Despite the fact that the GDPR laws were made public in 2016, and businesses had years to prepare for their arrival, May 2018 saw a deluge of corporations scrambling to ensure they were compliant with the new regulations before the deadline finally rolled around. Consumers reported masses of emails regarding their online data protection rights, with many companies amending their data acquisition platforms to ensure clarity as dictated by GDPR guidelines.
However, as businesses — both great and small — took to shoring up their online data storage, many have failed to address a vulnerability in their business: the physical documentation they keep.
The problem with storing physical data
GDPR covers both digital data and data recorded on paper. This includes information printed or recorded on physical documents. While the modern business doesn’t tend to store as much information on paper as they used to, physical copies are often required for elements of business.
This is data that is afforded all the same protection under the new laws as online data. Data that, if discovered to be in breach of the regulations, will find your business in just as much trouble as if your computer systems were to be compromised through careless management.
So, ownership of physical data is putting your business at risk of non-compliance with GDPR rules. But where exactly are those risks coming from?
Online data access is very clear. It is held within systems that require passwords and under new GDPR rules, businesses likely set up a hierarchy of access to ensure only those who should be able to access digital documents can. Physical documentation is different. Anyone can pick up and read a document, which means defining access presents a challenge. Locking down unique files in a digital format is much easier than doing so in the physical world.
Digital documents take up little space, unlike their physical counterparts. As a result, while you might tighten up digital security, high-protection storage of massive amounts of documents is going to be difficult and expensive, which may mean it doesn’t meet appropriate standards.
GDPR changed the way companies looked at data; however, physical records were not given as much attention. Paper documents have also been around far longer and have often been held to much less stringent standards. A compliance lapse, such as taking documents off-site or leaving a crucial piece of data unsecured on a desk while going out for lunch, is a potential risk that is unlikely to be given a second thought.
If you have a physical file in your hand, can you confidently say it is the only one that exists? Even if this copy is secured, what about others? Printed documents may have copies you aren't aware of. They could have been printed twice, they may be stored on an unmonitored and unprotected USB drive, or the file might still be saved onto the settings of the printer that was used.
As part of GDPR, businesses can only store accurate data. This means as information becomes outdated over time, you don’t have a right to access it anymore. On computers, files are updated. With physical documentation, you need new copies. This isn’t a problem in itself, but with so much data to store, it becomes easy to forget about old copies of data, keeping them logged and violating GDPR law.
When data your business owns is no longer GDPR compliant, it must be destroyed. For physical copies, this means the bin. Simply chucking away customer data, however, presents a chance it could be discovered by somebody. If the data is discovered and accessed by someone who isn’t meant to have it, that counts as a data breach and will need to be reported.
5 steps to protect your physical data from GDPR backlash
The contrast between digital data and physical data security is night and day. The way you protect your computer documentation is fundamentally different. So what steps can you take to ensure compliance when it comes to paper documentation?
Step #1: Find All Your Physical Data
Securing your business against breaches first requires that you know exactly where all documents pertaining to personal information are. Even a single piece of paper hidden in an unsecured drawer could lead to a violation of the rules imposed by the EU.
You must identify all physical documentation your business has ownership of that contains data protected under GDPR. This includes files your staff may have taken home and information shared with third parties and partners.
Step #2: Destroy Unnecessary Data
Every piece of sensitive information presents the potential for non-compliance if mishandled. Reducing risks is made easier by reducing chances of incidents occurring. How do you do that? You remove from your possession any data that is unnecessary or that you do not have the correct permission to own.
Physical data needs to be destroyed in a way that ensures it cannot be used or viewed by anyone else. Shredding is common practice; other options are to destroy with chemicals or fire, although these are less environmentally friendly.
Step #3: Educate Your Staff Roster
Your work with digital GDPR compliance will have likely focused on ensuring staff are aware of how they should view and consume personal data. Your work for physical data should be the same. You need to build an awareness of what people can and can’t do with paper documents. It must be clear who has access to what and how the information in them is used.
Just as you will have done for computer systems, define the rights of your workers to certain information. Clarity is essential. Now is also a good time to identify which departments are using the most physical data and ensure that their compliance is without weakness.
Step #4: Transfer Documents to Digital Format
Some paper documentation must be kept — much of it, in fact. However, given the risks of physical security, digital records tend to offer a safer option.
Businesses should consider moving physical files to digital versions before destroying paper copies. It might be a drawn-out process, but if you are aware that your digital security and GDPR standards are more robust, it increases your levels of compliance considerably.
Step #5: Secure Physical Documentation
You can’t destroy all your physical documentation, nor can you just upload every piece to your computer systems. Sometimes, you need to retain the actual paper copy. Be it a legal document, contracts, or something else entirely, even in the digital age businesses will always have need of paper files. But, under GDPR, these paper files do need to be secured.
Just as digital data is locked behind passwords and encryption, so too should physical data be locked away. Companies need to invest in secure methods of paper storage, including commercial safes, locked filing cabinets and secured desk drawers. This type of security ensures your business is taking appropriate measures to protect data, and that only those with appropriate access are capable of viewing personal information.