Guide: GDPR for Accounts Payable

You have probably heard about the European Union’s new General Data Protection Regulation (GDPR) that will enter into force in May of 2018. But do you know what the GDPR means in practice and how it affects your accounts payable process?

Here at Medius we take all questions on data privacy, security and transparency seriously and we’ve spent quite some time on understanding the new legislation and researching how our solutions and our customers will be impacted in their day-to-day invoice processing routines. In this blog post, we’re summarizing our findings to help you better understand what you need to do to ensure your AP organization and process are compliant with the GDPR.

What is GDPR?

In short, the GDPR is designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.

The GDPR not only applies to organizations located within the EU but also to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects.

Personal data includes any information that can be connected to a living individual. This includes the obvious details, such as name, email address and phone number, but it also can refer to information about the individual’s website browsing behaviour, cookie ID and location identified via a mobile phone or web browser.

Learn more about the GDPR on the EU Commission website.

How does GDPR affect Accounts Payable?

You might think that accounts payable would be unaffected by the GDPR, since the function does not handle the large contact databases you usually associate with privacy regulation requirements.

But in fact, regardless of whether you handle your vendor invoices in a digital workflow solution or in a manual paper-based process, you are most likely processing personal data that will be affected by the GDPR.

These are just some examples of personal data points in the accounts payable process:

  • Invoices that contain a contact person’s name and/or contact details, either at the supplier or at the buying organization.
  • User details (name, email address, phone number, etc.) for the internal users of the AP invoice automation solution your organization uses for invoice approvals and processing.
  • Comments made in your AP invoice automation solution regarding an invoice, particularly if they mention, for example, the name and contact details of a supplier contact.

With these examples at hand, we advise you to review your current accounts payable process – including all systems in place to support it – and implement internal policies to ensure you comply with the GDPR.

Data protection

What you need to do to be compliant

The GDPR includes a data subject’s right to:

  • Access – meaning you need to be able to extract and share all personal data you process on a person upon their request.
  • Rectification – meaning you need to change any incorrect data you hold on a person upon their request.

The GDPR sometimes also includes a data subject’s right to be forgotten – meaning you need to be able to permanently delete all personal data you hold on a person upon their request.

For accounts payable professionals this means you need to ensure you have the tools, policies and processes in place to meet these types of requests from a data subject.

These four steps will help you get started:

  1. Contact your AP solution provider(s) to discuss how they support your compliance with the GDPR.
  2. Make sure to sign a separate “Data Processing Addendum (DPA)” with the provider of solutions where personal data may be processed by the provider on your behalf.
  3. Ensure you have internal processes for how to access, rectify and delete any personal data that sits in the system(s) when requested by a data subject.
  4. Implement internal policies for how personal data is handled within your organization and make sure that everyone is informed about the new legislation.

Remember, the GDPR affects the entire organization on a global scale, so it is crucial that you make GDPR a company-wide matter and implement policies and processes across all regions and functions.

If you have any questions about how Medius can support your organization in meeting the obligations related to data subject rights under the GDPR, please read our official statement regarding the GDPR.

Note: this blog post is not intended to constitute legal advice or to offer comprehensive guidance.

Kristin Widjer
VP Legal, Medius