The General Data Protection Regulation (GDPR) comes into force on 25 May 2018. The regulation is designed to protect the personally identifiable information of EU citizens by introducing a set of consistent standards for data protection, improving the way businesses with customers in the EU approach data protection. Non-compliance can result in fines of up to €20 million or 4% of annual turnover (whichever is greater).
Organisations will need to comply with new regulations to modernise the way they capture, process, use and store their customers’ personal information. This will include adopting ‘privacy by design’, creating a ‘culture of accountability’ and establishing clear policies and procedures such as data retention, data encryption, GDPR-sympathetic business-to-business contracts and employee awareness.
The geographical scope will become wider and customer rights will be enhanced. Getting ready for GDPR is a company-wide responsibility and the correct approach to data protection should become an intrinsic part of an organisation’s day-to-day business processes.
How does this affect the Accounts Payable department?
The Accounts Payable department deals with very sensitive customer information including identity and bank account details. If this information were to fall into the wrong hands, the results could be catastrophic, so operating in compliance with GDPR is paramount.
Under GDPR, Accounts Payable are responsible for:
1. Storage & Archiving
You must keep a well-managed archive of paper and electronic invoices. This can be difficult if invoices are kept/saved in various locations such as filing cabinets, warehouses, computer desktops, databases etc.
You must also ensure that records are stored securely to prevent inappropriate access to sensitive data. Archived records and documents MUST remain unchanged and untampered with, and be securely destroyed after a set retention period.
2. Right of Access
You must provide customers or suppliers with records of their personal data when requested, so that they are aware of and can verify the lawfulness of the processing. The information must be provided using “reasonable means” (in a format they can read and reuse) and within one month of receipt of the request.
3. Keeping Accurate Records
You will be required to keep internal records of data processing and provide a full audit history of all records kept, on demand from either a data subject or a governing body such as the ICO.
4. Deleting & Removing Records
Under the new rules an individual has the right to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
On request, every piece of relevant data held on a customer or supplier must be removed in a way that doesn’t impact other records.
5. Data Breach
You are required to disclose any personal data breaches and inform your Supervisory Authority (SA) within 72 hours of detection. Once a breach has been identified, organisations must immediately assess what data was taken. Where the risk to the rights and freedoms of the individual is deemed “high”, the affected individuals must also be notified.
When reviewing how you currently work, you should ask yourself these questions:
- What is the nature of the documents you hold?
- Do they include personal identifiable information?
- Can you easily find a document?
- How long do you keep documents and why?
- Is it all in one location?
- Is the data accurate and up to date?
- Do you know how many copies exist?
- Can document access be restricted?
- What data security provisions do you have?
- Can you transfer your physical documents into secure electronic records?
Complying with GDPR will help ensure accounts departments adopt and adhere to the far more stringent data protection standards being introduced and this change in focus may completely alter the way an accounts department operates within an organisation. Typically, the accounts department is where the most significant amount of sensitive data will be handled and as such it will be the area most susceptible to the largest fine, should a breach occur.
To tackle the changes brought about by the GDPR, identification, reporting and notification systems must be implemented so that breaches are dealt with as soon as they happen. In practice, the risk of a breach may be mitigated by employing automated systems and processes, such as an invoice processing solution, which can simplify and streamline processes by removing manual data entry, eliminating human error and providing the all-important audit trail. When used in conjunction with a document management system, this would ensure that documents, invoices and records are stored securely, deleted securely, and searched and retrieved quickly.
There is a real opportunity here for an accounts department to help drive the organisation’s journey to GDPR compliance by ensuring the adoption of best practice, the implementation of good process and procedure, and the introduction of sympathetic data management systems, based on the guidelines provided by the GDPR.
If you would like to know more about how your organisation can get ready for GDPR, we can help with everything from advice to a full business audit. Email firstname.lastname@example.org for more information.