GDPR has had a major impact on the way data is managed and steps should be taken to prepare immediately. The consequences of failing to adhere to the GDPR are significant - data protection regulators will have the powers to impose fines up to £20,000,000 or 4% of the total worldwide annual turnover, so it's never been more important to put robust standards and procedures in place.
According to a UK government 2015 information security breaches survey, "90% of large organisations and 74% of SME's reported a security breach, leading to an estimated total of £1.4bn in regulatory fines." This means that if data breaches remain at 2015 levels, the fines paid to the European regulator could see a near 90-fold increase, from £1.4bn in 2015 to £122bn, the PCI SSC calculated, based on the maximum fine of 4% of global turnover.
GDPR focus is often placed on cyber security threats, server hacks, database vulnerabilities and data stored on and transmitted between servers and networks.
Often though, paper documents, paper records and files are being severely overlooked. These however should be ignored at your peril.
Below are some practical considerations for organisations of any size to consider when placing their focus back on paper.
1. Can you find all of the information you need?
The right to erasure (the right to be forgotten) states that "The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data whether there is no compelling reason for its continued processing."
If you can't find this information in your paper documents, then how can you comply with the GDPR? How long would it take you to find information stored in paper files? Do you even know where it is? Is it in the building? Is it in storage? Are you even sure you've still got it? All this searching is incredibly time consuming and costly.
2. How many copies of your documents exist?
It's easy for paper documents to lead a double or triple life. The greatest threats to even the most secure information storage policy include the duplication on a photocopier, increased copies on a laser printer, insecure disposal of the documents and removal of documents from the building. Human error and human handling of documents can result in a complete lack of document control and exposes your organisation to data breaches.
3. Can you keep your documents private?
Privacy of data is key to the GDPR. Paper documents can get into the wrong hands easily and this could easily become a data breach. Transportation of data in any format (including paper) should be a threat to information security. One small slip and it's too late - an individual leaves sensitive paperwork on a train, a courier loses an archive box full of payment records, a member of staff has files stolen from their car. These are all real-world situations where paper documents can get into the wrong hands.
4. Are you managing your retention periods correctly?
Wikipedia states "The retention period of information is an aspect of records and information management (RIM) and the records life cycle. It identifies the duration of time for which the information should be maintained or "retained", irrespective of format (paper, electronic, or other)."
How do you currently manage the retention periods on your paper files? Employees regularly make printed copies of digital files, but if a digital file is destroyed and a paper version is sat in a folder somewhere then potentially your compliance with the GDPR is affected.
The GDPR states "Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. Personal data may be stored for longer periods insofar as the data will be processed solely for archiving purposes in the public interest, or scientific, historical, or statistical purposes in accordance with Art.89(1) and subject to the implementation of appropriate safeguards."
There are two major components that facilitate a paperless way of working:
- Digitising, or scanning your documents
- Managing your documents online with eView or DocuWare
Working with digital images has always made more sense than working with paper. However, now that the GDPR has come into force it makes more sense now than ever to adopt a paperless strategy.
Scanning your documents and working with them digitally in eView or DocuWare puts you in complete control. It gives you immediate and controlled access to the documents you need. Search is easy and document security becomes locked down to only those people who need relevant access. A complete audit trail comes as standard with retention periods being controlled from day one.
Fears of a data breach and GDPR penalties can become a thing of the past. Contact us today to arrange a free consultation: firstname.lastname@example.org