In May 2018 the GDPR (General Data Protection Regulation) will come into force throughout the EU and will replace the UK’s current Data Protection Act.
This will have a major impact on the way businesses manage data; organisations should take steps now to prepare and ensure compliance, and so avoid hefty fines.
GDPR may have been designed to account for new technologies and the increased threats of cyber-attacks, data breaches and server hacks, but your company’s paper documents are just as important to safeguard to ensure compliance with this legislation.
If you have any of the following documents in paper format you will need to comply with GDPR:
- HR files
- Client data
- Medical files
- Personal files
To help your organisation comply with some of the key components of the GDPR, we have put together some easy-to-follow steps that you can take now to ensure your paper documents and records comply:
1. Can you find all the information you need?
The right to erasure (the right to be forgotten) gives an individual the right to request the deletion or removal of any personal data you hold when there is no compelling reason for its continued processing.
Before you can de-identify or delete information you need to be able to find it.
If you can’t find this information in your paper documents, then how can you comply with the GDPR?
Can all your key people answer the following questions?
- How long would it take you to find information stored in paper files?
- Do you know where it is?
- Are you even sure you’ve still got it?
Steps to take now:
- Identify the departments and functional areas most likely to create and store records containing personally identifiable information (PII)
- Prioritise documents and records for scanning, and arrange secure offsite storage for the original paperwork.
- If you’re unable to store all paper documents and records off-site in secure units, implement and enforce a clear filing and identification system.
- Ensure documents and records are clearly labelled with non-sensitive information, then secure them in box files and lockable cabinets.
- Clearly define everyone’s access rights and accountability, and communicate them to your staff.
Remember, searching for paper documents is incredibly time-consuming and very costly!
2. Do you know how many copies and versions of your documents exist?
The 2015 Privacy and Security Enforcement Tracker report from PwC revealed that many European data security incidents that incurred penalties were the result of human error in the handling of paper documents.
It’s easy for paper documents to lead a double or triple life.
Human handling of documents can result in a complete lack of document control, which exposes your organisation to data breaches.
- Multiple photocopies
- Copies left on printers
- Unauthorised removal of documents from the office
- Copies on unencrypted devices: USB sticks, CDs, DVDs
- Copies left in office desk drawers or in a home office environment
- Insecure disposal
Steps to take now:
- Implement information management policies and processes
- Communicate to all employees how to manage information securely, and provide them with regular training and support.
- Ensure every employee understands what constitutes private or confidential data and how to handle it.
3. Can you keep your documents private?
The GDPR requires privacy of data to be a key consideration in how information is produced, managed and disposed of.
Paper documents can easily get into the wrong hands, and cause a data breach.
- An employee or associate leaves sensitive paperwork on public transport
- A member of staff has files stolen from their vehicle
Remember, the transportation of data, especially in paper format, should be seen as a threat to information security if it gets into the wrong hands.
Steps to take now:
- Make it difficult, if not impossible, for unauthorised people to access or make copies of documents that contain personally identifiable information.
- Review, and revise where necessary, your information storage, retention and destruction processes with privacy requirements in mind.
4. Are you managing document and record retention?
GDPR emphasises that personal data should not be retained longer than necessary in relation to the purpose for which it is processed.
Organisations must, therefore, ensure personal data is securely disposed of when no longer needed, reducing the risk that information will become inaccurate, out of date or irrelevant.
Steps to take now:
- Organisations should be treating the implementation of the GDPR as an opportunity to implement, revise and update their data retention policies.
Remember, the GDPR states: “Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.”
It’s clear that making your paper records adhere to the GDPR guidelines by 25 May 2018 is going to be a complicated and time-consuming task.
There is, however, an easier and cost-effective way to comply and facilitate a paperless way of working:
- Digitising or scanning your paper documents
- Encryption of your data
- Managing your documents online with a controlled document management system such as CloudEQMS
Working with digital images has always made more sense than working with paper.
With the GDPR deadline looming, it now makes more sense than ever to adopt a paperless strategy.
Scanning and encrypting your documents, and working with them digitally, puts you in complete control.
It gives you immediate and controlled access to the documents you need.
Search is easy and document security becomes locked down to only those people who need relevant access.
A complete audit trail comes as standard with retention periods being controlled from day one.
Fears of a data breach and GDPR penalties can become a thing of the past.
Contact us today to arrange a free consultation.
Tel: +44 (0) 117 9374712