GDPR Compliance: What it Means for Your Global Business E-Archive

Filippa Jörnstedt
December 7, 2017

This blog was last updated on October 18, 2019

Some of the biggest business buzzwords of 2017 are without a doubt tied to the themes of privacy, integrity and personal data protection. Rightly so; these are important considerations for any organisation, and with the entry into force of the EU General Data Protection Regulation (more commonly referred to as GDPR) looming only 6 months away, it’s more important than ever to formally comply with the burdensome requirements in this domain. Much can be said about GDPR compliance, and this post isn’t intended to go into detail on the intricacies of that subject in general – but rather to shed some light on the impact that the GDPR inevitably will have on your global e-invoice archive, or any other archive of business critical e-documents for that matter.

Why is GDPR of relevance for archiving business documents like invoices – surely it only targets personal data?

That’s correct, the scope of application is indeed personal data – but can you guarantee that your business documents don’t include any personal data, even occasionally? Take a B2B invoice for example – typically it would only include business relevant data such as product category, VAT rate, ship to location or currency, but there are common and important exceptions, such as the name of reference person(s) from the buying and/or selling organisation. B2C invoices, by contrast, will almost always include personal data of the consumer.

Even in the case of the B2B invoice, that one little name of an individual is enough to trigger the applicability of the GDPR framework – and the risk of fines and penalties that go along with it. The amount of personal data you risk including in your e-archive grows even larger if you choose to rely on a Business Controls Based Audit Trail to ensure integrity and authenticity, since this method requires you to exchange and archive a substantial number of surrounding business documents (orders, transport documents, bank statements, etc.) to make the content of the invoice semantically verifiable.

The bottom line of the GDPR – and its clash with tax/accounting law

To begin with, any entity needs legal grounds to process personal data, and those legal grounds can be several, for example: that you’re required by law to store something; that you have the consent of the data subject (the person whose name/data is being stored); or, which is important for many business document situations, that there is a “legitimate interest” to store the data. In almost all countries, accounting rules require good book-keeping, and, at least in all countries where indirect taxes exist, companies are obliged to store the invoice as proof of their right to deduct or their obligation to report the relevant tax. So far so good – companies are legally required to store invoices, which means that at least during the mandatory storage period, there is a clear legal ground for processing the data.

However, the fact that you’ve identified the legal ground for processing does not mean that you have it forever. Instead, the GDPR sets out the obligation for companies to regularly identify what data they process and for what purposes, as well as to delete data which they no longer need or are no longer permitted to store.

Consequently, sort-and-delete routines have become a key process to fulfil the data minimisation principle – which can be said to be one of the founding pillars of the GDPR – and are a complicating factor for most archives. From a bird’s-eye perspective, global e-invoice retention requirements vary a great deal: it may be as little as 5 years in one country, and as much as 13 in another. Certain sectors are sometimes subject to longer retention periods (e.g. oil/petrol and real estate). If litigation arises over a specific invoice, it should be possible to extend the storage period for that unique invoice for another couple of years while the proceedings continue.

So, what to do then…?

…a diligent, tax-compliant reader will ask. What it all boils down to is as simple as this:

Don’t store more than you’re allowed (or required) to, only store it for as long as you’re allowed (or required) to, AND make sure to store it properly and in line with local requirements.

Taking this principle from word to action, however, is not always simple. Over the years, we’ve seen excellent archiving systems, but we’ve also seen quite poor examples, which in essence can best be described as uncategorised, non-searchable pits of documents, a place where legacy invoices go to hibernate but are never actually deleted. In a post-GDPR world, this will never be considered as acceptable business behaviour.

Instead, it will be increasingly important that any global e-invoice archive not only ensures that the invoices remain securely archived during the legally established period, but also that it enables identification of the legitimate storage period on a country by country basis and allows deletion of invoices once that storage period has expired, in the absence of other legal grounds for continued processing.


Author

Filippa Jörnstedt

Filippa Jörnstedt is Director of Regulatory Analysis & Design at Sovos and leads Sovos regulatory research across VAT and other indirect taxes globally. Based in Stockholm, Filippa’s background is in international trust and tax regulations, focusing on global developments in tax controls such as e-invoicing, e-reporting and e-signing requirements. Fluent in English, Italian, French, Romanian and her native tongue Swedish, Filippa earned her degree in Law from Lund University in Sweden.