of the data you hold on a contact. It exports all of the data in your FreeAgent account, and by 25th May it will also export all of your files and attachments, so you can locate and extract the records that relate to the individual who made the request.
Deleting a contact’s data
If one of your contacts asks for their information to be permanently removed from your records, they have the right to have their data deleted as fully as possible. Under GDPR this is the responsibility of the data controller, so if one of your contacts asks FreeAgent to do this, we have to refer them back to you. The right to be forgotten is not absolute, though: your legal obligation to HMRC to retain accounting records takes precedence over it, and we’ve built safeguards into our software to help you balance both of these requirements.
If you have created any transactions (i.e. invoices, estimates, bills, projects or timeslips) for a contact, you can only delete that contact after you have deleted all of the transactions relating to them in FreeAgent. Once you have done this, the ‘delete’ option will appear on that contact’s details screen.
However, HMRC requires self-employed professionals to keep a copy of their records for at least five or six years after the relevant self assessment submission date, and limited companies to keep a copy of their records for at least six years after their accounting year end. You should therefore not delete a contact from FreeAgent if they have transactions that fall within these periods.
In addition, FreeAgent doesn’t allow you to delete transactions that are dated within a locked period or those that are attached to a filed VAT return, which means that you won’t be able to delete any contacts with transactions that fall into either of these categories. In this way, FreeAgent helps you to ensure that you are not deleting any information that you are required to keep for HMRC.
Please be aware that deleting transactions linked to a contact will have an effect on your accounts and once you’ve deleted any information in FreeAgent it can’t be restored. If you're unsure whether or not to delete any data in FreeAgent then please do check with your accountant.
To find out more about FreeAgent and GDPR, you can read our GDPR statement.
Richard Grey is a Certified Information Systems Security Professional with over 15 years' experience managing personal data across various software solution providers. He is Head of Information Security at FreeAgent.