GDPR Statement

General Data Protection Regulation May 2018.


Introduction

The GDPR is the largest change in data protection law since the introduction of the EU Data Protection Initiative in 1995. The aims of the GDPR are simple: to improve the security and protection of personal data. The new regulations replace the previous Data Protection Directive, and ExpenseIn welcomes this change. Protecting our customers' data is of the utmost importance to us, and we confirm that when the changes come into effect on May 25th 2018, ExpenseIn will be compliant with the new legislation and all laws relating to it.

The GDPR will bring a number of significant changes to the current Data Protection Initiative, including but not limited to increased territorial scope, strict penalties for failing to meet GDPR requirements and the strengthening of the conditions for consent. In addition, the rights of data subjects have been substantially strengthened: they now have the right to access their data, to request that their data be removed, and to be notified within 72 hours of a known data breach.


How is ExpenseIn preparing for the GDPR?

Dedicated GDPR committee

Chaired by our Data Protection Officer, ExpenseIn has set up a GDPR committee to monitor and assess the full impact of the GDPR, as well as to ensure full compliance with the upcoming GDPR regulations.

Privacy impact assessment

ExpenseIn is performing an updated privacy impact assessment to identify the most effective way to meet GDPR compliance and ensure full transparency with all of our customers.

Policy and contracts review

ExpenseIn is undertaking a review of all internal policies as well as supplier and customer contracts to ensure GDPR compliance is maintained throughout.

Enhanced security features

Over the coming months we will be adding a number of enhanced security features including multi-factor authentication (MFA), transparent device management and increased password control.

Compliance throughout

ExpenseIn only engages with suppliers who share our commitment to security and data protection. By working with leading providers such as Amazon AWS and SagePay we ensure that our entire service meets the levels demanded by both the GDPR and our customers.


Frequently Asked Questions

Who does the GDPR apply to?

It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.

When is the GDPR coming into effect?

The GDPR was approved and adopted by the EU Parliament in April 2016. The regulation will take effect after a two-year transition period and, unlike a Directive, it does not require any enabling legislation to be passed by government, meaning it will be in force in May 2018.

What are the penalties for failing to comply?

Companies can be fined up to 4% of annual global turnover or €20 million for breaching the GDPR. This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core privacy by design concepts.

What constitutes personal data?

Any information related to a person or ‘Data Subject’ that can be used to directly or indirectly identify that person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites or medical information to a computer IP address.

Does the GDPR require personal data to stay in the EU?

No, the GDPR does not require personal data to stay in the EU; however, all companies processing EU personal data, whether inside or outside the EU, must comply with the GDPR.

Where can I find out more about the GDPR?

We recommend taking a look at the guide produced by the Information Commissioner's Office which details a host of useful and detailed information on the GDPR.


Further reading...

You can find more details about our data protection and privacy controls within our Privacy Policy. In addition, why not check out our Platform Security page.

If you would like to speak to a member of our team regarding our commitment to security and data protection, please contact us and we will be happy to discuss this with you.