FreeAgent and GDPR Compliance

What is the GDPR?

The General Data Protection Regulation (GDPR) imposes strict controls on how all organisations collect and process personal data within the EU and/or the personal data of EU citizens.

The enforcement of the GDPR is overseen by the UK’s supervisory authority, the Information Commissioner’s Office (ICO). It ensures that everyone is playing by the rules and that the rights of data subjects - the people whose data is being processed - are correctly protected.

Those individuals or businesses which determine the purposes and means of processing personal data are referred to as data controllers under the GDPR, whereas a data processor is responsible for processing data on behalf of the data controller.

The regulation outlines six key principles for organisations that process individuals’ personal information. These are that data shall be:

  • processed lawfully, fairly and transparently
  • collected for specified, explicit and legitimate purposes
  • adequate, relevant and limited to what is necessary for processing
  • accurate and kept up to date
  • retained only for as long as necessary
  • processed in an appropriate manner to maintain security

What has FreeAgent done to prepare for GDPR?

We’re constantly improving the technical and organisational security measures we have in place to protect your data and are committed to being fully compliant with GDPR. We will also support you with your own compliance obligations regarding any customer data held within FreeAgent.

Here are some of the ways we are committed to GDPR compliance:

Awareness & accountability

We have a company-wide commitment to compliance with the GDPR. Everyone working at FreeAgent understands what their own responsibilities and those of the company are.

Audit

We have undertaken an extensive audit to clearly document what data we hold, where we hold it, where that data comes from and where it goes. This enables us to keep track of all data and helps us to make the right decisions when it comes to making sure that your data is always protected.

Policies

We updated our privacy policy so that you can see exactly how, why and where we may be processing your data, and how long we hold it for. We also let you know what to do if you don’t think we're doing a great job.

Data processing addendum (DPA)

We've made available a DPA for our accountancy partners to download and sign, if required for their record-keeping. For direct customers, our privacy policy covers the required terms of data processing under the GDPR and a DPA is not required.

Basis and consent

By signing up to FreeAgent, you are entering into an agreement which gives us a legitimate basis to process your data, in line with GDPR requirements. In other words, in order for you to benefit fully from using FreeAgent, we need to process some of your data.

However, in order to keep you up to date with helpful tips, events, exciting news and offers, we will need your explicit consent. We make sure it’s obvious where and how you can agree to this and you can unsubscribe from these updates at any time.

Your rights

Under the GDPR you have the right to see a full copy of any data we hold about you, and also the right to request that it is fully deleted from our system (although we may be required to keep some records to ensure that you are not contacted in future, or to comply with any legal obligations).

This is also true for the data you hold about your customers within FreeAgent - you need to be able to adhere to GDPR requirements too and it is our job to help you do that.

How does FreeAgent help you comply with GDPR?

If you're a small business owner

Here's how your data is structured in FreeAgent under GDPR:

Diagram of data processors, controllers and subprocessors in FreeAgent for small business owners

As we act as a data processor for our customers, we are committed to ensuring that you are able to meet your own obligations as a data controller.

As a data controller, you need to be able to respond to data requests from your contacts (the data subjects) in FreeAgent.

As far as the data in FreeAgent is concerned, this includes:

Keeping data secure

We are constantly improving our security measures to keep the information we hold within FreeAgent safe and whenever we work with third parties (subprocessors) to help us provide our service, we ensure that their security processes are as robust as our own.

We are continually adding features to our service to improve security. This includes features such as active sessions, login attempts and 2-Step Verification.

Keeping data accurate and up to date

FreeAgent makes it easy for you to maintain an accurate and up-to-date record of your contact’s details. When you update a contact’s information on their contact card, FreeAgent automatically pulls the latest information through to any new invoices or emails. This only applies to newly created documents, however; any historic invoices or emails stored in FreeAgent will still contain the information that was correct at the time you created them. This is because HMRC says that you need to keep full copies of your historic information.

Providing a copy of an individual’s data

Using the Export All Data feature on FreeAgent makes it easy to create a copy of all the data you hold on a contact. This feature exports all your data from your FreeAgent account and by 25th May 2018 will also export all your files and attachments.

Deleting a contact’s data

If one of your contacts asks for their information to be permanently removed from your records, they have the right to have their data deleted as fully as possible. Under GDPR this is the responsibility of the data controller, so if one of your contacts asks FreeAgent to do this, we have to refer them back to you. Your legal obligations to HMRC come before an individual’s right to be forgotten under GDPR, and we’ve built safeguards into our software to make sure you balance both of these requirements.

Once you've created a transaction (i.e. an invoice, estimate, bill, project or timeslip) for a contact, you will only be able to delete that contact after you've deleted all the transactions relating to them in FreeAgent. Once you have done this, you will see the option to ‘delete’ in that contact’s details screen.

However, because HMRC requires self-employed professionals to keep a copy of their records for at least five or six years after the relevant self assessment submission date, and limited companies to keep a copy of their records for at least six years after their accounting year end, you should not delete a contact from FreeAgent with transactions that fall within these periods.

In addition, FreeAgent doesn’t allow you to delete transactions that are dated within a locked period or those that are attached to a filed VAT return, which means that you won’t be able to delete any contacts with transactions that fall into either of these categories. In this way, FreeAgent helps you to ensure that you are not deleting any information that you are required to keep for HMRC.

Please be aware that deleting transactions linked to a contact will have an effect on your accounts and once you’ve deleted any information in FreeAgent it can’t be restored. If you're unsure whether or not to delete any data in FreeAgent then please do check with your accountant.

If you're an accountant

Here's how your data is structured in FreeAgent under GDPR:

Diagram of data processors, controllers and subprocessors in FreeAgent for accountants

As a data controller, you need to be able to respond to data requests from your clients (the data subjects) in FreeAgent.

As far as the data in FreeAgent is concerned, this includes:

Keeping data secure

We are constantly improving our security measures to keep the information we hold within FreeAgent safe and whenever we work with third parties (subprocessors) to help us provide our service, we ensure that their security processes are as robust as our own.

Keeping data accurate and up to date

FreeAgent makes it easy to maintain up-to-date records. Updating a client’s information on the client details page will automatically pull the latest information through to their account. Similarly if a client updates their information via their own account, this will pull through to your dashboard.

Providing a copy of a client's data

Using the Export All Data feature makes it easy to create a copy of all the data you hold for a client on FreeAgent. This feature exports all account data from their FreeAgent account and by 25th May 2018 will also export all files and attachments associated with that client.

Deleting a client’s data

If one of your clients asks for their information to be permanently removed from your records, they have the right to have their data deleted as fully as possible. (Under GDPR this is the responsibility of the data controller, so if one of your clients asks FreeAgent to delete their information, we have to refer them back to you.)

By the 25th May 2018, we will have introduced the ability for you to remove a client from your dashboard directly from your account. This will not delete the client’s data, but will transfer their account to one which is directly managed by them, removing your access to the data. The data held in the account is then their responsibility to manage or delete.

Please be aware that deleting transactions linked to a contact will have an effect on your accounts and once you’ve deleted any information in FreeAgent it can’t be restored. If you're unsure whether or not to delete any data in FreeAgent then please do check with your accountant.

Contacting us

If you ever want to contact us about GDPR, data protection or to find out more about how we process your data, please feel free to drop an email to yourData@freeagent.com and somebody will get back to you as soon as possible.

Where can I learn more about GDPR?

The UK Information Commissioner’s Office website is a great resource for GDPR information: https://ico.org.uk

Company Contact

FreeAgent
One Edinburgh Quay
133 Fountainbridge
Edinburgh
Scotland United Kingdom
EH3 9QG