PriyankaM_23
Occasional Member - Level 2

GDPR risks for non US countries using Yodlee

Hello All,

Currently, Yodlee is activated for the US, UK and Ireland, and our client wants to deactivate Yodlee for the UK and Ireland due to GDPR risks.

Our client has asked the questions below:

1. Best Practices for GDPR Compliance Bring Your Own Card (BYOC)
• What are other companies doing to mitigate GDPR risks when using Concur with BYOC functionality?
• Are there recommended controls or configurations within Concur that help limit exposure?

2. Disabling BYOC by Country
• Is there a way to disable the BYOC feature outside of the US?
o For example, in our entity, we may need to disallow BYOC usage for employees in Ireland and the UK based on the GDPR risks.
• If this is not configurable per region, are there any workarounds or recommended alternatives?

3. Alternative Options to BYOC
• We understand we could restrict expense submissions to:
o Manual entry, or
o Use of company-issued credit cards only
• However, we’d like to know if there are other systematic options within Concur to achieve this outcome more cleanly.

4. Automatic Import of Personal Transactions
• Does enabling BYOC cause automatic credit card feed imports for all transactions, including personal expenses?
• Is there any way to control or limit what gets pulled into Concur from a personal card?

5. Employee Consent and Privacy Policy
• As part of the BYOC process, do employees explicitly acknowledge and agree to the data sharing?
• Is there standard language in Concur’s Privacy Policy or terms that clearly outlines:
o What data is collected
o Where it is stored/processed
o Whether there are international transfers involved?

Could you please review and provide us with the best way to handle this situation?

Appreciate your support in this matter!

Best Regards,

Priyanka

KevinD
Community Manager

@PriyankaM_23 the one thing I can answer for sure is that if you are using Concur Expense Professional, once the Yodlee feature is turned on, it cannot be turned off.

I don't know if Concur Support has a way of turning it off from the back end. You would need to contact Concur Support and ask if that is possible or not.

I'll answer as much as I can from your other questions.

3. Alternative Options to BYOC (using our ExpenseIt feature is faster than using the Yodlee option. ExpenseIt items are created within two minutes and already have a receipt attached. With Yodlee, the user must wait a few days for the transaction to post to their credit card)
• We understand we could restrict expense submissions to:
o Manual entry, or
o Use of company-issued credit cards only
• However, we’d like to know if there are other systematic options within Concur to achieve this outcome more cleanly.

4. Automatic Import of Personal Transactions
• Does enabling BYOC cause automatic credit card feed imports for all transactions, including personal expenses? - (Yes. All transactions on the card added to the user's profile will appear in the user's Available Expenses. The user must then delete out all non-business related charges. This is actually more work for the user.)
• Is there any way to control or limit what gets pulled into Concur from a personal card? - (Not that I am aware of)

For your last question about Consent and Privacy, I would suggest contacting Concur Support.


Thank you,
Kevin
SAP Concur Community Manager