GDPR compliance: what it means for your global business e-archive
Some of the biggest business buzzwords of 2017 are without a doubt tied to the themes of privacy, integrity and personal data protection. Rightly so; these are important considerations for any organisation, and with the entry into force of the EU General Data Protection Regulation (more commonly referred to as GDPR) looming only 6 months away, it’s more important than ever to formally comply with the burdensome requirements in this domain. Much can be said about GDPR compliance, and this post isn’t intended to go into detail on the intricacies of that subject in general – but rather to shed some light on the impact that the GDPR inevitably will have on your global e-invoice archive, or any other archive of business critical e-documents for that matter.
Why is GDPR of relevance for archiving business documents like invoices – surely it only targets personal data?
That’s correct, the scope of application is indeed personal data – but can you guarantee that your business documents don’t include any personal data, even occasionally? Take a B2B invoice for example – typically it would only include business relevant data such as product category, VAT rate, ship to location or currency, but there are common and important exceptions, such as the name of reference person(s) from the buying and/or selling organisation. B2C invoices by contrast, will almost always include personal data of the consumer.
Even in the case of the B2B invoice, that one little name of an individual is enough to trigger the applicability of the GDPR framework – and the risk of fines and penalties that go along with it. The amount of personal data you risk including in your e-archive grows even larger if you chose to rely on a Business Controls Based Audit Trail for the purpose of ensuring integrity and authenticity, since you as part of this method need to ensure you exchange and archive a substantial amount of surrounding business documents (orders, transport documents, bank statements etc) to make the content of the invoice semantically verifiable.
The bottom line of the GDPR – and its clash with tax/accounting law
To begin with, any entity needs legal grounds to process personal data, and those legal grounds can be several, for example: that you’re required by law to store something; that you have the consent of the data subject (the person whose name/data is being stored); or, which is important for many business document situations, that there is a “legitimate interest” to store the data. In almost all countries, accounting rules require good book-keeping, and, at least in all countries where indirect taxes exist, companies are obliged to store the invoice as proof of their right to deduct or their obligation to report the relevant tax. So far so good – companies are legally required to store invoices, which means that at least during the mandatory storage period, there is a clear legal ground for processing the data.
However, the fact that you’ve identified the legal ground for processing will not mean that you have it forever. Instead, the GDPR sets out the obligation for companies to regularly identify what data they process and for what purposes, as well as to delete data which they no longer need or no longer are permitted to store.
Consequently, sort-and-delete routines have become a key process to fulfil the data minimisation principle – which can be said to be one of the funding pillars of the GDPR – and are a complicating factor for most archives. From a birds-eye perspective, global e-invoice retention requirements vary a great deal: it may be as little as 5 years in one country, and as much as 13 in another. Certain sectors are sometimes subject to longer retention periods (e.g oil/petrol and real-estate). If litigation arises over a specific invoice, it should be possible to extend the storage period for that unique invoice for another couple of years while the proceedings continue.
So, what to do then…?
…a diligent, tax-compliant reader will ask. What it all boils down to is as simple as this:
Don’t store more than you’re allowed (or required) to, only store it for as long as you’re allowed (or required) to, AND make sure to store it properly and in line with local requirements.
Taking this principle from word to action, however, is not always simple. Over the years, we’ve seen excellent archiving systems, but we’ve also seen quite poor examples, which in essence can best be described as uncategorised, non-searchable pits of documents, a place where legacy invoices go to hibernate but are never actually deleted. In a post-GDPR world, this will never be considered as acceptable business behaviour.
Instead, it will be increasingly important that any global e-invoice archive not only ensures that the invoices remain securely archived during the legally established period, but also that it enables identification of the legitimate storage period on a country by country basis and allows deletion of invoices once that storage period has expired, in the absence of other legal grounds for continued processing.
Join our LinkedIn Group here or contact us now.
Filippa Jörnstedt, Legal Counsel and Anna Nordén, Chief Privacy Officer & General Counsel