GDPR for accounts payable - what you need to know
These days there is a lot of discussion about the European Union’s new General Data Protection Regulation (GDPR) that will enter into force in May of 2018 and how this affects businesses and individuals across the world.
The GDPR is designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy. The GDPR not only applies to EU businesses but also to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. The aim is to give consumers control of their personal data collected by companies.
In practice, this means that any organization that stores and handles personal data related to EU citizens needs to ensure GDPR compliance. Accounts payable departments must ensure that their solutions and processes align with GDPR requirements, protecting the personal data that may reside on invoices and in the systems in use.
The definition of GDPR
The GDPR states the type and amount of personal data that a business can collect and process about an individual, or ‘data subject’ in legal terms. It also includes rules around how long to store data and the individual’s rights to their data.
Businesses need to respect several key rules including:
- personal data must be processed in a lawful and transparent manner
- process data only for specific purposes, which you must indicate to individuals when collecting their personal data
- collect and process only the personal data that is necessary to fulfill that purpose
- ensure the personal data is accurate and up to date
- ensure personal data is not used for purposes other than the original purpose of collection
- ensure that personal data is stored for no longer than necessary for the purposes for which it was collected
- put in place appropriate technical and organizational safeguards that ensure the security of the personal data
Personal data includes any information that can be connected to a living individual. This covers the obvious details, such as name, email address and phone number, but it can also refer to information about the individual’s website browsing behavior, cookie ID, and location identified via a mobile phone or web browser. Different pieces of information which, when collected together, can lead to the identification of a particular person also constitute personal data.
The GDPR is technology neutral and applies to both automated and manual processing of personal data. The storage method for the data also does not matter – in an IT system, through video surveillance, or on paper. In all cases, personal data is subject to the protection requirements set out in the GDPR.
What is the impact of GDPR on accounts payable?
Whether invoice processing is done manually or digitally, GDPR compliance impacts AP. Even if accounts payable teams traditionally don’t manage large databases of personal data, there will be data points in the accounts payable process that fall under the GDPR legislation. These are just a few examples:
- Invoices that contain a contact person name and/or contact details, either with the supplier or buying organization
- User details (name, email address, phone number, etc.) for internal users of the AP invoice automation solution
- Comments made in the AP invoice automation solution regarding an invoice that may include personal data
It is critical for businesses to review all internal processes, including accounts payable, where personal data is touched, and to ensure actions are taken to process this data in accordance with the new legislation. Non-compliance with the GDPR may, in fact, be very harmful to a company’s financials, and ultimately its survival. An organization in breach of GDPR laws can be fined up to 4 percent of annual global turnover or 20 million euros ($24.6 million), whichever is larger.
How can we ensure compliance with the GDPR?
One of the key elements of the GDPR is the individual’s rights to their data, including the rights of access and rectification. You need to be able to extract and share all personal data the organization processes on an individual upon their request. You must also correct any incorrect data you hold on a person upon their request. In some cases, the GDPR also grants a data subject the right to be forgotten, meaning you must permanently delete all personal data you hold on a person upon their request.
For accounts payable professionals this requires having the tools, policies, and processes in place to meet these types of data access, rectification or deletion requests from an individual.
Four actions to help AP teams be compliant with the GDPR
- Contact your AP solution provider(s) to discuss how they support your GDPR compliance.
- Make sure to sign a separate “Data Processing Addendum (DPA)” with the provider of solutions where personal data may be processed by the provider on your behalf.
- Ensure you have internal processes in place for how to access, rectify and delete any personal data that sits in the system(s) when requested by a data subject.
- Implement internal policies for how personal data is handled within your organization and make sure that everyone is informed about the new legislation.
The GDPR launch date is approaching quickly and it will for sure affect organizations across regions and departments. It is critical that AP professionals at all levels understand what the new legislation implies for their role to ensure compliance both when using systems and in the day-to-day invoice processing management.
Note: this article is not intended to constitute legal advice or offer comprehensive guidance.