GDPR data protection principles
Under the General Data Protection Regulation (GDPR), you need to make sure you have policies and procedures in place to cover the data protection principles. You can find more detail about this from the ICO website, but to help you, we’ve put together some of the key points.
Fair and lawful processing in a transparent manner
You need to have a lawful basis for processing personal data. You can find out more about the different lawful bases from the ICO website.
Sage Corporation Tax is primarily designed to hold the data you need to perform your duties. If you do hold personal data in your software, you should review the purpose for holding the data, and make sure it meets the conditions set out by the GDPR. In many cases, this may be covered by your agreement with your client.
When you submit information to HMRC using Corporation Tax, only the information relevant to the submission is sent.
Corporation Tax collects usage information to aid product development. Any information shared with us is anonymised before it is sent; you can also choose to opt out of sharing this information with us.
Collected for specified legitimate purposes
Your practice should have procedures in place for identifying the reason for processing personal data. You need a clear and compelling case for why you need to use a person's data, and it's good practice to document the reasoning behind your decision. This also applies to data used for marketing purposes.
Adequate, relevant and limited to what’s necessary
You shouldn't collect more data than is necessary for the original purpose. Best practice is to work out which items of information you actually need to achieve your goal, document that list, and collect only those items.
Accurate and, where necessary, kept up to date
You should take reasonable steps to ensure the personal data you hold is accurate and up to date. Have a process in place that sets out how you'll maintain the data you're processing and storing, for example by carrying out regular audits of client records.
Kept in a form that permits identification for no longer than is necessary
The GDPR doesn't set out any specific minimum or maximum periods for keeping personal data. Instead, it says you must keep data no longer than is necessary for the purpose you obtained it for. This protects the individual by making sure irrelevant or out-of-date information is deleted. Review the length of time you keep personal data for and, if you don't already have one, create a retention policy that records the retention period for each type of data and the reason for it.
Once you've identified your retention dates, you need to remove any data that's no longer necessary. One way to do this is to overwrite the information in the relevant records to anonymise it, for example by changing the client name to XXX. Bear in mind that overwriting the name alone doesn't anonymise a record if other fields in it (addresses, reference numbers, contact details) could still identify the person; overwrite those too, or delete the record.
If you need to remove data, you can:
- Delete a client
- Delete online filing history
You can remove clients from your client list in Accounting Partner Edition if there are no active service subscriptions associated with them.
Processed in a manner that ensures appropriate technical and organisational security
You should keep the data you hold safe and secure and ensure you have appropriate protection and information security policies, procedures and standards in place. These apply to IT systems, paper records and physical security.
In terms of your software, you must ensure that the computer or network on which it's installed is secure, for example by keeping the operating system patched, restricting who can log in to the machine and access the software's data files, and keeping backups. If necessary, check with your IT support.
When you submit information to HMRC using Sage Corporation Tax, the data is encrypted while it is being transmitted, so it can't be read in transit. This protects the submission itself; it doesn't replace securing the computer the data is stored on.
Consent
Consent is only one of the lawful bases for processing. If you rely on a different lawful basis for collecting personal data, you don't also need consent, but you should record which basis applies and have policies in place covering when consent is needed and how it's obtained and withdrawn. You can find out more from the ICO website.
Sage Legal Disclaimer
The information contained in this guide is for general guidance purposes only. It should not be taken for, nor is it intended as, legal advice. We would like to stress that there is no substitute for customers making their own detailed investigations or seeking their own legal advice if they are unsure about the implications of the GDPR on their businesses.
While we have made every effort to ensure that the information provided on this website is correct and up to date, Sage makes no promises as to completeness or accuracy and the information is delivered on an “as is” basis without any warranties, express or implied. Sage will not accept any liability for errors or omissions and will not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of or reliance on this information or from any action or decisions taken as a result of using this information.