GDPR and your paper documents
From 25th May 2018, European Union (EU) rules on data protection will change. That’s the day the General Data Protection Regulation (GDPR) comes into force and now’s the time to start preparing.
GDPR affects all businesses and even though data protection may make us think of digital data security, it’s far more than that. It’s important to carefully assess the protection, storage and disposal of confidential documents in paper too. We’ve pulled together some information to help you identify and tackle possible problems.
A GDPR Summary – what’s new?
EU data protection law has always required businesses to protect personal data against unauthorised or unlawful processing, and accidental loss, destruction or damage. This includes data stored on paper. However, the GDPR adds a few extra demands:
• New rights for individuals on how their personal information is held and used
• New data security levels
• New demands to report GDPR breaches to the regulator
• New requirements on demonstrating compliance to the regulator
Considerations for paper and data security
When it comes to applying and adopting GDPR, sensitive or confidential paper documents and files pose a specific set of challenges to businesses. As with any personal information held, businesses need to look at how the information is stored and consider:
1. Whether we still need it
2. Whether we need to use it in the way we do
3. Whether everyone accessing it really needs access to it
Here are a few special considerations when it comes to paper:
Simply printing a document and forgetting you’ve done so can create a security risk. Ask yourself: Who might accidentally pick up that document?
Each time you send a document to print through a wireless printer, you run the risk of security breaches via the Internet. Try restricting print permissions and tracking print jobs using specialist software to help prevent this.
Scanning turns printed documents into digitised versions of themselves, which can be opened and read by anyone. Add password-protected privacy filters to your scanning system to help counter potential threats.
Documents which you still need to hold must be stored in a way that allows them to be easily traced and located if required. Sensitive documents need to be stored in locked cabinets and access restricted to a certain number of people within the business. Hard copy records don’t have to be intimidating. Create and maintain an efficient records management system with these practical tips.
Secure paper disposal should be a priority, particularly now the EU has upped its data protection demands. Paper documents that aren’t needed anymore need to be disposed of in a compliant manner. A cross-cut shredder is an invaluable tool that helps you with your GDPR compliance.
Breaching the GDPR could cost €millions
It’s never been more important to take care of the data businesses hold, including paper documents. Leaving sensitive paper files on public transport, keeping data longer than we need to, or disposing of it incorrectly are all easy mistakes to make - but they can also be very expensive ones. Breaking the new rules could cost up to 4% of your global annual turnover, or a staggering €20 million (whichever is higher).
Did you know?
Under the GDPR, everyone whose personal data is held by an organisation will have new legal rights. These are the Right to be Forgotten, the Right to Data Portability and the Right to Object.
• Get to know your new responsibilities when it comes to hard copy data.
• Read up on the new rights people have under GDPR.
• Double check how hard copy personal data is processed and stored by your business.
• Revisit your data destruction policy.
• Do you need to implement security shredding?
• Identify weaknesses in your paper management system, as well as in the systems of businesses and services you share information with.
• Train your team members so they’re up to date on the new regulations and understand the importance of secure document disposal.
Did you know?
80% of European companies experienced at least one cybersecurity incident in 2016. (Source: http://europa.eu/rapid/press-release_IP-17-3193_en.htm)