GDPR - how to make sure paper doesn't prevent you from complying
Working with digital files has always been an option as opposed to working entirely with paper documents. Unfortunately, over the years other priorities might have taken precedence over a paper-lite agenda. With GDPR looming, is now the time to take the leap?
This article considers five reasons why an entirely paper-based document management process makes GDPR compliance challenging.
Can we find the paper documents we need quickly and easily?
With GDPR, the 'right to erasure' (also known as the 'right to be forgotten') allows individuals to request deletion or removal of personal data you hold about them, if there is no longer a compelling reason for you to retain it.
How long would it take you to find all the data for a particular customer held in paper files? Do you even know where it all is? Is it in the main office, in multiple offices, in managers' offices, or stored externally? Are you even sure you still have it? All this searching is incredibly time consuming and costly - and you'll never be sure you have found everything you need to remove or delete.
There's a deadline of one month to action all data requests (including 'right to erasure' requests). So if you can't easily find specific records and data in your paper files, you could find it hard to comply with this important GDPR requirement.
With an Electronic Document Management System (EDMS), there's no such problem - all your digital files can be clearly catalogued and indexed, making them easy to find at the touch of a button. If you need to archive your documents, use professional providers, such as Restore Records Management.
It's always worth taking a bit of time to think through the most logical way to index your digital files. At Restore Scan, our digitisation service includes a cataloguing service to help define the best way to index everything for easy retrieval later on.
Are there multiple copies of paper documents on file in different areas?
It's so easy for paper documents to lead a double or triple life. The greatest threats to even the most secure data storage policy come from duplicated copies left on a photocopier or printer, insecure document disposal, and removal of documents from the office.
Human handling of paper documents (and human error) can result in a complete lack of document control, exposing your business to GDPR breaches and infringements.
However, in a paperless office, there's only ever one single digital copy of each document - stored centrally in your Electronic Document Management System (EDMS), with instant easy access from any location. This avoids the need to make copies of documents if different departments need them, or if you need to access them outside the office. An EDMS can also be set to 'read-only' access - preventing staff from downloading, printing or making any copies of documents.
Are the paper documents stored securely?
Privacy and security of personal data are a key part of GDPR. Copies of paper documents can easily get into the wrong hands, often by accident - for example, an individual leaves sensitive paperwork on a train, a courier loses an archive box of paper files, or a staff member has paper documents stolen from their car.
These are real world situations where paper documents can easily get into the wrong hands, leading to a breach of GDPR.
With digital documents stored in an Electronic Document Management System (EDMS), mobile devices - such as laptops, tablets and phones - are protected by strong passwords, preventing unauthorised document retrieval in the event of loss or theft. And as soon as the loss is discovered, the device's access can be revoked, providing total protection.
How do we manage data retention periods with paper documents?
GDPR states: "Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which it is processed".
How do you currently manage the retention periods for your paper files? What happens if there are multiple copies of paper documents held in different areas of the business?
And it gets even more complicated if different types of documents stored within the same paper file have different retention periods. For example, if pension or legal documents are kept in an employee's main HR file and the employee leaves the company, the generic personnel information and pension/legal documents may have different prescribed retention periods.
Transitioning to paperless is a journey that needs to be approached one step at a time, commencing with a solid strategy and well-defined goals.
Paul Moonan, Managing Director, Restore Scan said: "If you can't be sure that all retention periods are being correctly controlled and complied with, this could easily lead to a GDPR breach."
An Electronic Document Management System (EDMS) can easily be configured to apply different retention periods by document type. This allows easy management of multiple retention periods without the need for multiple paper files. Data controllers simply assign the correct retention period to each document, folder or file, and the system does the rest automatically.
Do we know what's in our archive boxes stored in the basement or off-site?
Traditionally, paper records due for archiving are placed into archive boxes and sent to the basement or off-site. If you're storing documents off-site, be sure to use professionals for paper archiving. Restore Records Management ensures your data is correctly identified, barcoded and registered on a database to provide complete traceability.
"Creating an accurate list of the content of your archive boxes so you can identify where personal data is stored is the first step to GDPR." Martin Fiddler, Information Security & Compliance Manager, Restore Scan
Having an accurate list of the content in your archive boxes will help you identify where personal data is stored - this is the first step to GDPR.
As part of our document digitisation solution, we will catalogue your files and give you an accurate end-to-end information audit, upon which you can make the appropriate decision for each individual document: confidential destruction, archive solutions or digital transformation.