GDPR and digitising paper records. Let's go back to typewriters.
It’s now an infamous apocryphal tale that when the Germans discovered the length and depth of the US ability to cyber “spy” on its allies, government departments considered reverting to using typewriters to keep sensitive information “off-line” from prying eyes. Even private individuals went out to second-hand stores to go fully “retro” in their version of this new “cold war” conspiracy. Obviously that would certainly have made things a bit more difficult for the CIA’s cyber unit, but it does come with disadvantages for storing, retrieving and reporting on information. Yet there may be other ways.
Benefits of digitising paper records
For people concerned with the impact of GDPR on holding paper copies of sensitive information, now may be the time to digitise these versions to make them easy to store and find, whilst also making them more secure.
Many documents are now generated electronically anyway. Invoices, contracts and job offers can all be generated and stored as PDFs in email, on a server or in the cloud. Yet organisations still have paper files they need to generate and correspondence that all needs to be filed away. Many documents need to be kept for regulatory reasons for 6, 7 or 10 years, and under GDPR they must remain secure for all that time.
Scanning in paper records
With all this in mind, you can run a special project to scan a backlog simply for archive purposes or include the material in a document management system. The advantage of this approach is that the documents can be linked to contacts for ease of access and generate a history that also makes it easier to respond to subject access requests under the “right to be forgotten”.
Yes, a database is not necessarily the most intuitive mechanism for getting rid of data (see previous article), but it does make it possible to find everything to do with an individual person’s details in one place. That makes the request easier to deal with, as any activity linked to that individual can be “hidden” rather than having to spend hours scurrying through archive boxes to make sure every shred of paper has been gathered and destroyed. Even if that approach were followed, with paper it is harder to prove that you have complied, whereas a database creates a timestamp and an audit trail verifying that you have responded to the request.
The task of scanning in all the documents may seem overwhelming, but once it is done you would save a great deal of time and see potential efficiencies simply through the ease of accessing a document virtually. If it is in a document management system, the fact that it is held within a database with its own security procedures will add to the document’s security. For those who store documents in folders on their computers, encryption can be applied to the files to add an extra layer of security. That means that even if someone breaks into your system and downloads the file, they would not have the password or key needed to open and read its contents. With these procedures in place, your method of storing documents should be compliant with the upcoming GDPR regulations.
About the Author:
Malcolm Ford has worked on implementing document management systems in the enterprise arena and now works with organisations to help them become GDPR compliant.