FreeAgent and GDPR Compliance
Version 3.8: This statement was produced on 25th October 2017. It may be updated in the future and we'll post the new version here on our website.
May the Enforcement be with you
25th May 2018 is looming large on the calendar, marking an important event in time ... the new Star Wars movie about Han Solo, Solo: A Star Wars Story, is released! However, you may also have heard that new European Union data processing laws - known as the EU General Data Protection Regulation (GDPR) - will come into force on this date.
GDPR will impose strict controls on how all organisations collect and process personal data within the EU and/or personal data of EU citizens. Whatever happens with the UK’s Brexit timetable, the UK is expected to enforce the full range of GDPR requirements.
The regulation outlines six key principles for organisations that process individuals’ personal information. These are that data shall be:
- processed lawfully, fairly and transparently
- collected for specified, explicit and legitimate purposes
- adequate, relevant and limited to what is necessary for processing
- accurate and kept up to date
- retained only for as long as necessary
- processed in an appropriate manner to maintain security
What is FreeAgent doing to prepare for GDPR?
We’re constantly improving the technical and organisational security measures we have in place to protect your data and are working hard to ensure we’ll be fully compliant with GDPR when it comes into force. The work we are doing will also help you with your own compliance obligations regarding any customer data held within FreeAgent.
Under the terms of GDPR, FreeAgent will only ever collect, store and process personal data such as contact details, bank account details and IP addresses. We may also store National Insurance, passport, payroll and PAYE numbers, but only if you add them yourself. We will not collect, store or process data that is classed as sensitive under GDPR.
Here are some of the ways we are ensuring that we’re fully GDPR compliant by May 2018:
Awareness & accountability
We have a company-wide commitment to ensuring complete compliance with GDPR. Our progress is communicated throughout all departments each quarter, so that everyone working at FreeAgent understands what needs to be done and by when.
We’re undertaking an extensive audit to clearly document what data we hold, where we hold it, where that data comes from and where it potentially goes. This will enable us to keep track of all data and allow us to make the right decisions in making sure that your data is always protected.
We will update our Privacy and Cookie Policies along with our Terms of Service so that you can see exactly how, why, where and for how long we may be processing and holding your data. We’ll also let you know what to do if you don’t think we are doing a great job.
Basis and consent
By signing up to FreeAgent, you are entering into an agreement which gives us a legitimate basis to process your data, in line with GDPR requirements. In other words, in order for you to benefit fully from using FreeAgent, we will need to process some of your data.
However, in order to keep you up to date with helpful tips, events and exciting news, we will need your explicit consent. We’ll make sure it’s obvious how and where you can agree to this, and we’ll allow you to easily change your mind.
Under GDPR you have the right to see a full copy of any data we hold about you, and also the right to request that it is fully deleted from our system (although we may be required to keep some records to ensure that you are not contacted in future, or to comply with any legal obligations).
This is also true for the data you hold about your customers within FreeAgent - you need to be able to adhere to GDPR requirements too, and it is our job to help you do that. We will continue to keep you up to date with our progress on this via the website, newsletters or social media.
Security is a priority in everything we do while developing and delivering FreeAgent. We are constantly evaluating potential threats to understand if there is any risk to your data. As potential threats are constantly evolving, we use a number of technical and organisational measures - which are also continually adapting - to stay ahead of the bad guys.
FreeAgent are based in Edinburgh, so we ultimately answer to the UK Information Commissioner’s Office (ICO) regarding Data Privacy and Protection. We register annually with the ICO under agreement number Z1055818.
Despite all our best efforts, should the unthinkable happen and we suffer a significant data breach that puts your personal data at risk, we have a legal duty to report this to the ICO within 72 hours of discovery. We are updating our internal Security Incident Response Policy and Procedures to include mandatory notification requirements, both with the ICO and publicly with you, our customers.
Maintaining your privacy is really, really important to us. You can rest assured that we have your best interests at heart.
If you ever want to contact us about GDPR, data protection or how we handle your data in general, please feel free to drop an email to yourData@freeagent.com and somebody will get back to you as soon as possible.
Where can I learn more about GDPR?
You can go directly to the European Commission website for a full run down of everything GDPR-related: http://ec.europa.eu/justice/data-protection/index_en.htm
The UK Information Commissioner’s Office website is also another great resource for GDPR info: https://ico.org.uk/for-organisations/data-protection-reform
Finally, at FreeAgent we’ll be posting updates as we continue our GDPR preparations, so keep an eye on our website, social media and newsletters for updates.