Connecting apps to accounting software and GDPR

Xero add-ons - GDPR

Do you ask your clients for permission each time you want to connect a new app to their Xero account, in order to give them better services and advisory reports? Examples of those apps: Futrli, Float, Vistr, cashflowcafe etc. If you connected a client without their written consent, would that breach GDPR rules?

Replies (4)

By Mr_awol
08th Feb 2019 12:48

Spooky - just read this on Facebook and then came on AWeb and got a distinct feeling of déjà vu.

Our engagement letter sets out in the confidentiality and Data Protection sections how we might store, share, or process data, and also states that we may subcontract aspects of our work to other professionals or software providers (not that we ever subcontract but covers us just in case).

Overall I think we are covered for authorisation but I'd say we still have a duty to ensure that we have the relevant agreements in place with suppliers, via their terms and conditions or direct agreement, before we go loading up client data.

Generally I tend to set out what I'm doing anyway - if the add-on is going to cost the client then they need to know in advance, and if it's free (or not being recharged because I'm swallowing it) then I want them to know how much they'd be paying if they bought it themselves! So, it would be rare that I'd connect anything without the client knowing one way or another.

Thanks (1)
By adam.arca
08th Feb 2019 13:18

I'm no expert on GDPR so take my random thoughts below with a barrel-load of salt.

I can see both sides of the argument here. On the one hand, if I were your client, I wouldn't want you signing me up to anything without my specific permission, or at the very least the courtesy of telling me what you were doing with my data; I also wouldn't be happy (this is a personal POV, I'm sure lots of clients would just accept this) with you saying you were covered by some terms in your letter of engagement which I most likely wouldn't have read.

That's all a pain in the rear for you as a business trying to provide a service but it is also (I think) what the spirit of GDPR intends.

On the other hand, I (and presumably everybody else) have to click through privacy notices on just about every new website I visit these days (and some of the football forums I go on seem to want it every other visit) and I am presumably agreeing to terms there which allow them to use the data they harvest about me without any further reference to me. I've certainly heard nothing back from any of these operations if / when they have moved my data on to a 3rd party yet those websites presumably believe they've done enough to meet the GDPR requirements.

So I suppose it depends on how close to the wind you want to sail (until we see the result of some GDPR enforcement action by ICO) and what sort of relationship you want with your clients.

Thanks (1)
Replying to adam.arca:
By Mr_awol
11th Feb 2019 15:06

adam.arca wrote:

On the one hand, if I were your client, I wouldn't want you signing me up to anything without my specific permission, or at the very least the courtesy of telling me what you were doing with my data; I also wouldn't be happy (this is a personal POV, I'm sure lots of clients would just accept this) with you saying you were covered by some terms in your letter of engagement which I most likely wouldn't have read.

Perhaps - but I'm not sure that's the same context in which I was talking about the matter.

Our terms state that we will keep the records, prepare the accounts, etc etc etc. What they don't say, is that we will use SAGE/Xero/ReceiptBank or any other specific software package. We provide the service and it's up to us whether we use IRIS/Digita/etc. I see no reason why the client should have any say in that.

Our terms also say that we will only use the data for the relevant purpose, and that if we use cloud/external software systems, then we will ensure confidentiality is maintained. As such, I wouldn't expect the client to object that we've used an add-on such as ReceiptBank and wouldn't request their authorisation to do so (although I would make sure they know I was using my own account and saving them £20 per month, if I chose to do so without re-charging them).

Thanks (1)
Replying to Mr_awol:
By adam.arca
12th Feb 2019 11:12

Yes, you're right, it wasn't the same context and no criticism was intended.

The thing is that I'm a bit of a tech dinosaur and, in that respect, am probably not too different from a lot of middle aged clients. I wasn't even aware until I asked about Xero a year or two ago on here that the big "thing" it has is not the program itself (which I personally think is dogsh*te) but the whole environment of add-ons, plug-ins and whatever. If I didn't know this then I can be absolutely sure that the average non tech-savvy client won't either.

If these plug-ins involve data transfer (I don't know if they do but am guessing that may be the case from what you have said), then the risk of a data breach increases exponentially with every one. I know I wouldn't feel comfortable with that if it were my data.

So, in terms of the OP and GDPR issues, I personally do see a potential problem there. We can't know if it will ever be a real problem until ICO gets off its [***] and publishes some real life guidance and / or some enforcement action.

Thanks (1)