
GDPR - Data protection principles and Sage 50 Accounts



Under the General Data Protection Regulation (GDPR), you need to make sure you have policies and procedures in place to cover the data protection principles. We've put together some of the key points.


NOTE: You can find more detail about GDPR from the ICO website.

Fair and lawful processing in a transparent manner

You need to have a lawful basis for processing personal data. You can find out more about the lawful bases from the ICO website.

Sage 50 Accounts is primarily designed to hold the data you need to perform your duties. If you do hold personal data in your software, you should review the purpose for holding the data, and make sure it meets the conditions set out by the GDPR. In many cases, this may be covered by your agreement with your customers and suppliers.

When you submit information to HMRC using Sage 50 Accounts, only the information relevant to the submission is sent.

Collected for specified legitimate purposes

Your organisation should have procedures in place for identifying the reason for processing personal data. You need to have a clear and compelling case for why you need to use a person's data, and it's good practice to document the reasoning behind your decision. This also applies to data used for marketing purposes.

Adequate, relevant and limited to what's necessary

You shouldn't collect more data than is necessary for the original purpose. The best practice is to calculate the information you need in order to achieve your goals and document this.

Accurate and, where necessary, kept up to date

You should take reasonable steps to ensure the personal data you hold is accurate and up to date. You should also have a process in place for maintaining the data you're processing and storing, for example, carrying out regular audits.

Kept in a form that permits identification for no longer than is necessary

The GDPR doesn't set out any specific minimum or maximum periods for keeping personal data. Instead, it says you must keep data no longer than is necessary for the purpose you obtained it for. This protects the individual by making sure irrelevant or out-of-date information is deleted. You should review the length of time you keep personal data for and, if you don't already have one, create a retention policy.

You can easily view customer and supplier data in Sage 50 Accounts by browsing their records, and you can also use a custom field to record retention dates for your information. Alternatively, you can record this in your procedures outside of the software.

Once you've identified your retention dates, you need to remove any data that's no longer necessary by editing or deleting the records.

Processed in a manner that ensures appropriate technical and organisational security

You should keep the data you hold safe and secure and ensure you have appropriate protection and information security policies, procedures and standards in place. These apply to IT systems, paper records and physical security.

In terms of your software, you must ensure that the computer or network on which it's installed is secure. If necessary, check with your IT support.


If you have another lawful basis for collecting personal data, you may not always need consent, but you need to have policies in place for this. You can find out more from the ICO website.

If you do need consent, you can record this within the software using one of the custom fields to indicate the client has given consent. Alternatively, you may have a process outside of your software for recording this.


Sage Legal Disclaimer

The information contained in this guide is for general guidance purposes only. It should not be taken for, nor is it intended as, legal advice. We would like to stress that there is no substitute for customers making their own detailed investigations or seeking their own legal advice if they are unsure about the implications of the GDPR on their businesses.

While we have made every effort to ensure that the information provided on this website is correct and up to date, Sage makes no promises as to completeness or accuracy and the information is delivered on an "as is" basis without any warranties, express or implied. Sage will not accept any liability for errors or omissions and will not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of or reliance on this information or from any action or decisions taken as a result of using this information.