Does GDPR Apply to Paper Records? What You Need to Know

Staying Compliant with Paper Records

GDPR is most often discussed in relation to digital records, but the legislation applies to paper files too. There are many reasons why businesses should be transitioning to paperless offices, with compliance a key factor. But are paper records subject to GDPR? Read on to find out everything you need to know about GDPR for paper records, including how to remain compliant.

What is GDPR?

GDPR (the General Data Protection Regulation) came into effect on 25th May 2018, and sets out how businesses in the UK and the EU need to store and secure the data they hold on file about their customers, employees, suppliers, and any other parties they deal with. In the UK, the legislation is part of the Data Protection Act 2018.

Under GDPR, individuals have the right to request access to any personal information that a company holds on them. This could relate to their employment with an organisation, personal data they’ve input during a transaction, or even their communication preferences.

Organisations must make it clear to individuals how long their data is being held for and how it will be used, or they risk breaching the legislation. Businesses must also respond to data access requests within a defined timeframe, or risk a fine.

Fines for failure to comply with GDPR for paper records or for digital documents can be as high as €20 million (£17 million) or up to 4% of company turnover, depending on which sum is highest./spacer

Does GDPR apply to paper records?

Yes, GDPR does apply to paper records as well as digital documents. In fact, it can be much harder to manage GDPR compliance for paper records, as paper files can be stored across multiple locations, may be easily copied, and can be difficult to retrieve quickly.

How to keep your paper records GDPR-compliant

To improve compliance with GDPR, paper records should be transferred to a digital format, with the original paper copies securely destroyed. There are so many reasons why going paperless makes it easier to remain compliant with GDPR, including:

  • Digital documents are more secure
  • Files can be password-protected
  • Different levels of user access control can be granted, as required
  • Files can be encrypted
  • Digital documents aren’t physically accessible

3 reasons why you shouldn’t ignore GDPR for paper records

In order to stay compliant with GDPR, paper records should be digitised. But just how important is this? From risk of theft to flood or fire damage, here are three key risks you’ll avoid by digitising your documents.

1. Unauthorised data replication

Sensitive data detailed on paper files can easily be photocopied or photographed, leaving your company in a mere matter of seconds, with no one aware this breach has happened. GDPR breaches aren’t always due to the physical removal of documents.

Digitising sensitive documents is the first step to locking down your organisation’s sensitive paperwork. However, simply scanning documents isn’t enough to remove the threat of them being copied without your knowledge. Ultimately, the only way to fully protect your documents is with a secure document management system.

2. Risk of paper documents being stolen

Confidential paper documents can easily be left on a train, or even stolen directly, breaching sensitive data and potentially causing all kinds of legal trouble. In 2017, counter terrorism police officer Marcus Beale was fined[1]  after he left secret documents in his car, which were subsequently stolen. This was a high-profile case, but the damage can be equally as bad for businesses of all sizes.

If the documents only exist in digital format, this risk is removed completely, potentially saving your business thousands of pounds and costly reputational damage.

3. Risk of document damage or destruction

Although a total loss of files and the data they contain as a result of a fire or flood isn’t a data breach in itself, it would be a serious headache, and could mean your organisation has failed to comply with GDPR rules. If documents have been destroyed, you wouldn’t be able to fulfil a right to access request, putting you in breach of the legislation and risking a hefty fine.

Stay GDPR-compliant with Restore Digital

The best option for remaining compliant with GDPR for paper records is to transition to a paperless office environment, and to lock down documents in a secure document management system, such as EDMonline or DocuWare.

As the digital documents are held in a secure database, they can only be accessed through the system and not via network drives. Individual users can be set up with specific access rights, with all movement and amendment of documents fully logged. This means there’s a complete audit trail of all access activity, and document retention periods are controlled from day one.

Our document management solutions give you immediate and controlled access to your files to support your organisation’s GDPR compliance

If you have more questions about managing GDPR for paper records, please don’t hesitate to contact us.

Get in Touch

GDPR and paper records FAQs

With GDPR, the ‘right to erasure’ (also known as the ‘right to be forgotten’) allows individuals to request deletion or removal of personal data you hold about them, if there’s no longer a compelling reason for a business to retain it. But do you know where and how to find all the data for every individual who may request access to their data? Searching for specific paper documents can be incredibly time-consuming and costly, and you’ll never be 100% sure you’ve found everything you need to delete, meaning you could be risking a GDPR breach.

Using an electronic document management system (EDMS) removes this risk, as your digital files can be clearly catalogued and indexed, making them easy to find at the touch of a button. Consider the most logical way to index your digital files too – our digitisation solutions include a cataloguing service that can help with easy retrieval in the future.

There are often double or even triple copies of the same paper documents in an office, but this isn’t necessary. In the digital age, even one copy can be too much, especially if you’re trying to get a handle on GDPR for paper records stored in your office. Your organisation’s risk of GDPR breaches increases when duplicate documents are left in the photocopier or printer, when paper files are thrown away without being shredded, or when they are taken out of the office.

But when your paper documents are digitised and stored in an EDMS, there’ll only be one single digital copy of each file. This removes the need to make copies, and stops documents from being accessed out of the office. An EDMS can also be set to ‘read-only’ access, which prevents staff from downloading, printing or making any copies of documents.

The GDPR legislation states: “Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which it is processed.”

Document retention periods can be difficult to manage, as they differ for various types of files. For example, if pension or legal documents are kept in an employee’s HR file and that person leaves the company, their generic personnel information and any pension/legal documents may have different prescribed retention periods.

Paul Moonan, Managing Director at Restore, says: “If you can’t be sure that all retention periods are being correctly controlled and complied with, this could easily lead to a GDPR breach.”

With an EDMS, you can easily manage multiple retention periods, as the system can be configured to apply different retention periods by document type. Data controllers simply assign the correct retention periods for each document, folder or file, and the system automatically does the rest.

As part of your efforts to manage GDPR for paper records at your organisation, you may choose to securely store paper records off-site, while having digital access to documents on-site. In future, you may use our archive records scanning service to digitise these too, but in the meantime, you can be sure they’re kept safely, securely and in a GDPR-compliant manner.

Store important documents with Restore Records Management. We’ll ensure your data is correctly identified, barcoded, and registered onto a database to ensure complete traceability.

“Creating an accurate list of the content of your archive boxes so you can identify where personal data is stored is the first step to GDPR,” explains Martin Fiddler, Information Security & Compliance Manager at Restore.

Restore will catalogue your files and provide you with an accurate end-to-end information audit. Then, you can decide whether each document should be securely destroyed, archived, or digitised.

0333 043 5498