GDPR and paper records?
The emphasis on GPDR has so far been centred on cyber security and
IT compliance, yet the regulations are quite clear that they relate to all “personal data” regardless of the format. That inevitably leads to the need to consider information printed or written on paper. To some people this may seem anathema as we live in a digital age, so surely this is a step backward, but there are circumstances where paper is preferred. This applies to historical archives or just the fact that people still understand a piece of paper in their hand rather than digits appearing as dots on a screen. I still get a surprise when I meet with people to discuss document management and they always make their notes with a pen and note pad. Even geeks are still wedded to the ancient use of papyrus and reed pens. One of the reasons the legal fraternity has been slow to move into the digitised format is the judiciary’s insistence on the original signatured version. Even digital champions like myself have recommended the art of writing t down when working in inhospitable, dust filled factories. So, we must recognise that our papyrus loving friends will be around for a little while yet.
Procedures for paper filing.
For the purposes of GDPR, the same security concerns that affect the digital world also apply to the analogue one. Printed information can be photocopied, removed or destroyed as can a digital record. One area where paper records are still required is the HR department. CVs, signatures on employment agreements, disciplinary notes – all these will take a while to digitise. The obvious thing here is that most offices will have a filing cabinet with a lock. All that is required for GDPR compliance is for someone to be held responsible and to secure the key and one other person able to deputise in their absence. If files are taken off-site, a register is to be maintained to record the person who is taking the file and when it is due to be returned. For most cases, this set of procedures will be sufficient for GDPR.
About the Author
M Ford has worked with implementing document management systems with the Enterprise arena and now bring that experience to organisations dealing with the implications of GDPR.