What is GDPR?

The General Data Protection Regulation (GDPR) is a data protection regulation that replaces Europe's previous Data Protection Directive. GDPR was agreed and adopted in 2016 and came into effect on 25 May 2018.

GDPR seeks to make data protection regulations more relevant, comprehensive and unified. It affects every accounting firm (and company) in the world that processes personal data about people in the European Union.

What changed?

GDPR was a significant change, but it is also a great opportunity for you to assess your firm's current data processing activities and ensure you are protecting your clients' data appropriately.

At a high level, GDPR requires the following of your accounting firm:

  • Demonstrable compliance: you are required to document and be able to show how you comply with data protection requirements
  • Enhanced client rights: new data protection rights for individuals (your clients) will be introduced, including their right to obtain and reuse personal data, and the right of erasure
  • Privacy design: you must implement technical and organisational measures to demonstrate you have considered and integrated data compliance measures into your data processing activities

Is Karbon GDPR compliant?

We take our responsibilities under GDPR seriously, and have ensured that we are GDPR-compliant.

Here is an outline of the relevant GDPR articles, with a summary of the measures we have implemented to ensure Karbon is compliant.

Article 17 & Article 18 — Data portability & right to erasure

  • Karbon customers can export their clients, contacts and work items from within the Karbon app. All emails are already stored with their email provider.
  • On request, all data can be erased from a Karbon account at any point.
  • If there is a need to erase data for a specific contact or client, Karbon customers are able to do this themselves. For erasure of multiple contacts, customer support is able to perform bulk deletions on request.
  • Karbon will notify all EU customers of a data breach within 72 hours of it coming to our attention.

Articles 23 & 30 — Have in place a "reasonable data protection measure"

  • Karbon has 256-bit website encryption. OAuth is used for Microsoft Office365 or Exchange customers, and Google Apps authentication used for Google Business users.

Articles 33 & 33a — Internal audits

  • Karbon conducts regular internal audits with an outside provider.

Article 35 — All companies need to appoint a data protection officer.

  • The data protection officer of Karbon is John Freeman.

Articles 44 & 46 — Data protection guarantee and the transfer to third countries.

  • Currently, we do not store data in the EU, and in fact, this isn’t required under GDPR.
  • Karbon data is stored in the USA at Microsoft's California datacenter and is transferred ensuring "appropriate safeguards" are in place and that the transfer of personal data is compliant with article 46.
  • When we process EU customer data in other territories, like the United States of America or Australia, we also ensure the "appropriate safeguards" prescribed by GDPR are in place – i.e., by entering into the European Commission’s Standard Contractual Clauses with the entity the data is transferred to, or by ensuring the entity is Privacy Shield certified (for transfers to US-based entities).

Further resources

You can get more helpful information on GDPR from:
