Paper records represent a significant General Data Protection Regulation compliance risk

Businesses face significant challenges in applying the new EU Data Protection Regulation to paper records; Iron Mountain offers some advice.

At the end of last year, the European Parliament and Council reached agreement on the General Data Protection Regulation (GDPR) proposed by the European Commission. The new rules, which will come into force in early 2018, represent the greatest change to data protection legislation since the dawn of the Internet. They will affect any organization across the world that handles data of European origin.

According to information management and storage company Iron Mountain, the reforms, which aim to reflect the changing needs of the digital economy and champion the data privacy rights of the individual, could prove difficult to apply to paper-based information. To help companies ensure their paper records don’t fall foul of the regulations, Iron Mountain has prepared the following guidance on some of the key components of the GDPR:

1. Make sure you can find the information you need.
Before you can de-identify or delete information you need to be able to find it. The reforms will enshrine the consumer’s ‘right to be forgotten’ in European law and businesses will need to respond to requests to delete personal information. Unfortunately, while it may be easy to remove digital data from a record or database, hard copies are far more difficult to amend. Iron Mountain research shows that close to a quarter (22 percent) of companies have no policy regarding paper filing and allow employees to decide what to do for themselves. As a result, in many organizations, no single person or defined team has complete oversight of what information is stored where. Even when the information can be located, there are the practical challenges of having to partially edit documents, often by hand.

Iron Mountain advises organizations to identify the departments and functional areas most likely to create and store records containing personally identifiable information (PII) and to prioritise scanning and secure offsite storage for those records. Organizations should also implement and enforce a clear filing and identification system for all paper records, with tags and metadata marked on box files and cartons, with clearly defined access rights and accountabilities.

2. Be aware that paper often leads a double or triple life.
Clearly defined processes for managing information from creation to secure destruction may not be enough on their own. Paper can slip through the cracks of the strictest information classification and storage policies, simply by being copied or printed and left lying around, carelessly disposed of, or even removed from a secure building. The 2015 Privacy and Security Enforcement tracker report from PwC reveals that many European data security incidents that result in a penalty stem from human error in the handling of paper documents. Consequently, despite the best intentions of an organization to comply with a data deletion request, employees may be keeping the data alive in a desk drawer or home office environment.

Iron Mountain advises companies to complement their information management policies and processes with regular employee training and communication that show staff how to manage information securely and support a business-wide culture of information responsibility. Every employee should understand what constitutes private or confidential data and how to handle it.

3. Build privacy into your processes.
The GDPR wants privacy to be a forethought in how information is produced, managed and disposed of. For paper this will all be about information handling processes. Iron Mountain advises that organizations should make it difficult, if not impossible, for unauthorised people to access or make copies of documents that carry personally identifiable information. Information storage, retention and destruction processes should all be reviewed with privacy requirements in mind, and adapted where necessary.

4. Accept that some rules simply won’t apply.
Elements of the GDPR, such as data portability, will be difficult to apply to information stored only on paper. In some cases this lack of applicability is an advantage. For example, demands for robust cyber-security measures do not apply to paper, because it can’t be hacked.

“There is a wealth of business advice available on how to prepare for the new legislation, but it’s almost all focused on electronic data and IT security - ignore paper at your peril,” advises Gavin Siggers, director of Professional Services at Iron Mountain. “Organizations continue to create and process paper documents carrying personal information. Many have accumulated vast paper archives, stretching back decades. This legacy will present problems for any organizations no longer sure what information they hold in the archive. It is now more important than ever to know what you have, know where it is and know how to get to it when you need it.”