The GDPR deadline was the focus of 2018, but has it now gone away? The answer is not really. The ICO has issued nearly 200 fines and enforcement actions since the GDPR came into force in May. We can’t let up on how we manage records.
Much of the hype around GDPR, probably quite rightly, focused on digital records and the transfer of data electronically. We all worked away through much of spring 2018 to make sure that businesses were secure from data breaches in the cyber world.
However, the GDPR isn’t limited to electronic records. If you hold paper documents, such as HR records, client files and data, medical information or personal files, you also need to be GDPR compliant.
How to manage paper documents in light of GDPR
By now all businesses should have a good grasp of the fact that the GDPR has a huge impact on the way they manage, use and store data. There are no excuses now – get it wrong, and you stand to get a hefty fine.
GDPR was largely born out of the way technology had changed. Therefore, we understandably focused on our electronic data. However, paper documents are as much, and sometimes more, at risk. They too must comply with the GDPR.
These steps will make sure you’re handling paper documentation appropriately:
- Know where it is and how to find it
Scattered paperwork on desks should be a relic of old-school sitcoms. Under the GDPR, individuals have the right to erasure. They can ask (and are asking) for their data to be completely destroyed.
This means that if a data subject makes such a request of your business, you need to be sure that every last piece of data on every last piece of paper is destroyed. That’s going to be impossible if you can’t guarantee that you know where it all is.
Organisations should make sure that they know how paper-based data is handled and stored in every function of the business. Being able to see a clear record of where data is held will be a first step. Documents should also be stored securely, and not simply ‘somewhere’ but in a defined and clear location.
Documents containing personally identifiable information should also be labelled and covered with non-sensitive identifying information, so that the most sensitive data within is protected.
It is imperative that your paper-document storage policy is clearly communicated to everyone within the organisation and that employees are held accountable for following it.
- Make copies with care, and take note
Documents containing personally identifiable information shouldn’t simply be copied without good reason. Every time a copy is made, the process is opened up to human error and the risk of exposure.
Therefore, always keep track of which documents have been copied and keep a note of where they have gone.
Particular care should be taken to ensure that copied documents don’t fall into the wrong hands. Risk factors for this are items left on photocopiers and printers, items left lying around on desks and in drawers, and documents simply thrown in the bin.
Instead, documents should be appropriately filed and secured. Furthermore, workplaces should make sure to use lockable disposal cabinets, prior to having documents shredded, rather than throwing documents in with regular waste.
- Take real care with paperwork leaving the office
Just as employees add an extra layer of risk when they access work remotely via laptop or smart device, taking paper documents out of the office is also a potential risk. Documents left by mistake on trains, for example, are open to falling into the wrong hands.
In fact, transporting data in paper form can, in many ways, carry more inherent risk than electronic data, which can be encrypted or even deleted from a distance.
For this reason it should be made very difficult for unauthorised people to remove any paper documents from the workplace. There should also be a policy in place which governs how to handle work documents offsite appropriately.
- How to store paper documents
Storage of paper documents can pose a real headache for businesses. Under the GDPR, you shouldn’t be holding on to personal data any longer than necessary. This means that you need to store it in such a way that your systems can locate it at the point it should be deleted, and indeed that such a process happens regularly and routinely.
This is another reason why it is important that offices have planned systems for the disposal and destruction of paper documents containing personal data. By using On Time Shred lockable storage bins, you can ensure that you are storing paper documents ready for disposal in a GDPR compliant way.
Many clients find that a higher level of security can be achieved by scanning no-longer-needed paper documents into electronic form, then encrypting and storing these electronically until they should be disposed of. In the meantime, you destroy the original document through shredding.
- Shredding services
Finally, we need to consider how you dispose of obsolete paper documents – either because this has been requested of you, or because they have served their purpose and time. Under GDPR, you have a responsibility to destroy documents containing personal data in a secure and appropriate way.
Professional paper shredding services are the answer. By choosing On Time Shred, for either onsite or offsite shredding services, you can be sure that your paper document disposal is completely in line with GDPR.
Get On Time Shred on board
Choose On Time Shred and you can be sure that your paper document disposal is secure and compliant. Call today on 0330 333 1234.