Data protection by design

On 25 May 2018 the EU General Data Protection Regulation (GDPR) replaces the 1995 EU Data Protection Directive. The GDPR strengthens the rights that individuals have regarding personal data relating to them and seeks to standardise data protection laws across Europe. The GDPR applies to the processing of personal data of individuals in the EU regardless of where that processing takes place, so it is important to understand that it may also affect your organisation even if it is not established in an EU member state.

You can be assured that Accounting Office Software is committed to GDPR compliance. We are also committed to helping our customers comply with the GDPR by providing stringent privacy and security protections that are built into our service and contracts.

Data Controllers and Data Processors

Customers will typically act as the Data Controller for any personal data they provide to Accounting Office Software regarding their use of our services. The Data Controller determines the purposes and means of processing personal data, whilst the Data Processor processes data on behalf of the Data Controller.

Accounting Office Software is a Data Processor and processes personal data on behalf of the Data Controller when the customer uses either the hosting solution or the training or support facilities at Accounting Office Software.

Data Controllers are responsible for implementing appropriate technical and organisational measures to ensure and demonstrate that any data processing is performed in compliance with the GDPR legislation.

Data Controllers’ obligations relate to principles such as lawfulness, fairness and transparency, purpose limitation, data minimisation, and accuracy, as well as fulfilling data subjects’ rights with respect to their data.

If you are a Data Controller, you may find guidance related to your responsibilities under GDPR by regularly checking the website of your national or lead data protection authority.

You should also seek independent legal advice relating to your status and obligations under the GDPR, as only a lawyer can provide you with guidance specifically tailored to your situation. Please bear in mind that nothing contained in this document is intended to provide you with, or should be used as a substitute for, legal advice.

Where should you start?

As a current or future customer of Accounting Office Software, now is a good time for you to begin preparing for the GDPR. Here are some considerations:

  • Firstly, familiarise yourself with the provisions of the GDPR, especially the differences from your current data protection obligations;
  • Consider creating an updated inventory of personal data that you handle;
  • Review your current controls, policies and processes to assess whether they meet the requirements of the GDPR. If not, build a plan to address any areas that need amending;
  • Consider how Accounting Office Software products could be used to support your data protection obligations, and ensure you are using the system securely;
  • Monitor updated regulatory guidance as it becomes available;
  • Consult a lawyer to obtain legal advice specifically applicable to your business circumstances.

Accounting Office Software commitments to the GDPR

Alongside other duties, Data Controllers are required to use only Data Processors that provide sufficient guarantees to implement appropriate technical and organisational measures so that data processing will meet the requirements of the GDPR.

Here are some aspects you may want to consider when conducting your assessment of Accounting Office Software:

OUR POLICIES
Our data processing agreements for Accounting Office Software products articulate our privacy commitments to customers. The terms have been amended over the years to reflect feedback from customers and regulators. We plan to update our terms specifically to reflect the GDPR, and will make these updates available in advance of the GDPR coming into force to facilitate our customers’ compliance assessment and GDPR readiness when using Accounting Office Software products. The updated terms will take effect from 25 May 2018, when the GDPR comes into force.

FUNCTIONALITY
My.N provides the functionality needed to support your compliance with the GDPR, including the deletion, retention and export of personal data. The method we use for deletion and retention of data is designed to be acceptable for use under the GDPR. This gives our customers assurance that they are using software and services that will help them meet their obligations by 25 May 2018; compliance itself remains the responsibility of the Data Controller.

PROCESSING ACCORDING TO INSTRUCTIONS
Any data that a customer and its users put into our systems will only be processed in accordance with the customer’s instructions, as described in our current as well as our GDPR-updated data processing agreements.

EMPLOYEE CONFIDENTIALITY
All permanent and temporary employees are bound by confidentiality and non-disclosure terms within their employment terms and are also subject to data protection, security and training policies. Fixed-term or open-ended contractors who fall outside normal employment contracts are similarly bound by confidentiality terms within their contract and a separate non-disclosure agreement, as well as the Company’s data protection, security and training policies.

DATA MANAGEMENT
Administrators can delete any personal data via the functionality of the Accounting Office Software products at any time during the term of the agreement. Administrators also have the ability to export data into a variety of formats using the integrated report builder.

For support, training and implementation.

DATA SUBJECT RIGHTS
The My.N system allows the Administrator to export selected data at any time, using a variety of export methods and formats, which supports responding to data subjects’ access and portability requests. Decisions on how to implement consent, where consent is the lawful basis you rely on, fall under the responsibility of the customer as Data Controller; however, we can provide training on those areas of My.N on request.