GDPR applies to all personal data regardless of how it is stored. This means that businesses which store personal data on paper records still need to make sure that they are GDPR-compliant. Here is a quick guide to what you need to know.
Sensitive data should only be stored for as long as it is needed
A lot of the practicalities of GDPR stem from this simple principle. For example, to follow this rule, you need to know what data you have and why you have it. You also need to know where it is stored. In other words, you need to practise robust document management.
GDPR does not specify any time limits on how long data may be stored. It is, however, important to recognise that the onus is on the data controller to show that the data is needed. They also need to be aware that this need could potentially be challenged at any time.
Different parts of the UK may have different limitation periods
One of the interesting features of law in the UK is that different parts of the UK may have different statutes of limitation. What’s more, these statutes are subject to change, albeit usually with a decent notice period. Depending on the nature of your business, this could have implications for your data-retention process.
Post Brexit, UK companies may need to use Standard Contractual Clauses (SCCs) to continue to receive personal data from the EU/EEA. This is, however, still subject to negotiation.
Data needs to be stored safely
Safe storage for paper documents is rather different from safe storage for electronic data. The main difference is that electronic data can be easily encrypted. In theory, data on paper can also be encrypted, but this isn’t very practical in the real world!
When it comes to paper, “safe storage” effectively means protecting the data against both environmental threats and security threats. Environmental threats will vary by location but fire and water damage should generally be considered wherever you are.
Security threats are managed by robust access controls. This means more than just keeping the documents under lock and key. It means establishing a secure chain of custody: any time a document is accessed for any reason, that fact (who accessed it, when and why) should be recorded, even if the document is not changed.
Think about the practicalities of shredding documents
Shredding documents effectively (and legally) can be a lot more complicated in practice than it sounds. Firstly, documents need to be cross-cut to an appropriately small size. Secondly, a lot of standard documents will have some form of binding, such as staples, paperclips or spiral rings.
Buying a shredder which can deal with these is expensive. What’s more, any shredder powerful enough to cope with this kind of work is likely to be both very large and very noisy. If you’ve ever walked past a mobile shredding truck in operation, you’ll have had a chance to appreciate just how noisy they can be.
This is often reason enough just to use a third-party shredding service. The bonus of doing so is that you get written proof (a certificate of destruction) that you have disposed of the documents in a GDPR-compliant manner. This can come in very useful if you are ever audited.
Is your business GDPR compliant?
Whether you’re a charity, salon or bank, if you feel you could benefit from help and advice from an off-site storage facility, we can help! Get your documents in order with our range of document storage and document management services.
Feel free to get in touch with our team. We can explain in more detail the service and benefits you would receive, as well as the different types of documents you can store in our secure facility.