
How does GDPR Compliance Impact Today's Finance Teams?



A finance team located in a country outside the European Union is still part of its company's compliance solution for the EU-enacted General Data Protection Regulation. GDPR applies to personal data protection and data security for EU citizens and "habitual" EU residents. Complying with the GDPR presents some challenges for the finance team.

What is GDPR?

GDPR, the General Data Protection Regulation, is a strict EU data privacy law, backed by penalties, that requires companies in non-EU locations that do business with residents of European Union Member States to protect the personal data they process. Financial services companies, including financial institutions and payment service providers (PSPs), must also comply with GDPR.

The free movement of personal data within the EU is allowed, without restrictions imposed by the GDPR. For organizations in EU Member States, Regulation (EC) No 45/2001, an EU law, applies instead of GDPR. But the GDPR requires that other Union legal acts be consistent with GDPR on personal data protection within the EU.

What are Personal Data and Personal Data Breach in GDPR Compliance?

In GDPR Article 4 definitions, personal data is “any information relating to an identified or identifiable natural person,” referred to as a data subject. A personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

According to the GDPR definition, “an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Personal data containing personally identifiable information falls under GDPR when it meets the following test: the personal data is processed by a data controller or data processor, either automatically or manually as part of a filing system.

Data subjects, according to the General Data Protection Regulation (GDPR), are citizens or “habitual residents” of EU Member States (countries). 

The data controller needs to give its regulator, the supervisory authority, a personal data breach notification within 72 hours of becoming aware of the personal data breach (or give the reason for a delayed notification). The data processor informs the data controller about breaches that it observes. Article 33 of the GDPR describes what to include in a personal data breach notification.

If the sensitive data breach is “likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.” If the data controller meets certain conditions described in Article 34 of the GDPR, then the data subject doesn’t need to be informed of the personal data breach.  

What are Potential Penalties for Non-Compliance with GDPR?

Regulatory penalties for non-compliance with GDPR include damages incurred by the data subject, the supervisory authority's administrative fines, and possibly reprimands. Liabilities for non-compliance with the EU's General Data Protection Regulation can be substantial.

Data subjects can seek compensation from the data controller(s) or data processor(s) if they incur material or non-material damages connected with a GDPR infringement. To be liable for damages, the data controllers or data processors must have caused the event.

Supervisory authorities can impose penalties, including administrative fines for infringements of specific provisions of the GDPR privacy law and non-compliance with a supervisory authority’s order, according to Article 83. The administrative fines are “up to 20 million EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover [sales] of the preceding financial year, whichever is higher.” 

For minor infringements of GDPR or if it would result in a “disproportionate burden to a natural person,” a reprimand may be issued instead of an administrative fine. 

GDPR Data Protection in the Payments and Financial Services Industry 

The GDPR adds some requirements to the financial services industry, including banks, other financial institutions, and payment service providers (PSPs) regarding informing data subjects, providing data portability rights and actions,  and issuing timely personal data breach notices.

From a payment processing standpoint, under the EU-issued GDPR law the merchant is the data controller and the PSP is the data processor. The data subject is the customer and cardholder. Personal data is customer data, including personally identifiable card data. Payment service providers handle credit cards and other types of online payment methods used by customers to pay merchants.

For the financial services and payment services industries, GDPR is as essential to enforce as other laws, like the U.S. Congress-passed AML Act for anti-money laundering. Financial services and payment processing companies are large-scale data processors with high-risk data processing activities subject to the full range of GDPR provisions and penalties.

Does Your Company Need a Data Protection Officer (DPO)?

Enterprises engaged in economic commerce that do systematic and large-scale data processing need to appoint a data protection officer (DPO) to plan and enforce GDPR compliance. The requirement for a DPO is not dependent on business size or employee headcount.

How Does the GDPR Treat Micro, Small, and Medium-sized Enterprises (SMEs)?

In general, according to Recital 13, micro, small and medium-sized enterprises must still comply with the GDPR. But GDPR makes it easier for these SMEs to apply some GDPR requirements, including record-keeping. Regulators are “encouraged to take account of specific needs of micro, small and medium-sized enterprises in the application of this Regulation.”

