A practical guide to GDPR-compliant invoicing
When people think about GDPR, they usually think about marketing emails and cookie banners. But invoices contain personal data too – names, email addresses, business addresses, and sometimes banking details. If you’re handling invoices, you need to handle them in a GDPR-compliant way.
What personal data do invoices contain?
A typical B2B invoice includes several categories of personal data:
- Contact details – names, email addresses, phone numbers
- Business addresses – which may also be personal addresses for sole traders
- Financial information – bank details, VAT numbers, payment references
- Transaction history – what was purchased, when, and for how much
Under GDPR, all of this data needs a lawful basis for processing, appropriate security measures, and clear retention policies.
Lawful basis for processing
The good news is that invoice processing almost always falls under “legitimate interest” or “contractual necessity” – you need to process this data to fulfil a business transaction. You don’t typically need explicit consent to send or receive an invoice.
However, you do need to be transparent about how you handle this data. Your privacy notice should mention invoice processing, and you should be able to explain what data you hold and why.
Retention periods
Here’s where it gets tricky. GDPR says you should only keep personal data for as long as necessary – but tax regulations in most countries require you to retain financial records for 6–10 years. In the UK, HMRC requires records to be kept for at least 6 years.
The practical approach is to retain invoices for the legally required period, then delete them. Make sure this policy is documented and consistently applied.
Security measures
GDPR requires “appropriate technical and organisational measures” to protect personal data. For invoicing, this means:
- Encrypting invoice data at rest and in transit
- Restricting access to invoice data on a need-to-know basis
- Using secure channels for transmitting invoices (not unencrypted email)
- Maintaining audit logs of who accessed what and when
Subject access requests
Under GDPR, individuals have the right to request a copy of all personal data you hold about them – including invoice data. You need to be able to locate and export this data within 30 days. If your invoices are scattered across email inboxes and desktop folders, this becomes extremely difficult.
A centralised invoicing platform makes subject access requests straightforward – all data for a given contact is in one place, searchable and exportable.
Keep it simple
GDPR compliance doesn’t have to be complicated. Use a secure platform, document your retention policy, restrict access appropriately, and make sure you can find data when you need to. That covers 90% of what most businesses need to do.