Table of Contents

GDPR Statement 14 May 2018

GDPR explanation for small businesses and their advisors …………………………………………. 2

What is GDPR?…………………………………………………………………………………………………………2

What does GDPR mean?……………………………………………………………………………………………2

GDPR and data protection ……………………………………………………………………………………….. 2

Does GDPR affect data security?…………………………………………………………………………………3

Summary of GDPR for small business ………………………………………………………………………..3

What is Control-C doing about GDRP? ……………………………………………………………………… 3

What is next for GDPR at Control-C? ………………………………………………………………………… 4

Control-C FAQ’s for GDRP ……………………………………………………………………………………….. 4

Control-C – GDPR Document, 14 May 2018

GDPR explanation for small businesses and their advisors What is GDPR?

What does GDPR mean?

Although GDPR might seem scary at first, many see it as a positive step forward for data protection. Some of the key areas GDPR covers are:

• personal data about EU-based people (absolutely all of it)
  This includes your customers, employees, suppliers and any other individual you collect personal data from. Personal data includes names, contacts, medical information, credit card or bank account details and more.
• how you collect personal data
  You can only collect personal data if you have a legal reason to do so. You might need it for a sales contract, for example. Or your customer may have asked you to send them some information on your product or service. In all cases, you must make it clear what the personal data will be used for – and only use it for that purpose.
• user contracts and terms and conditions (on websites, for example)
  These need to be simple, clear and easy to understand – with no complicated legal text.
• the right to know
  Individuals can ask a business what information is being held about them. This isn’t a new right, but organisations must now respond within one month and can’t charge a fee (which they used to be able to do).
• the right to erasure
  Customers can ask a company to delete all stored personal data about them, unless the company needs to keep that information for legal reasons, such as tax.
• data portability
  Individuals can request a digital copy of their personal data to use however they like, including transitioning to a new service provider.
• data breach
  You’re obliged to report certain types of data breach to the relevant supervisory authority.The UK government will be replicating GDPR into UK law prior to Brexit, so if you’re a UK company, Brexit won’t impact your obligation to comply.GDPR and data protection

  It’s important to understand the spirit of GDPR. The legislation came into existence because of the way personal data has been treated in the past. Many companies treated personal data as a resource they could utilise without regard to the rights of individuals.

  For example, some companies sold customers’ email addresses, allowed sensitive data to be seen by unauthorised people, and failed to adequately protect data against hackers.

The GDPR comes into force in May 2018. It’s a wide-ranging regulation designed to protect the

privacy of individuals in the European Union (EU) and give them control over how their personal

data is processed, including how it’s collected, stored and used. It affects every company in the

world that processes personal data about people in the EU.

2

Control-C – GDPR Document, 14 May 2018

GDPR gives control of personal data back to the people who own it and requires organisations to make data protection a core part of their operations and processes. This is likely to affect big, data-driven organisations first. But small businesses aren’t exempt. We’ve set out some steps below that you can take to make sure you’re prepared.

Does GDPR affect data security?

Data security is a big part of GDPR. If you process personal data of people in the EU you have a duty to keep it safe so it’s important to ensure that any personal data held by you is securely stored.

GDPR also governs where companies store personal data, and what safeguards you must have in place in order to store and process that personal data outside of the EU. For example, if you’re transferring personal data to a US-based company (that will store and process it in the US), you should check that they’re certified with Privacy Shield, which is a mechanism designed to allow data transfers from the EU to the US.

Summary of GDPR for small business

There are many aspects to GDPR, but it really boils down to being clear and ethical with the personal data you process – that means treating it as you’d treat something valuable of your own. Some initial practical steps you can take to get GDPR compliant are:

Check products and services

• Check which of your products or services collect and process personal data.
• Ensure you have a legal basis for the processing of personal data.
• Ensure you can comply with the obligations to your customers as set out in the GDPR (suchas the right of access and the right of erasure).Review notices and contracts

• Update your internal and external notices for GDPR compliance.
• Ensure your customer contracts are GDPR compliant. Assign responsibility

• Make someone in your organisation responsible for data protection and privacy.
• Consider whether you need to appoint a Data Protection Officer – check out theICO’s guidance for more info.
• Provide data protection training for staff.Take care over securityEnsure systems that collect, process and store personal data are secure.

  What is Control-C doing about GDRP?

  We take our responsibilities under GDPR seriously. That’s why we’ve embarked on a programme to identify which measures we need to implement to be compliant with GDPR, and are working to implement them in time for 25 May this year. Here is a quick summary of what we’ve done to date:

• We conducted a comprehensive GDPR audit and gap assessment. Following the gap assessment, we created an internal roadmap to work towards compliance with GDPR by 25 May 2018
• We have completed our internal education program to deliver GDPR-focused training across key areas of the business, so that they’re aware of what GDPR requires and how it impacts their day-to-day roles
• Together with our developers we have identified necessary changes/improvements to our product and are working to implement those.

3

Control-C – GDPR Document, 14 May 2018

• We are well underway with engaging all third-party vendors to make sure we have the appropriate contractual protections in place that satisfy GDPR requirements
• We’re refining procedures to deal with some key data subject rights, like subject access requests and the right to request deletion
• We’ve produced a GDPR compliant Data Processing Addendum (for more information see the FAQs below)What is next for GDPR at Control-C?

• Continual awareness, understanding of GDPR and other security aspects.
• Development of new and easier tools to let you access all your data stored with Control-C.Control-C FAQ’s for GDRPWhere does Control-C store customer data?

  Like many cloud providers, Control-C uses a highly reputable 3rd party data hosting provider with servers located in New Zealand to host and store our service.

  Will Control-C be storing EU customer data in the EU?

  Control-C has no plans to store data in the EU, and this is not required under GDPR. Instead, GDPR requires companies to implement appropriate safeguards when they export personal data out of the EU.
  Control-C makes sure that it complies with EU data export restrictions when it exports data outside of the EU, and has completed a full audit to ensure compliance with GDPR.

  Control-C is currently developing additional function to allow customers to choose DropBox, GoogleDrive, or OneDrive as secondary storage locations, that can by synchronised to customer own devices and servers. Customers will need to consider GDPR implications of this and the GDPR compliance of the chosen secondary cloud storage provider.

  How does Control-C comply with EU data export restrictions?

  When personal data is hosted or processed outside of the European Economic Area by Control-C, GDPR requires that it remains protected by appropriate safeguards in line with EU law.

• All data is processed in New Zealand (where our Headquarters are located).
• New Zealand is recognised by the EU as an ‘adequate’ country (i.e. safe country) to receiveand process EU personal data, pursuant to European Commission Decision 2013/65/EU.What measures does Control-C have in place to protect data?

  Protecting our customers data is paramount to everything we do.

• Control-C uses only Xero certified developers, and has a storage and networking architectureapproved by Xero themselves.
• Our networking is built to international best practices, with comprehensive security andseparation built-in by design.
• Data from Xero is encrypted in transit and encrypted when stored.
• Our data design means that even we cannot see our customers Xero data or attachments –unless they actually add us as an authorised user in the customer portal.Does Control-C have a GDPR compliant Data Processing Agreement/Addendum for us to sign?

• Yes, you can review and sign a copy of Control-C’s Data Processing Agreement – attached with this email. Instructions for execution are set out in the Addendum. If you have any questions about its contents you can email privacy@control-c.com

4