General Data Protection Regulation, better known as GDPR, has brought many new data protection rules. The rules, which are considered the most significant data protection changes in 20 years, mean that data must be processed fairly and lawfully, kept secure, accurate, and up-to-date.
The emphasis on GDPR has so far been centered on cybersecurity and IT compliance. Yet, the regulations apply to all personal data regardless of the format. That inevitably leads to the need to consider information printed or written on paper.
Why is GDPR necessary?
The General Data Protection Regulation is a legal framework in the EU and the UK created to assist businesses and public entities in protecting personal information and citizens’ privacy.
The GDPR strengthens individuals’ rights to access and manage the personal data that relates to them, such as their biometric data or IP address. More importantly, individuals retain the right to withdraw consent to the use of their data by a business or public entity at any time.
Because of this, businesses with over 250 employees must have a Data Protection Officer, who will make sure that the company collects, uses, and disposes of sensitive data responsibly.
What type of data is protected by GDPR?
By definition, personal data is any information relating to an identified or identifiable natural person (i.e., the data subject).
Personal data can include location data, a name, medical information, or social or economic information, any of which can help identify that natural person. Put simply, personal data is information that relates to an individual.
The GDPR covers the processing of this data in several ways, including wholly or partly automated processing and personal information processed in a wholly non-automated manner, such as a paper record held as part of a filing system.
What to do with the paper records you still need?
For GDPR, the same security concerns that affect the digital world also apply to the analog one. Printed information can be photocopied, removed, or destroyed, as can a digital record. One area where paper records are still required is the HR department. CVs, signatures on employment agreements, disciplinary notes – all these will take a while to digitize.
The obvious starting point is that most offices will have a filing cabinet with a lock. All that is required for GDPR compliance is for someone to be held responsible for securing the key, with one other person deputized to cover their absence.
If files are taken off-site, a register must be maintained recording who took the file and when it is due to be returned. In most cases, this set of procedures will be sufficient for GDPR.
Why should you shred?
Shredding your paperwork is the single most secure way to dispose of it. Not only that, but it helps your business meet its GDPR requirements for data security by providing a practical and safe way of disposing of data, preventing access by third parties.
If you don’t have processes to protect the data you hold in hard copy, you are leaving yourself open to a severe security risk and potential fines. This is because under GDPR you are liable if a data breach leads to an individual’s personal information being stolen.
One of the critical components of data security is the proper disposal of data – in any format. Anyone can read unshredded documents, so simply putting them in a waste bin or recycling bin isn’t going to be enough.
By shredding your documents once they have fulfilled their purpose, you are effectively destroying the information and preventing it from being read by third parties – fulfilling your obligations in one simple action.
Why your office shredder might not be good enough
Even if you feed all the outdated paper documents to the office shredder, that might not be enough to secure their destruction.
This is mainly because most office shredders are ‘strip cut,’ and the strips they produce can be pieced back together, which still poses a risk of a breach through reconstruction. That is why it might be worth investing in a professional service with industrial-sized equipment that will handle the documents and shred them following standard rules and best practices.
This is far preferable to wasting your own employees’ time feeding individual records into a typical office paper shredder.
The GDPR covers far more than the deletion of digital documentation. Its rules apply to the storage of any kind of personal data. However, physical documents are often overlooked when attempting to achieve GDPR compliance. That is why you must take the time to understand the processes that your business uses and to update them accordingly.
Just because the world is moving into digital processing doesn’t mean that paper-based risk has gone away completely. Thinking so would be a costly mistake to make.