GDPR and Document Storage

GDPR applies to all personal data regardless of how it is stored. This means that businesses which store personal data on paper records still need to make sure that they are GDPR-compliant.

With this in mind, there are a number of things that your business should understand about its paper documents to ensure it is compliant.

What is GDPR?

GDPR stands for General Data Protection Regulation and is a comprehensive data protection law that was implemented in the European Union (EU) on May 25, 2018.

GDPR aims to provide individuals with better control over their personal data, protecting their rights across the EU. The GDPR applies to any business that uses personal data of people within the EU, no matter where the business is located.

 

Only store data as long as you need

A lot of the practicalities of GDPR stem from this simple principle. For example, to follow this rule, you need to know what data you have and why you have it. You also need to know where it is stored. In other words, you need to practice robust document-management.

GDPR does not specify any time limits on how long data may be stored. It is, however, important to recognise that the onus is on the data controller to show that the data is needed. They also need to be aware that this need could potentially be challenged at any time.

Check statute periods

One of the interesting features of law in the UK is that different parts of the UK may have different statutes of limitation. What’s more, these statutes are subject to change, albeit usually with a decent notice period. Depending on the nature of your business, this could have implications for your data-retention process.

Post Brexit, UK companies may need to use Standard Contractual Clauses (SCCs) to continue to receive personal data from the EU/EEA. This is, however, still subject to negotiation.

Which data can you maintain?

Keeping all of your documents just in case you may need them at some point in the future, as businesses previously could, is no longer an option. You should now be aware of what data you have in your possession, and use the new regulations to decide which data to keep and how to categorise it.

The first thing to consider is whether or not you are aware of the different documents and information that are within your possession. If you are, then you will be able to sort the documents and comply with the new rules that are set to come into place. However, if you aren’t aware of everything that is in your possession, then how will you be able to comply with a set of rules that apply to the specific documents that you are unable to locate?

Although both paper and electronic documents are included within the new rules, electronic documents are typically more organised and easier to find than paper documents. Because of this, you should consider conducting an audit of the information you have, locating each document and ticking it off as and when you know you have it. As part of this, you should find out how many copies of each document you have and collect them all into one place.

Store data securely

Safe storage for paper documents is rather different from safe storage for electronic data. The main difference is that electronic data can be easily encrypted. Theoretically, data on paper can also be encrypted, but this isn’t very practical in the real world!

When it comes to paper, “safe storage” effectively means protecting the data against both environmental threats and security threats. Environmental threats will vary by location but fire and water damage should generally be considered wherever you are.

Security threats are managed by robust access controls. This means more than just keeping the documents under lock and key. It means establishing a secure chain of custody. Any time a document is accessed for any reason, the fact should be recorded, even if the document is not changed.

How private is your document storage?

Data breaches, including documents and other data getting into the wrong hands, are a big focus of the GDPR. Privacy of data has become a very current issue, and so the way in which paper documents in particular are stored and transported is a big part of the GDPR, and one that should not go unnoticed.

How can you remain GDPR compliant after the deadline?

Manage Data Requests

To comply with GDPR you need to have a clear understanding of how and where data is held within your business, so it might be worth considering using an IT tool to help you with this. You can then go through a form of data mapping to tell you the location and format of the data and how it is transferred between applications.

When you transfer data, you need to put measures in place that protect that data to maintain confidentiality. You can use forms of network protection to protect against attackers intercepting data and encryption to be sure it cannot be read. This could include Virtual Private Networks, disabling at-risk protocols and supporting private connections between data centres.

Control Data Management

It is believed that as much as 90% of the world’s data has been generated in the last two years alone, so you need to be sure that you have effective management tools that let you uncover hidden data and spot risks. This covers many different elements of GDPR compliance should you be required to demonstrate how you work.

One new rule that GDPR brought in relates to how businesses respond to a data breach. Should anything occur, you are required to inform the ICO within 72 hours, which can prove tricky when some breaches of data have taken months to uncover. That is why effective software is necessary to help you become aware of any problems as early as possible. These tools can monitor the environment and create an alert when an anomalous event occurs.

Asset Tracking

To effectively protect data, you need to be able to identify your assets, track them and determine the correct level of protection needed. Businesses should consider tools that help them to do this by creating inventories of assets and assigning ownership of them. When you have defined the acceptable use of those assets, the technology can help you to enforce those rules, track the assets and return them at the appropriate time.

It is vital to make sure that you remain GDPR compliant all of the time, not just for the deadline, and putting the correct IT solutions in place can help to take away some of the headaches that this creates.

Consider document shredding for destruction

Shredding documents effectively (and legally) can be a lot more complicated in practice than it sounds like it should be. Firstly, documents need to be cross-cut to an appropriately small size. Secondly, a lot of standard documents will have some form of binding, such as staples, paperclips or spiral rings.

Buying a shredder which can deal with these is expensive. What’s more, any shredder powerful enough to cope with this kind of work is likely to be both very large and very noisy. If you’ve ever walked past a mobile shredding truck in operation, you’ll have had a chance to appreciate just how noisy they can be.

This is often reason enough just to use a third-party shredding service. The bonus of doing so is that you get written proof of the fact that you have disposed of the documents in a GDPR-compliant manner. This can come in very useful if you are ever audited.

Ensure your employees are trained

Employees help to ensure that business runs smoothly, but they can also sometimes be a reason for issues to arise, and this is never good for any business owner or members of management teams. To ensure that your business doesn’t create any issues, full training and support sessions should be considered for employees throughout the business so that your employees are well educated around GDPR and document storage.

Is your business GDPR compliant?

Whether you’re a Charity, Salon or Bank, if you feel you could benefit from help and advice from an off-site storage facility, we can help! Get your documents in order with our range of document storage and document management services.

Feel free to get in touch with our team. We can explain in more detail the service and benefits you would receive as well as the different types of documents you can store in our security facility.