Interviews

Paper record protection

by Mark Rowe

At the end of last year, the European Parliament and Council reached agreement on the General Data Protection Regulation (GDPR) proposed by the European Commission. The new rules, which look set to come into force in early 2018, will affect any organisation that handles data of European origin.

According to the information management and storage company Iron Mountain, these reforms, which aim to reflect the digital economy and champion data privacy rights, could prove difficult to apply to paper-based information. The firm has prepared this guidance on some of the key components of the GDPR:

1. Make sure you can find the information you need. Before you can de-identify or delete information you need to be able to find it. The reforms will enshrine the consumer’s ‘right to be forgotten’ in European law and businesses will need to respond to requests to delete personal information. Unfortunately, while it may be easy to remove digital data from a record or database, hard copies are far more difficult to amend. Iron Mountain research shows that close to a quarter (22 per cent) of companies have no policy regarding paper filing and allow employees to decide what to do for themselves. As a result, in many organisations, no single person or defined team has complete oversight of what information is stored where. Even when the information can be located, there are the practical challenges of having to partially edit documents, often by hand.

Iron Mountain advises organisations to identify the departments and functional areas most likely to create and store records containing personally identifiable information (PII) and to prioritise scanning and secure offsite storage for those records. Organisations should also implement and enforce a clear filing and identification system for all paper records, with tags and metadata marked on box files and cartons, with clearly defined access rights and accountabilities.

2. Be aware that paper often leads a double or triple life. Clearly defined processes for managing information from creation to secure destruction may not be enough on their own. Paper can slip through the cracks of the strictest information classification and storage policies, simply by being copied or printed and left lying around, carelessly disposed of, or even removed from a secure building. The 2015 Privacy and Security Enforcement tracker report from PwC reveals that many European data security incidents that result in a penalty stem from human error in the handling of paper documents. Consequently, despite the best intentions of an organisation to comply with a data deletion request, employees may be keeping the data alive in a desk drawer or home office environment.

Iron Mountain advises companies to complement their information management policies and processes with regular employee training and communication that show staff how to manage information securely and support a business-wide culture of information responsibility. Every employee should understand what constitutes private or confidential data and how to handle it.

3. Build privacy into your processes. The GDPR wants privacy to be a forethought in how information is produced, managed and disposed of. For paper this will all be about information handling processes. Iron Mountain advises that organisations should make it difficult, if not impossible, for unauthorised people to access or make copies of documents that carry personally identifiable information. Information storage, retention and destruction processes should all be reviewed with privacy requirements in mind – and adapted where necessary.

4. Accept that some rules simply won’t apply. Elements of the GDPR, such as data portability, will be difficult to apply to information stored only on paper. In some cases this lack of applicability is an advantage. For example, demands for robust cyber-security measures do not apply to paper, because it can’t be hacked.

Gavin Siggers, Director of Professional Services from Iron Mountain, says: “There is a wealth of business advice available on how to prepare for the new legislation, but it’s almost all focused on electronic data and IT security – ignore paper at your peril. Organisations continue to create and process paper documents carrying personal information. Many have accumulated vast paper archives, stretching back decades. This legacy will present problems for any organisations no longer sure what information they hold in the archive. It is now more important than ever to know what you have, know where it is and know how to get to it when you need it.”

Visit: http://blogs.ironmountain.co.uk/2016/data-privacy-protection/data-protection-general-data-protection-regulation-gdpr/.


© 2024 Professional Security Magazine. All rights reserved.
