GDPR and Accounts Receivable


The General Data Protection Regulation has been a hot topic of late.

Designed to empower and protect individuals with regard to their data, the GDPR places considerable onus on businesses to improve data handling. With the regulation now in force, Accounts Receivable teams have had to get up to speed with all of its requirements, having prepared ahead of the 25th May 2018 application date.

As a regulation, GDPR requires ongoing commitment to a set of data-handling requirements. These are spelled out clearly in the dedicated official documentation on the ICO website, and broadly correspond to the data protection principles of Article 5:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

These are all good common-sense considerations when you stop to think about it. In fact, many businesses have had policies in place for years covering aspects addressed here: the preceding EU Data Protection Directive (95/46/EC), implemented in the UK as the Data Protection Act 1998, already required businesses to address security, confidentiality and transparency, as well as broader legal responsibilities for the handling of individuals’ personal data.

GDPR considerations for Accounts Receivable

Accounts Receivable teams rely on personal data: invoices and related communications simply cannot be sent without the name and contact details of the person being billed, or of the contact at the customer organisation. From a GDPR perspective, the lawful basis for handling and using that data in billing communications is normally performance of a contract (Article 6(1)(b)). Many businesses have nevertheless taken additional steps of late to obtain consent as a lawful basis. Strictly speaking, this is not a GDPR requirement, as long as AR communications and data handling concern only data within the scope of the business’s contract with each customer. Relying on consent where contract is the real basis can in fact cause problems, because consent can be withdrawn at any time, whereas the invoice still has to be sent.

While much of the conversation around GDPR focuses on the lawful basis for handling and storing data, or for using it in marketing, the bigger picture extends to the practices in place for storage, communication, data review and security.

The broader GDPR-compliant data framework within the business needs to cover billing data as well. Given how frequently Accounts Receivable teams must communicate with customers, there is an excellent opportunity to meet the requirements around accuracy, integrity and transparency at the same time.

E-billing and e-invoicing platforms, such as Corcentric, can allow customers to self-serve access to, and update, the data held about them. One common scenario is updating an address or other contact details via a secure online portal. Businesses can use the Corcentric platform to be transparent about what data is held on each customer and to let customers keep that data accurate and up to date.

GDPR security requirements for Accounts Receivable

GDPR sets out areas for security consideration (Article 32), requiring technical and organisational measures appropriate to the risk posed by the data the business handles. Ownership of security requirements, and of auditing them, still needs to be assigned within the business, but industry standards such as ISO 27001:2013 provide an excellent framework for many aspects of security compliance with GDPR. Note that ISO 27001 certification is not by itself evidence of GDPR compliance; it supports it.

At Corcentric, we take the security of document distribution, and of the data contained within those documents, extremely seriously. Aside from being ISO 27001:2013 compliant, the Corcentric platform provides a variety of functions to improve the security of data handling and distribution. You can find out more about our security functions on this page.

GDPR and outsourcing

When working with an outsourced provider of AR services for e-billing/e-invoicing, it is important to establish the correct legal framework for GDPR compliance. This means recognising that customer data is transferred between the primary business (the data controller) and the outsourced partner (the data processor), and putting in place the written contract that GDPR (Article 28) requires between controller and processor, setting out each party’s commitments and responsibilities.

Outsourcing e-invoicing and e-billing to a GDPR-compliant partner, such as Corcentric, can assist with an ongoing commitment to GDPR compliance. An expert partner should be able to support customer access to their data, deletion of data that is no longer needed, and security throughout the whole process.

Corcentric’s commitment to GDPR

Corcentric is fully GDPR compliant in the handling of data on behalf of all our clients. This compliance extends to support each client in their own requirements to comply with GDPR.

Through the Corcentric portal, our clients’ customers have the ability to see what billing data is held on them and make changes to contact data and modify communication – all through a highly secure online portal.

Feel free to get in touch with us to discuss how Corcentric can assist with GDPR-compliant e-billing/e-invoicing.