Privacy and Security
At Zoho Books, we take the privacy of your organization very seriously. With new data protection laws coming into force, the following feature enhancements in Zoho Books will help you stay GDPR compliant.
Permissions to Access PII
Zoho Books lets you restrict your organization's users' access to the sensitive data of your contacts. You can edit a user's role and enable or disable their access to Personally Identifiable Information (PII), that is, any data that can be used to identify a specific individual. To do this:
- Click the Gear icon in the top-right corner.
- Go to Users and Roles and click the Roles tab.
- Hover the cursor over a role and click edit to modify an existing role or create a new role.
- Scroll to the Settings section and enable or disable Access Personally Identifiable Information.
- Click Save.
Note: By default, the setting will be enabled only for the Admin of the organization.
Read more about Roles and Users.
Custom Field Creation
Custom Fields in Zoho Books allow you to quickly and easily add data against fields created by you. From now on, when you create a new custom field, you can choose to encrypt and save the Personally Identifiable Information (PII).
- Click the Gear icon from the top right corner and select Preferences.
- Select the module for which you would like to create a new custom field.
- Enter the Label Name and select the Data Type.
- Select how you want to store your data based on its sensitivity under Data Privacy.
Select PII or ePHI based on the information that you will be entering in this field.
- Select PII (Personally Identifiable Information) if the information that you will enter is confidential and can be used to identify a person. You can mark fields such as Text, Email, URL, Phone, Number and Date as PII. You can choose to encrypt and store it if the data is sensitive or store it without encryption if the data is non-sensitive. Choose if the information you enter will be sensitive or not sensitive:
- Sensitive data. Encrypt and store it. This data can be viewed only by users who have permission to access PII.
- Not sensitive data. Store it without encryption. Only users with access to protected data can view the details. However, users can use this field to perform advanced searches.
Select ePHI (Electronic Protected Health Information) if the information that you enter can be used to identify a patient. For example, an electronic copy of a medical report is ePHI. You can mark only fields of type Text, Email, URL, Phone, and Date as ePHI. The data is always considered sensitive; it is encrypted and stored. Only users with access to protected data can access these fields, and users cannot use this field to perform advanced searches.
Select the other settings and click Save.
Note: You can mark a field as PII or ePHI only for the following data types: text, number, email, URL, date and phone.
Restricting Data Export
Once you have enabled role-based access, users without permission to access Personally Identifiable Information (PII) will not be able to export any sensitive information. This includes the Social Security Number (SSN), bank account number, and any custom fields created and marked as sensitive.
Users with permission to access PII can export this data as follows:
- Navigate to the module from which you would like to export data.
- Click Export from the hamburger icon.
- Select the module you want to export, choose the status of the transaction, and select the file format.
- Enable the option Include Sensitive Personally Identifiable Information (PII) while exporting.
- Click Export.
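As an added illustration (not Zoho Books code; the field labels and record keys are constructed), the following Python models the rules described in the Custom Field Creation and Restricting Data Export sections: which data types may be marked PII or ePHI, which settings imply encryption and exclusion from advanced search, and how an export is filtered when the role lacks the PII permission or the Include Sensitive PII option is left off.

```python
from dataclasses import dataclass

# Data types that may carry PII / ePHI, as listed on the page (ePHI excludes Number).
PII_TYPES = {"text", "email", "url", "phone", "number", "date"}
EPHI_TYPES = {"text", "email", "url", "phone", "date"}
BUILTIN_SENSITIVE = {"ssn", "bank_account"}  # hypothetical keys for the built-in sensitive fields

@dataclass(frozen=True)
class CustomField:
    label: str
    data_type: str
    privacy: str = "none"    # "none", "pii" or "ephi"
    sensitive: bool = False  # only consulted for "pii"; ePHI is always sensitive

def field_policy(field: CustomField) -> dict:
    """Storage and visibility rules implied by the field's Data Privacy setting."""
    dtype = field.data_type.lower()
    if field.privacy == "pii":
        if dtype not in PII_TYPES:
            raise ValueError(f"{field.label}: {dtype} cannot be marked PII")
        encrypted = field.sensitive  # sensitive PII is encrypted at rest
    elif field.privacy == "ephi":
        if dtype not in EPHI_TYPES:
            raise ValueError(f"{field.label}: {dtype} cannot be marked ePHI")
        encrypted = True  # ePHI is always treated as sensitive
    else:
        return {"encrypted": False, "searchable": True, "protected": False}
    # Encrypted values are excluded from advanced search; protected ones need PII access to view.
    return {"encrypted": encrypted, "searchable": not encrypted, "protected": True}

def is_valid_field(field: CustomField) -> bool:
    """True if the field's data type may carry the chosen privacy classification."""
    try:
        field_policy(field)
        return True
    except ValueError:
        return False

def export_records(records, fields, access_pii: bool, include_sensitive: bool):
    """Drop sensitive columns unless the role has PII access and opted to include them."""
    sensitive = BUILTIN_SENSITIVE | {f.label for f in fields if field_policy(f)["encrypted"]}
    keep = access_pii and include_sensitive
    return [{k: v for k, v in r.items() if keep or k not in sensitive} for r in records]

# Constructed sample: three custom fields and one contact record (not real data).
FIELDS = [CustomField("Passport No", "text", "pii", True),
          CustomField("Nickname", "text", "pii", False),
          CustomField("Diagnosis", "text", "ephi")]
CONTACTS = [{"name": "A. Customer", "ssn": "000-00-0000", "bank_account": "0000",
             "Passport No": "P0000000", "Nickname": "Al", "Diagnosis": "redacted"}]
```

Note that the non-sensitive PII field (Nickname) survives the restricted export, matching the page's statement that only sensitive fields are withheld, while the encrypted fields and the built-in SSN and bank account are stripped.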