GDPR and Your Accounting Data: What Xero Users Need to Know

January 20, 2026

The General Data Protection Regulation (GDPR) has fundamentally changed how businesses handle personal data across Europe and the UK. For Xero users, this creates a unique challenge: how do you balance GDPR's data minimisation principles with the legal requirement to retain financial records for years? This comprehensive guide explains everything you need to know about GDPR compliance for your accounting data.

Understanding GDPR in the Context of Accounting

GDPR applies to any personal data you process, and your accounting records are full of it. Customer names, addresses, email addresses, bank details, and purchase histories are all considered personal data under the regulation.

The key principles of GDPR that affect your accounting data include:

  • Lawfulness and Transparency – You must have a legal basis for processing personal data and be transparent about how you use it
  • Purpose Limitation – Data should only be collected for specified, explicit, and legitimate purposes
  • Data Minimisation – Only collect data that is necessary for your stated purposes
  • Accuracy – Personal data must be accurate and kept up to date
  • Storage Limitation – Data should not be kept longer than necessary
  • Security – Appropriate security measures must protect personal data

The GDPR vs Tax Law Conflict

Here's where it gets complicated. GDPR says you shouldn't keep data longer than necessary, but tax authorities require you to retain records for extended periods:

  • UK (HMRC): 6 years from the end of the relevant tax year
  • Ireland (Revenue): 6 years
  • Germany: 10 years for accounting documents
  • France: 10 years for commercial documents
  • Netherlands: 7 years

The good news is that GDPR explicitly recognises this conflict. Article 17(3)(b) states that the right to erasure does not apply where processing is necessary "for compliance with a legal obligation." This means you can—and must—retain accounting records even if a customer requests deletion.

What Personal Data Does Xero Store?

Understanding what data Xero holds is the first step to GDPR compliance. Your Xero account likely contains:

Contact Records

  • Names (individual and business)
  • Email addresses
  • Phone numbers
  • Physical addresses
  • Bank account details
  • Tax identification numbers

Transaction Data

  • Purchase and sales history
  • Payment information
  • Invoice details
  • Credit notes and refunds

Attached Documents

  • Uploaded invoices and receipts
  • Contracts and agreements
  • Identification documents

Your GDPR Obligations as a Xero User

1. Establish Your Legal Basis

For most accounting data, your legal basis will be one of the following:

  • Contract – Processing is necessary to fulfil a contract with the customer
  • Legal Obligation – Processing is required to comply with tax laws
  • Legitimate Interest – Processing is in your legitimate business interest (e.g., debt collection)

Importantly, you generally don't need consent to process accounting data because you have other legal bases. However, you must still be transparent about your data processing.

2. Create a Privacy Notice

Your privacy notice should explain:

  • What personal data you collect
  • Why you collect it (purposes)
  • Your legal basis for processing
  • How long you retain data
  • Who you share data with (including Xero as a processor)
  • Data subject rights

3. Handle Data Subject Requests

Under GDPR, individuals have rights regarding their data. Here's how to handle common requests:

Right of Access (Subject Access Request): You must provide a copy of all personal data you hold. Export the contact record and transaction history from Xero.

Right to Rectification: If data is inaccurate, update it in Xero. Keep a record of the correction.

Right to Erasure: For active accounting records within the retention period, you can legitimately refuse this request based on legal obligation. However, after the retention period ends, you should delete unnecessary data.

4. Ensure Data Security

GDPR requires "appropriate technical and organisational measures" to protect personal data. For your Xero data, this includes:

  • Using strong, unique passwords
  • Enabling two-factor authentication
  • Limiting user access to only what's necessary
  • Reviewing connected apps regularly
  • Securing any exported or backed-up data

Xero as a Data Processor

Under GDPR terminology, you are the "data controller" (you decide what data to collect and why), and Xero is a "data processor" (they process data on your behalf).

Xero has published their GDPR compliance documentation, including:

  • A Data Processing Agreement that meets Article 28 requirements
  • Information about their security measures
  • Details of sub-processors they use
  • Data transfer mechanisms for international transfers

As a controller, you should review Xero's data processing terms and ensure they meet your compliance requirements.

Backing Up Data and GDPR

Here's an important consideration: GDPR applies to backups too. If you back up your Xero data (which you should for business continuity), those backups also contain personal data.

Best Practices for GDPR-Compliant Backups:

  • Secure Storage – Ensure backups are encrypted and access-controlled. Boxkite stores your data securely in Dropbox, which provides encryption at rest and in transit.
  • Access Controls – Limit who can access backup data
  • Retention Policies – Apply the same retention periods to backups as to primary data
  • Include in Your Records – Document your backup processes in your data processing records

Data Retention: A Practical Approach

Here's a practical framework for managing accounting data retention:

During the Retention Period (e.g., 6 years in the UK):

  • Maintain complete records in Xero
  • Keep backups for disaster recovery
  • Respond to subject access requests with full data
  • Decline erasure requests citing legal obligation

After the Retention Period:

  • Review what data is still necessary
  • Archive or delete data that's no longer needed
  • Consider archiving to Xero's "archive" status for contacts
  • Document your deletion decisions

Common GDPR Mistakes to Avoid

1. Over-Relying on Consent

You don't need consent for processing accounting data. Using consent when you have another legal basis actually weakens your position.

2. Ignoring Data Subject Requests

You have one month to respond to data subject requests. Set up a process to handle them promptly.

3. Keeping Data Forever

Just because you can keep data for 6+ years for tax purposes doesn't mean you should keep it forever. Implement a data retention schedule.

4. Forgetting About Backups

Ensure your backup strategy is GDPR-compliant, including secure storage and appropriate retention.

Conclusion

GDPR compliance for Xero users isn't as daunting as it might seem. The key points to remember are:

  • You have legitimate legal bases for processing accounting data
  • Tax law retention requirements override GDPR's erasure rights during the retention period
  • Security, transparency, and documentation are your main ongoing obligations
  • After the retention period, you should delete unnecessary data

By understanding these principles and implementing appropriate policies, you can confidently use Xero while meeting your GDPR obligations.

This blog post is for informational purposes only and does not constitute legal advice. For specific guidance regarding your GDPR obligations, please consult with a qualified data protection professional or legal advisor.