GDPR - data protection principles and Sage 50 Payroll
Description

You can find more detail about this from the ICO website, but to help you, we've put together some of the key points.

Resolution
Fair and lawful processing in a transparent manner

You need to have a lawful basis for processing personal data. You can find out more about the lawful bases from the ICO website.

The data you submit to HMRC and your pension provider through your Sage software is encrypted so you can be confident it's safe and secure.

Collected for legitimate purposes

You should have procedures in place for identifying the reason for processing personal data. You need a clear and compelling case for why you need to use a person’s data, and it’s good practice to document the reasoning behind your decision. This also applies to data used for marketing purposes.

Adequate, relevant and limited to what's necessary

You shouldn’t collect more data than is necessary for the original purpose. Best practice is to work out the information you need in order to achieve your goals and document this.

Accurate and, where necessary, kept up to date

You should take reasonable steps to ensure the personal data you hold is accurate and up to date. Have a process in place for maintaining the data you're processing and storing, for example, carrying out regular audits.

Keep in a form that permits identification for no longer than is necessary

The GDPR doesn't set out any specific minimum or maximum periods for keeping personal data. Instead, it says you must keep data for no longer than is necessary for the purpose you obtained it for. This protects the individual by making sure irrelevant, out-of-date information is deleted. You should review the length of time you keep personal data for and, if you don't already have one, create a retention policy.

You can easily view your employee's personal data in Sage 50 Payroll and you can also store documents in the employee record. Alternatively, you can record this in your procedures outside of the software.

Once you've identified your retention dates, you need to remove any data that's no longer necessary.

In Sage 50 Payroll, you can manually amend any field that contains personal data. You can also delete an employee record if the employee left more than three years prior to the current tax year.

Processed in a manner that ensures appropriate technical and organisational security

You should keep the data you hold safe and secure and ensure you have appropriate protection and information security policies, procedures and standards in place. These apply to IT systems, paper records and physical security.

In terms of your software, you must ensure that the computer or network on which it's installed is secure. If necessary, check with your IT support.

Under the GDPR, you should no longer send backups via email. If you need to send your data to support, you need to ensure your data is password protected, then upload your backup securely using your My Sage account.

Consent

If you have another lawful basis for collecting personal data, you may not always need consent, but you need to have policies in place for this. You can find out more from the ICO website.

You need to get consent from your employees' emergency contacts to collect their data. Once you have received consent, you can record this in the employee's emergency contacts option:

  1. On the Employee List, double-click the required employee.
  2. Click Emergency Contacts then select the Consent received check box.
  3. Click OK then click Save then click Close.

You can also use the documents option in Sage 50 Payroll to store any documentation of consent.

 


Sage Legal Disclaimer

The information contained in this guide is for general guidance purposes only. It should not be taken for, nor is it intended as, legal advice. We would like to stress that there is no substitute for customers making their own detailed investigations or seeking their own legal advice if they are unsure about the implications of the GDPR on their businesses.

While we have made every effort to ensure that the information provided on this website is correct and up to date, Sage makes no promises as to completeness or accuracy and the information is delivered on an "as is" basis without any warranties, express or implied. Sage will not accept any liability for errors or omissions and will not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of or reliance on this information or from any action or decisions taken as a result of using this information.

 
