General Data Protection Regulation (GDPR) is the European Union data protection law that came in to effect on May 25, 2018. It sets out businesses’ responsibilities in relation to the personal data they collect and hold, it also governs the processes businesses use for managing that personal data.

GDPR – Individual rights and Sage Accounting

Under the General Data Protection Regulation (GDPR) individuals have increased rights over the personal data you hold on them. This includes the right to know why you’re holding their data and what you’re using it for, as well as the right to request the data is rectified or destroyed.

is mainly designed to hold the data you need to carry out your duties. However, if you are using it to process personal data, you need to make sure you’re aware of an individual’s rights.

You can find out more detail about each right from the ICO website.

Right to be informed

You must tell people what you’re doing with their personal data, this includes any data that you hold. Your company would normally need a privacy statement or notice to cover this. You can find out more about what type of information you need to inform individuals about from the ICO website.

Right of access

Individuals have a right to access their personal data, so they are aware of what data you hold and what you’re holding it for. They have a right to:

  • Confirmation that you’re processing their data.
  • Access their personal data.
  • Access other supplementary information.

If an individual sends you a subject access request, you must send them the relevant information. Read more >

Right to rectification

You must make sure that the personal data you hold for individuals is accurate and kept up to date. If an individual asks you to correct their data, you must update this in your software. You must respond to the individual within one month, or two months if the request is complex.

You can edit the records that may hold information about individuals, such as their name and email address.

Right to erasure (right to be forgotten)

Unless there’s another legal reason for keeping personal data, you must delete or remove the data at the request of the individual.

You can edit the records that may hold information about individuals, such as their name and email address.

Right to restrict processing

Individuals have a right to block or suppress processing of their personal data. If they request this, you can still store their personal data, but you can’t process it further. You can keep just enough information about them to make sure the restriction is respected in the future. Read more >

If necessary, you can amend information within a record to anonymise or remove the non-relevant information.

Right to data portability

If an individual has provided their personal data to you on the basis of consent or contract, they have a right to request that the data is returned to them in a structured, commonly-used and machine-readable format. Machine-readable means the information is structured so that other software can extract the data for example, in an Excel or CSV file, rather than a Word or PDF document. Read more >

Right to object

Individuals have a right to object to you processing their personal data. This is mainly aimed at using their data for direct marketing, including profiling, however there are other legitimate reasons for objecting. Read more >

Right not to be subject to automated decision making, including profiling

Individuals have a right to object to being subject to a decision based solely on automated processing, including profiling. If you use an automated decision-making system, it should allow for a human intervention. Read more >

GDPR data protection principles

Under the General Data Protection Regulation (GDPR), you need to make sure you have policies and procedures in place to cover the data protection principles. You can find more detail about this from the ICO website, but to help you, we’ve put together some of the key points.

Fair and lawful processing in a transparent manner

You need to have a lawful basis for processing personal data. You can find out more about the lawful bases from the ICO website.

The data you submit to HMRC through is encrypted so you can be confident it’s safe and secure.

Collected for legitimate purposes

You should have procedures in place for identifying the reason for processing personal data. You need to have a clear and compelling case for why you need to use a person’s data and it’s good practice to document the reasoning behind your decision. This also applies to data used for marketing purposes. Read more >

Adequate, relevant and limited to what’s necessary

You shouldn’t collect more data that is necessary for the original purpose. The best practice is to calculate the information you need in order to achieve your goals and document this.

Accurate and, where necessary, kept up to date

You should take reasonable steps to ensure the personal data you hold is accurate and up to date and have a process in place to address how you’ll maintain the data you’re processing and storing, for example, carrying out regular audits. Read more >

Keep in a form that permits identification for no longer than is necessary

The GDPR doesn’t set out any specific minimum or maximum periods for keeping personal data, instead, it says you must keep data no longer than is necessary for the purpose you obtained it for. This protects the individual by making sure irrelevant out of date information is deleted. You should review the length of time you keep personal data for and if you don’t already have one, create a retention policy

For guidance on what length of time to set your retention periods to, please refer to the following HMRC articles:

Once you’ve identified your retention dates, you need to remove any data that’s no longer than necessary, by editing the records or deleting the records.

Processed in a manner that ensures appropriate technical and organisational security

You should keep the data you hold safe and secure and ensure you have appropriate protection and information security policies, procedures and standards in place. These apply to IT systems, paper records and physical security. Read more >

In terms of your software, you must ensure that the device and Internet browser you’re using to access is secure. If necessary, check with your IT support.


If you have another lawful basis for collecting personal data, you may not always need consent but you need to have policies in place for this. You can find out more from the ICO website.