GDPR data protection principles and Sage Personal Tax

Under the General Data Protection Regulation (GDPR), you need to make sure you have policies and procedures in place to cover the data protection principles. You can find more detail about this from the ICO website, but to help you, we’ve put together some of the key points.

Fair and lawful processing in a transparent manner

You need to have a lawful basis for processing personal data. You can find out more about the different lawful bases from the ICO website.

Sage Personal Tax is primarily designed to hold the data you need to perform your duties. If you do hold personal data in your software, you should review the purpose for holding the data, and make sure it meets the conditions set out by the GDPR. In many cases, this may be covered by your agreement with your client.

When you submit information to HMRC using Sage Personal Tax, only the information relevant to the submission is sent.

Sage Personal Tax collects information to aid in product development. Any information shared with us is anonymised, however, you can choose to opt out of sharing this information with us. Read more

Collected for specified legitimate purposes

Your practice should have procedures in place for identifying the reason for processing personal data. You need to have a clear and compelling case for why you need to use a person’s data and it’s good practice to document the reasoning behind your decision. This also applies to data used for marketing purposes. Read more

Adequate, relevant and limited to what’s necessary

You shouldn’t collect more data than is necessary for the original purpose. The best practice is to calculate the information you need to achieve your goals and document this. Read more

Accurate and, where necessary, kept up to date

You should take reasonable steps to ensure the personal data you hold is accurate and up to date and have a process in place to address how you’ll maintain the data you’re processing and storing, for example, carrying out regular audits. Read more

Kept in a form that permits identification for no longer than is necessary

The GDPR doesn’t set out any specific minimum or maximum periods for keeping personal data, instead, it says you must keep data no longer than is necessary for the purpose you obtained it for. This protects the individual by making sure irrelevant or out of date information is deleted. You should review the length of time you keep personal data for and if you don’t already have one, create a retention policy.

Once you’ve identified your retention dates, you need to remove any data that’s no longer necessary. To do this, you can overwrite the information in the relevant records to anonymise it, for example, change the client name to XXX.

If you need to remove data, you can:

  • Delete a client
  • Delete online filing history

You can remove clients from your client list in Accounting Partner Edition if there are no active service subscriptions associated with them. Learn how to remove your access to a client’s data.

Processed in a manner that ensures appropriate technical and organisational security

You should keep the data you hold safe and secure and ensure you have appropriate protection and information security policies, procedures and standards in place. These apply to IT systems, paper records and physical security. Read more

In terms of your software, you must ensure that your computer or network on which it’s installed is secure. If necessary, check with your IT support.

When you submit information to HMRC using Sage Personal Tax, the data is also encrypted so you can be confident it’s safe and secure.


If you have a lawful basis for collecting personal data, you may not always need consent, but you need to have policies in place for this. You can find out more from the ICO website

Sage Legal Disclaimer

The information contained in this guide is for general guidance purposes only. It should not be taken for, nor is it intended as, legal advice. We would like to stress that there is no substitute for customers making their own detailed investigations or seeking their own legal advice if they are unsure about the implications of the GDPR on their businesses.

While we have made every effort to ensure that the information provided on this website is correct and up to date, Sage makes no promises as to completeness or accuracy and the information is delivered on an “as is” basis without any warranties, express or implied. Sage will not accept any liability for errors or omissions and will not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of or reliance on this information or from any action or decisions taken as a result of using this information.

Did you find this helpful?

Still need help?

Ask the Sage City community. Sage City is the place to ask questions, share tips and ideas, get practical advice and all the breaking news. Alternatively, find out other ways of getting in touch.

Visit Sage City