Fair and lawful processing in a transparent mannerYou need to have a lawful basis for processing personal data. You can find out more about the lawful bases from the ICO website. Sage 200 Professional/Standard is primarily designed to hold the data you need to perform your duties. If you do hold personal data in your software, you should review the purpose for holding the data, and make sure it meets the conditions set out by the GDPR. In many cases, this may be covered by your agreement with your customers and suppliers.
Collected for specified legitimate purposesYour organisation should have procedures in place for identifying the reason for processing a personal data. You need to have a clear and compelling case for why you need to use a person's data and it's good practice to document the reasoning behind your decision. This also applies to data used for marketing purposes. Read more. Adequate, relevant and limited to what's necessaryYou shouldn't collect more data than is necessary for the original purpose. The best practice is to calculate the information you need to achieve your goals and document this. Read more. Right to data portabilityYou should take reasonable steps to ensure the personal data you hold is accurate and up to date and have a process in place to address how you'll maintain the data you're processing and storing, for example, carrying out regular audits. Read more. Kept in a form that permits identification for no longer than is necessaryThe GDPR doesn't set out any specific minimum or maximum periods for keeping personal data, instead, it says you must keep data no longer than is necessary for the purpose you obtained it for. This protects the individual by making sure irrelevant and out of date information is deleted. You should review the length of time you keep personal data for and if you don't already have one, create a retention policy. Once you've identified your retention dates, you need to remove any data that's no longer necessary. To do this, you can overwrite the information in the relevant records to anonymise it, for example, change the contact name to XXX. Processed in a manner that ensures appropriate technical and organisational securityYou should keep the data you hold safe and secure and ensure you have appropriate protection and information security policies, procedures and standards in place. These apply to IT systems, paper records and physical security. Read more. In terms of your software, you must ensure that your computer or network on which it's installed is secure. If necessary, check with your IT support. ConsentIf you have a lawful basis for collecting personal data, you may not always need consent, but you need to have policies in place for this. You can find out more from the ICO website.
Sage Legal DisclaimerThe information contained in this guide is for general guidance purposes only. It should not be taken for, nor is it intended as, legal advice. We would like to stress that there is no substitute for customers making their own detailed investigations or seeking their own legal advice if they are unsure about the implications of the GDPR on their businesses. While we have made every effort to ensure that the information provided on this website is correct and up to date, Sage makes no promises as to completeness or accuracy and the information is delivered on an "as is" basis without any warranties, express or implied. Sage will not accept any liability for errors or omissions and will not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of or reliance on this information or from any action or decisions taken as a result of using this information. |