All About GDPR & Invoicing
Invoicing is a core, critical function of every business. Digital or not, the invoice to the customer is what makes business business, and yes, it concerns personal data.
All invoicing, regardless of medium, requires us to keep certain fundamental pieces of information about our customers, be it in B2B or B2C scenarios. To illustrate this point, let’s break it down, starting with some basic data mapping.
Most basic invoices will include at a minimum:
- First name, last name
- Invoice mailing address
- Delivery address
The content of the invoice’s purchase is also relevant, as it provides extremely valuable profiling information to the business about a customer’s purchasing history.
So, is invoicing a thing under GDPR? Answer: Yes, absolutely.
The good news is that your business is probably completely legally justified to keep such data, and for the most part, it won’t have to go out of its way to change much. This is due to the legal basis that corresponds to these storage & processing activities.
If you think about it, there are two main purposes for the storage/processing of personal data with regard to invoicing:
- Rec.30; Art.7(1)(c), compliance with legal obligations: businesses are obligated to produce taxation reporting and to keep financial records for a period of time. You’re well within your rights to keep a directory of past customers, their contact details and contact history. No explanation necessary.
- “sales & marketing activities”:
  - For B2C, marketing-related communications and data processing typically happen on the basis of an explicit opt-in consent: your regular ‘Yes, please let me know about offers & special deals’ checkbox on the checkout page. If you send marketing to your past customers, start by assuming you need this opt-in at the time of purchase, and make sure the box is un-ticked by default.
  - For B2B, the same marketing can happen on the basis of a legitimate interest. Legitimate interest means you can keep going about your business with no explicit consent necessary, as long as you explain exactly why you need to store & process this data (the justification). You still need to provide users the means to opt out (unsubscribe style).
At any rate, you need to take responsibility for the storage of this personal data, and make it known to your customers where their contact & purchasing information is stored, and under what circumstances.
Start by identifying your stores. Where and how are your customers’ data kept? Paper records? Email records? Excel spreadsheets? Your accounting software? Zervant?
If you keep your own data, explain what security measures it is kept under and under what circumstances it is accessible. E.g. is it kept in Google Drive online in a folder that only you can access? Is it stored securely with PayPal or Zervant?
For Zervant, invoices are sent via email. Here it’s important to note that GDPR does not regulate email or any other technology that you choose to use yourself.
At the end of the day, it’s about being respectful to your users and their rights. Be ready to answer the following questions from your curious customers:
- Can I get a copy of my purchasing history? Yes, you’re obliged to comply – so be prepared to send this to them in some form.
- I need to change my information. You probably already have a way to do this.
- Please delete my information and forget about me forever. As we mentioned, you are actually legally bound to keep invoicing information and you can tell them that. However, they might have a case to have additional information or ‘profiling metadata’ related to “sales & marketing activities” deleted. A frank, open discussion with the customer in this case with the goal of understanding their concerns is the best approach.
- How long will you keep my data? Again, this is connected to your legal obligation to keep the data.
With these steps you’re well on your way to staying afloat in the post-GDPR tsunami.
This article is part 2 of our mini-series on GDPR and small business; you can read part 1 here. It was written by Seb Nemeth, CEO and co-founder of Portyr. Portyr are building a platform for solving GDPR by providing companies sensible ways to take meaningful and effective steps towards compliance.