GDPR – Your responsibilities with the data you store in Pandle
What is the GDPR?
The General Data Protection Regulation (GDPR) imposes strict controls on how all organisations collect and process personal data within the EU and/or the personal data of EU citizens.
The enforcement of the GDPR is overseen by the UK’s supervisory authority, the Information Commissioner’s Office (ICO). It ensures that everyone is playing by the rules and that the rights of data subjects – the people whose data is being processed – are correctly protected.
We have outlined the role of Pandle and the role of your business under the new GDPR legislation.
We act as a data processor for our customers, with you/your accountant being the data controller.
As a data controller, you need to be able to respond to data requests from your contacts (the data subjects) in Pandle.
As far as the data in Pandle is concerned, this includes:
Keeping data accurate and up to date
Pandle makes it easy for you to maintain an accurate and up-to-date record of your customer and supplier details. When you update information on their customer/supplier account, Pandle automatically pulls the latest information through to any new quotes or invoices.
This only applies to newly created documents, however. Any historic quotes or invoices stored in Pandle will still contain the information that was correct at the time you created them. This is because HMRC says that you need to keep full copies of your historic information.
Providing a copy of an individual’s data
Using the export features on Pandle makes it easy to create a copy of all the data you hold for a customer or supplier. This feature exports all customer or supplier data from within your Pandle account.
Deleting customer/supplier data
If one of your customers or suppliers asks for their information to be permanently removed from your records, they have the right to have their data deleted as fully as possible. Under GDPR this is the responsibility of the data controller, so if your customer or supplier asks us to remove this information directly, we have to refer them back to you.
However, your legal obligations to HMRC come before an individual’s ‘right to be forgotten’ under GDPR. This means you should hold their data for at least a period of 6 or 7 years to satisfy HMRC’s requirement for you to retain records for this time period.
If this time period has elapsed and you want to delete a customer/supplier’s information from Pandle, how easy this is depends on the following:
If the customer/supplier has not had any transactions through their account in Pandle then you can simply go to Enter Transactions and click the red delete button next to the relevant customer/supplier.
If your customer/supplier has had previous transactions then these would need to be deleted first. The problem with deleting historic transactions is that your data will be affected and may become inaccurate.
As a result of this, we will soon be adding the ability for users to remove all personal data they hold for customers/suppliers without affecting transactions; effectively, the personal data will become anonymous.