GDPR Compliance: What it Means for Your Global Business E-Archive

Filippa Jörnstedt
December 7, 2017

Some of the biggest business buzzwords of 2017 are without a doubt tied to the themes of privacy, integrity and personal data protection. Rightly so; these are important considerations for any organisation, and with the entry into force of the EU General Data Protection Regulation (more commonly referred to as GDPR) looming only 6 months away, it’s more important than ever to formally comply with the burdensome requirements in this domain. Much can be said about GDPR compliance, and this post isn’t intended to go into detail on the intricacies of that subject in general, but rather to shed some light on the impact that the GDPR inevitably will have on your global e-invoice archive, or any other archive of business-critical e-documents for that matter.

Why is GDPR of relevance for archiving business documents like invoices – surely it only targets personal data?

That’s correct, the scope of application is indeed personal data – but can you guarantee that your business documents don’t include any personal data, even occasionally? Take a B2B invoice for example – typically it would only include business-relevant data such as product category, VAT rate, ship-to location or currency, but there are common and important exceptions, such as the name of reference person(s) from the buying and/or selling organisation. B2C invoices, by contrast, will almost always include personal data of the consumer.

Even in the case of the B2B invoice, that one little name of an individual is enough to trigger the applicability of the GDPR framework – and the risk of fines and penalties that go along with it. The amount of personal data you risk including in your e-archive grows even larger if you choose to rely on a Business Controls Based Audit Trail to ensure integrity and authenticity, since this method requires you to exchange and archive a substantial number of surrounding business documents (orders, transport documents, bank statements, etc.) to make the content of the invoice semantically verifiable.

The bottom line of the GDPR – and its clash with tax/accounting law

To begin with, any entity needs legal grounds to process personal data, and those legal grounds can be several, for example: that you’re required by law to store something; that you have the consent of the data subject (the person whose name/data is being stored); or, which is important for many business document situations, that there is a “legitimate interest” to store the data. In almost all countries, accounting rules require good book-keeping, and, at least in all countries where indirect taxes exist, companies are obliged to store the invoice as proof of their right to deduct or their obligation to report the relevant tax. So far so good – companies are legally required to store invoices, which means that at least during the mandatory storage period, there is a clear legal ground for processing the data.

However, the fact that you’ve identified the legal ground for processing will not mean that you have it forever. Instead, the GDPR sets out the obligation for companies to regularly identify what data they process and for what purposes, as well as to delete data which they no longer need or no longer are permitted to store.

Consequently, sort-and-delete routines have become a key process to fulfil the data minimisation principle – which can be said to be one of the founding pillars of the GDPR – and are a complicating factor for most archives. From a bird’s-eye perspective, global e-invoice retention requirements vary a great deal: it may be as little as 5 years in one country, and as much as 13 in another. Certain sectors are sometimes subject to longer retention periods (e.g. oil/petrol and real estate). If litigation arises over a specific invoice, it should be possible to extend the storage period for that unique invoice for another couple of years while the proceedings continue.

So, what to do then…?

…a diligent, tax-compliant reader will ask. What it all boils down to is as simple as this:

Don’t store more than you’re allowed (or required) to, only store it for as long as you’re allowed (or required) to, AND make sure to store it properly and in line with local requirements.

Taking this principle from word to action, however, is not always simple. Over the years, we’ve seen excellent archiving systems, but we’ve also seen quite poor examples, which in essence can best be described as uncategorised, non-searchable pits of documents, a place where legacy invoices go to hibernate but are never actually deleted. In a post-GDPR world, this will never be considered as acceptable business behaviour.

Instead, it will be increasingly important that any global e-invoice archive not only ensures that the invoices remain securely archived during the legally established period, but also that it enables identification of the legitimate storage period on a country by country basis and allows deletion of invoices once that storage period has expired, in the absence of other legal grounds for continued processing.


Filippa Jörnstedt

Filippa Jörnstedt is a Regulatory Counsel at Sovos TrustWeaver. Based in Stockholm, Filippa’s background is in international e-invoicing compliance and global regulatory developments. Fluent in English, Italian, French, Romanian and her native tongue Swedish, Filippa earned her degree in Law from Lund University in Sweden.