GDPR and Document Storage

GDPR applies to all personal data regardless of how it is stored. This means that businesses which store personal data on paper records still need to make sure that they are GDPR-compliant.

With this in mind, there are a number of things that your business should understand in relation to its paper documents to ensure it is compliant.

What is GDPR?

GDPR stands for General Data Protection Regulation and is a comprehensive data protection law that was implemented in the European Union (EU) on May 25, 2018.

GDPR aims to provide individuals with better control over their personal data, protecting their rights across the EU. The GDPR applies to any business that uses personal data of people within the EU, no matter where the business is located.

Sensitive data should only be stored for as long as it is needed

A lot of the practicalities of GDPR stem from this simple principle. For example, to follow this rule, you need to know what data you have and why you have it. You also need to know where it is stored. In other words, you need to practice robust document management.

GDPR does not specify any time limits on how long data may be stored. It is, however, important to recognise that the onus is on the data controller to show that the data is needed. They also need to be aware that this need could potentially be challenged at any time.

Different parts of the UK may have different statute periods

One of the interesting features of law in the UK is that different parts of the UK may have different statutes of limitation. What’s more, these statutes are subject to change, albeit usually with a decent notice period. Depending on the nature of your business, this could have implications for your data-retention process.

Post Brexit, UK companies may need to use Standard Contractual Clauses (SCCs) to continue to receive personal data from the EU/EEA. This is, however, still subject to negotiation.

Which data can you keep?

Keeping all of your documents just in case you may need them at some point in the future, as was previously the case, is no longer something that businesses can do. You should now be aware of what data you have within your possession, using the new regulations to decide which data to keep and how to categorise it.

The first thing to consider is whether or not you are aware of the different documents and information that are within your possession. If you are, then you will be able to sort the documents and comply with the new rules that are set to come into place. However, if you aren’t aware of everything that is in your possession, then how will you be able to comply with a set of rules that apply to the specific documents that you are unable to locate?

Although both paper and electronic documents are included within the new rules, electronic documents are typically more organised and easier to find than paper documents. Because of this, you should consider conducting an audit of the information you have, locating each document and ticking it off as and when you know you have it. As part of this, you should find out how many copies of each document you have and collect them all into one place.

Data needs to be stored safely

Safe storage for documents is rather different from safe storage for electronic data. The main difference is that electronic data can be easily encrypted. Theoretically, data on paper can also be encrypted but this isn’t very practical in the real world!

When it comes to paper, “safe storage” effectively means protecting the data against both environmental threats and security threats. Environmental threats will vary by location but fire and water damage should generally be considered wherever you are.

Security threats are managed by robust access controls. This means more than just keeping the documents under lock and key. It means establishing a secure chain of custody. Any time a document is accessed for any reason, the fact should be recorded, even if the document is not changed.

How private is your document storage?

Data breaches, including documents and other data getting into the wrong hands, are a big focus of the GDPR. Privacy of data has become a very current issue, and so the way in which paper documents in particular are stored and transported is a big part of the GDPR, and one that should not go unnoticed.

Think about the practicalities of shredding documents

Shredding documents effectively (and legally) can be a lot more complicated in practice than it sounds like it should be. Firstly, documents need to be cross-cut to an appropriately small size. Secondly, a lot of standard documents will have some form of binding, such as staples, paperclips or spiral rings.

Buying a shredder which can deal with these is expensive. What’s more, any shredder powerful enough to cope with this kind of work is likely to be both very large and very noisy. If you’ve ever walked past a mobile shredding truck in operation, you’ll have had a chance to appreciate just how noisy they can be.

This is often reason enough just to use a third-party shredding service. The bonus of doing so is that you get written proof of the fact that you have disposed of the documents in a GDPR-compliant manner. This can come in very useful if you are ever audited.

Destruction of unwanted and unneeded documents

Something you might want to consider is how you want to destroy any unwanted and unneeded documents. The best way to do this is to take advantage of the services offered by companies that specialise in the shredding of documents, as this will help you to dispose of the documents in the best way possible.

Ensure your employees are trained

Employees help to ensure that a business runs smoothly, but they can also sometimes be a reason for issues to arise, and this is never good for any business owner or management team. To ensure that your business doesn’t create any issues, full training and support sessions should be considered for employees throughout the business so that they are well educated about GDPR and document storage.

Is your business GDPR compliant?

Whether you’re a Charity, Salon or Bank, if you feel you could benefit from help and advice from an off-site storage facility, we can help! Get your documents in order with our range of document storage and document management services.

Feel free to get in touch with our team. We can explain in more detail the service and benefits you would receive as well as the different types of documents you can store in our security facility.

Looking for something else? We can also provide other document management services, including document scanning and document shredding.