Happened to be working in Sage Online and noticed Sage allows you to set a data retention period to allow you to both comply with GDPR and get rid of data that has passed its statutory retention period. I've asked Xero on several occasions about this, but they seem disinterested. Some of my clients have been on Xero for over 10 years now. This probably applies to other vendors too.
Related resources
Replies (5)
Please login or register to join the discussion.
Whether Xero are disinterested or uninterested ... I'm not sure what it is that you'd like them to do (as I haven't seen the Sage example to which you refer).
The problem with GDPR (at least in this context) is that there are no "statutory retention periods".
There are items that have such minimum retention periods outside of GDPR just as there others that have no statutory retention requirements at all ... but all that GDPR does (in simplistic terms) is to impose a responsibility on the organisation to come up with their own clear policies on data retention (based primarily on business needs for varying types of data) - and then both communicate and consistently comply with those policies.
So two different organisations can quite legally have entirely different retention period policies for the same types of data.
Then there are the 'right to erasure' (aka right to forget) requests that may be received from current or past employees/clients/etc ... which is where life gets really fun (so let's leave that for another day)!
Although GDPR requires you to keep personal data for no longer than is necessary, I would regard the statutory limit as a cutoff. So all I would want Xero to do is provide a way of archiving old data.
You are right that GDPR is a separate topic, not least if a client sued you for a cloud platform data breach caused by a Xero hack, could you sue them in turn?
Why is this your problem? The xero records are your clients records . Your client has just allowed you access .
The Sage settings relate to the client’s retention policies for customer and suppliers details. They are designed to help the client comply with GDPR.
Its my problem on their behalf then. What do you with client papers when they reach the 7 year retention period. I either offer to send them back, or destroy them. Just becuase records are digital it doesn't mean they should exist forever.