The GDPR exempts or relaxes rules (applies “derogation”) for some micro, small, and medium-sized enterprises engaged in economic commerce. These SMEs have fewer than a stated number of employees combined with an “annual turnover” (sales) ceiling and/or an annual balance sheet total ceiling in euros. 


An area of less strict SME application of GDPR is record-keeping requirements.

The ceilings for enterprises engaged in economic commerce by size are:

Enterprise size | Employee headcount fewer than | Annual turnover (sales) in euros | Annual balance sheet total in euros
Medium          | 250                           | EUR 50 million                   | EUR 43 million
Small           | 50                            | EUR 10 million                   | EUR 10 million
Micro           | 10                            | EUR 2 million                    | EUR 2 million

How Does the Finance Team Comply with GDPR?

To comply with the GDPR data protection law, businesses must have adequate systems to capture, track, manage, and secure the personal data of EU citizens, to inform them, and to handle their requests for personal data captured by the system. The finance team should be aware that financial data includes identifiable personal data to which GDPR applies.

Is it possible to track the time period for which the sensitive personal data is held to inform data subjects and comply with GDPR? Is the company’s data retention period adequate to fulfill future requests for protected personal data and in compliance with GDPR time limits?

The finance team is responsible for managing finances, financial implications, cash flow, and company-wide risk management. For finance, personal data can appear in customer data files handled by the accounting and CRM systems and in stored credit card details.

Does a company policy exist regarding the handling and data security of personal data?

Does any personal data need encryption, anonymization, or pseudonymization to make sensitive data not personally identifiable?

Can customer data or other personal data be transferred at the data subject’s request to ensure that your business meets GDPR data portability and information security requirements?

Does your company know how to accept credit card payments over the phone correctly, to comply with GDPR and PCI-DSS requirements without recording personal data and payment details?

When considering how GDPR applies to your business, consider the IAPP's suggested risk mitigation strategy for complying with GDPR and protecting data subject rights and freedoms. The IAPP (International Association of Privacy Professionals) article includes locating and complying with any existing guidance on high-risk and large-scale data processing.

When planning to undertake a new project that puts data subjects' personal data at high risk, the GDPR requires that entities conduct a Data Protection Impact Assessment (DPIA), for which a template prepared by the UK's Information Commissioner's Office is linked. (The UK is a former EU Member State.)

Finance should ensure that the entity collecting personal data from a data subject informs the data subject, in clear and plain language, of all of the points required by Article 13 of the GDPR. If the data controller later decides to process the personal data further for another purpose, the company needs to inform the data subject again before that further processing.

A data controller or processor company must also let the data subject know that they have the right to request access to their personal data, to have it transferred to a different data controller (data portability), to request correction or erasure, to object to processing, and to withdraw explicit consent later. The data subject must be informed that they can lodge a complaint with a supervisory authority.

Finance needs to ensure that their business has a data processing agreement (DPA) with all third-party data processors, as required by GDPR. 

Summary – GDPR Compliance and Finance Team Impacts

The General Data Protection Regulation (GDPR), the 2018 EU data privacy law, provides data privacy and data protection for EU residents and citizens. GDPR is also applicable in countries outside the EU Member States, which comply with similar requirements in other EU laws.

For the financial services and payment service provider industries in eCommerce, GDPR is as essential to enforce as other laws, like the U.S. Congress-passed AML Act for anti-money laundering. Financial services and payment processing services are large-scale data processors handling high-risk personal data subject to the full range of GDPR provisions and penalties.

Finance teams in non-EU countries that participate in implementing GDPR compliance must understand the regulatory provisions and the impact of GDPR on business operations and on processing activities in their systems.

Sensitive customer data processed as part of financial data is the personal data of data subjects, with privacy and security requirements regulated by GDPR. Adequate cybersecurity is part of GDPR compliance. 

The GDPR personal information security, data privacy, and data protection law creates new responsibilities and challenges for the finance team and the entire business relating to the processing of personal data of "habitual" EU residents.
