
Know Your General Data Protection Regulation (GDPR)

Share the Message. Share the Responsibility. #IProtectData

General Data Protection Regulation and Sage Asia

Our promise to you

The General Data Protection Regulation ("GDPR") is the new legal framework that will come into effect on the 25th of May 2018 in the European Union ("EU"), and will be directly applicable in all EU Member States from that date. The GDPR's focus is the protection of personal data, i.e. data about individuals, and builds on existing data protection laws, setting out the responsibilities of businesses in relation to the personal data they collect, hold, transmit and otherwise use.

The GDPR is extra-territorial in nature and applies not just to organisations within the EU who process the data of individuals but also organisations outside the EU who offer goods or services to individuals in the EU, or who monitor the behaviour of individuals in the EU. Because the EU is a trading partner of most countries, the GDPR's wider scope means it has implications for many businesses worldwide, and will effectively require them to be compliant if they wish to operate in EU member states either directly or as a third-party for others.

As one example, if a company based in Asia or the United States, or another non-EU country, collects or processes personal data of any employee, prospect, customer, partner, or supplier that is based in the EU, that company will need to be compliant with the GDPR.

Sage has a project team focusing on the implementation of GDPR, and that project is endorsed by the Sage Board.

In addition, Sage has robust governance procedures in place to manage the implementation of GDPR including a Data Governance Committee comprising many key stakeholders to ensure all areas of our business will be ready for GDPR from the date of enforcement in May 2018.


Get started with our
free GDPR guide

Sage has produced this GDPR guide to help you better understand:

- Important terms
- Basic principles
- Actions you can take now


Get up to speed quickly with these infographics:

- Key features of the GDPR
- Protect personal data through the business day

Watch these "GDPR for business" videos to learn more:

- Summary Video
- In Depth Video

Important things your business needs to know about GDPR

Unsurprisingly, businesses have many questions about GDPR - ranging from how it should be implemented to how it will impact their day-to-day work. Here are the answers to some frequently asked questions.
My business is not based in the European Union. Am I affected?
The GDPR affects any business worldwide that processes the data of individuals in the European Union (EU). If you are offering goods or services to individuals in the EU or monitoring their behaviour, you will probably need to employ a representative within the EU to handle GDPR inquiries.

Additionally, you must contact the appropriate authorised government organisations of the countries in the European Union where you offer goods or services and make inquiries to see if this is a requirement for your business.

Before enforcement of the GDPR, it's difficult to predict the consequences for businesses outside the EU that contravene the GDPR, but they could include being prohibited from transacting business within the EU until compliance is demonstrated, which could take some time. This could affect not only sales but also suppliers. Please refer to the below examples for more information about the EU General Data Protection Regulation:

Please reach out to your local Data Protection Commission if you need further clarifications.

Does my business need to become 'GDPR certified'?
No. The wording of the GDPR doesn't specify or mandate a certification system, but it does encourage voluntary certification via industry bodies or organisations compliant with ISO/IEC 17065:2012, an internationally recognised standard.

Becoming GDPR-certified is encouraged because it provides guarantees relating to technical and organisational security measures, among other things, and it is particularly important for third parties that process data on behalf of others.

What's the deadline for the GDPR?
The GDPR goes into effect on May 25, 2018. There's no grace period or overlap for your business when this happens, so you must ensure your business is ready by then.

Will my business have to undergo GDPR audits or inspections?
There’s no requirement within the GDPR for regular governmental audits or inspections but supervisory authorities do have the right to carry out audits as part of their investigatory powers. However, this isn’t to say self-imposed audits or inspections aren’t a very good idea or even a de facto requirement for GDPR compliance.

For third parties providing data processing services to others, the situation is a little more complicated. They will have to make available to the company employing them all information necessary to demonstrate compliance with their obligations under the GDPR. They must also allow for and contribute to any audits, including inspections, that the business employing them mandates.

However, the GDPR does introduce significant and onerous new requirements for record keeping for all businesses. It’s not enough to merely comply with the GDPR. Any business must be able to prove it’s doing so.

Note that there’s a possibility that governments might implement formal, regular audit processes when they implement the GDPR within national laws.

I’m a sole trader, does the GDPR affect me?
Yes. The GDPR affects anybody or anything engaged in an economic activity and that processes personal data – and even organisations such as partnerships, charities or clubs/societies. It doesn’t matter if this entity is legally recognised or not.

Are products from Sage ready for the GDPR?
Sage is working to ensure all its active products are GDPR-ready. Sage recommends users ensure they are running the latest versions of software.

Specifically, to assist organisations to meet their GDPR obligations, Sage may continue to provide additional enhancements and so customers are advised to periodically review the latest available version and install updates as appropriate. Customers running cloud products, such as those within the Sage Business Cloud, will benefit from always running the latest versions of software.

In a nutshell, how does the GDPR differ from existing data protection legislation?
To be blunt, the differences are so extensive that it's impossible to sum them up in a quick answer. General Data Protection Regulation: The Sage Quick Start Guide for Businesses provides a concise and readable overview.

What are the consequences of not following the GDPR protocol?
Your business might be fined up to 4% of annual global turnover. Notably, it’s possible to breach the GDPR outside of having an actual data loss.

How much will the GDPR cost my business?
Expenses for an average business are likely to include some if not all of the following:

• Audits of all processes in all departments, ideally by a qualified individual or business
• Modifications such as staff retraining and information technology adaptations
• Potentially appointing and training a Data Protection Officer (DPO; see Q10 below)
• Setting-up and maintaining continual documentation processes demonstrating compliance with the GDPR
• Voluntary certification costs, especially if your business processes data on behalf of other companies (see Q2 and Q4 above, remembering that you should only use certification bodies that are compliant with EN-ISO/IEC 17065:2012 and that have been authorised by the relevant supervisory authorities).

Will I need to appoint a Data Protection Officer (DPO)?
Some types of businesses will have to do so. Examples include if your business is a public authority, if your core activities involve the monitoring of individuals on a large scale (including profiling), or if you handle data in special categories such as medical data or data relating to criminal convictions and offences.

Your Data Protection Officer could be an existing employee or you could contract somebody from outside of your business, but you’ll have to inform the government contact who they are and they will also need to be properly trained.

Sage Legal Disclaimer

The information contained on this website is for general guidance purposes only. It should not be taken for, nor is it intended as, legal advice. We would like to stress that there is no substitute for customers making their own detailed investigations or seeking their own legal advice if they are unsure about the implications of the GDPR on their businesses. While we have made every effort to ensure that the information provided on this website is correct and up to date, Sage makes no promises as to completeness or accuracy and the information is delivered on an “as is” basis without any warranties, express or implied. Sage will not accept any liability for errors or omissions and will not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of or reliance on this information or from any action or decisions taken as a result of using this information.