GDPR is fast approaching and unfortunately, most of the information out there focuses on digital data. This is, of course, a vitally important aspect of GDPR, however, many of us still have vast quantities of paper and physical data which will also be covered by the GDPR regulations.
How do we handle this physical paper data?
Countdown to GDPR
What data is covered by GDPR?
GDPR itself focusses on personal data held by a company regarding any individual who lives or works in the EU/EEA. It is replacing the current Data protection act of 1998 in the UK and bringing all countries in line with the new legislation as of 25th May 2018.
It is not enough to say that your company does not operate within the EU. Brexit will have no effect on the implementation of GDPR, therefore, if you operate a business in the UK or if you hold data from anyone within the EU or the UK, then you will have to be GDPR compliant.
For up to date details on the current legislation, please see: www.gov.uk/data-protection
What is personal data?
The definition of Personal data is being expanded under the scope of GDPR and it is important to note what will be covered under the new legislation:
- Name of person
- Location data
- Online identifiers – log in names, online personas
- ID numbers – eg. National Insurance number, driving license number
- Details relating to physical appearance, genetic or physiological data
- Economic status
- Cultural or social identifiers – eg. Race, religion, political group
This covers both digital and physical data.
Who could you hold data on?
Customers and clients
This could be in the form of an order, contact details, invoice and account details, quotes etc and could be held across multiple systems and within several physical locations. It is important to note that GDPR does differentiate between Joe Bloggs Ltd and Mr Jo Bloggs the man.
Obviously, it would not be good practice to allow customer data to be accessed unlawfully, whether this is an individual or company, so most companies are implementing GDPR restrictions across all areas of their business.
This becomes much more important when you are dealing with an ‘individuals’ data over that of a company though, and it should be noted on any records held if the data belongs to a company or an individual. On digital data this should not be too hard, however, on physical paper data, this becomes a much harder task. Many companies, therefore, will treat all physical data with the same level of security and disposal importance and not differentiate between individuals and companies.
Most of this data will be held within CRM systems or sites like MailChimp or Vertical response for use within digital marketing.
Any print out of data will of course still be covered and must be stored and disposed of securely.
This information will most likely be held within your HR department. It will cover all data relating to Personnel files, wages, pensions, emergency contact information, driving licenses, criminal conviction checks and training courses. This is not an exhaustive list and you may hold other information on file which will also fall under the scope of GDPR.
Most,if not all companies will fall under GDPR’s scope when it comes to staff and records kept. Even if you do not feel that your customer or supplier information is covered by GDPR, your staff’s most certainly will be. This is the area in which most companies are having to provide the most focus.
In the form of CV’s, application forms, emails relating to job information etc. It is important that this information is handled with the same level of security as that of your actual employees. If you are going to keep the applicants personal data on file, it is important to let them know this in advance and ensure that any data retention dates are kept to.
It is possible that you have less personal data on this group of people, however, it still needs to be handled in the same way as your regular employees.
This may seem like an odd one to put here as many suppliers will be companies and GDPR is very clear that company data is not covered by GDPR. Eg. Info@abcompany.com is not treated with the same importance as firstname.lastname@example.org. That does not, however, mean that a supplier is not considered to be a person. Many IT software and CRM companies have implemented the option of making a customer or supplier and ‘individual’ to ensure that their data can be flagged easily and either amended or erased in line with the new regulations.
In what format could you hold data?
Most of the digital data you, as a company, hold will be within computer software. The most common areas affected will be within order processing software, email software, marketing databases and CRM software. These programmes should have aspects within them which can help you to implement and uphold the new rules and regulations relating to GDPR.
Now, this is a whole other matter. Anyone who has tried to go through their company archiving, either to search for some information or to dispose of older data will know that this can be a rather arduous task.
Depending on the age of your company, volume of data held, accuracy and efficiency of your filing/archiving systems and the staff who maintain these systems, you may find preparing for GDPR and continual compliance to be either easy and obvious or much harder and painful.
Steps to getting your physical filing GDPR compliant
- Carry out an internal audit of your data
- Decide upon a timeframe for keeping your data
- Securely destroy any data which falls outside this time frame.
- Rearrange your filing to ensure that you can access documents when you need them
- Design and implement a plan for destroying your data once the retention period has passed
- Make sure you have a procedure in place to deal with ‘right to erasure’
Carry out an internal audit of your data
It is important to note the following:
What data do you hold on file?
How long do you hold this data?
Who can access this data?
Do you have security measures in place to protect this data?
Is there any of this data that can be deleted or redacted earlier than the retention date? Eg. You may need to keep a contacts signature as proof of delivery, but do you need to keep their phone number on file?
What processes can you put in place to ensure that retention end dates are kept to?
How can you ensure that your physical data is deleted or disposed of in a safe and secure manner?
Decide upon a timeframe for keeping your data
Do you need to keep prospective CV’s on file for longer than the employment process takes?
How long do you keep staff data once they have left the company? Perhaps, instead of keeping all Personnel Files for all staff, it would be better to keep a selection of data in a secure format. Eg. Staff name, start date, end date, and any information you think relevant to keep in case of a reference request in the future.
Securely destroy/dispose of any data which falls outside of this time frame
We can deliver one or more of our secure shredding bins/confidential waste bins to your office, your archive storage centre or any other location of your choice. You can then fill these with all of the confidential data that falls outside your retention date range. We will take these bins away and shred your confidential data in one of our secure locations. A certificate of destruction will then be supplied to you.
Our service can be one-off, or we can work to a schedule that suits you to provide a more regular purge of data which has passed its retention date.
For ongoing conformance you may wish to keep one or more of these bins in your office, we can then arrange to collect this on a monthly basis (or more frequently if required) and replace it with an empty one.
Rearrange your filing so that you have access to all the documents when you need them
A well-organised filing or archiving system will help you to keep track of data and will prevent hours of wasted time searching through endless boxes and filing cabinets.
[perhaps a link to the L6C filing crate here, or one to L2C/L3C for long-term storage, perhaps we need a page for long-term storage and use of crates, this could then be linked to a particular price grid on our system to provide long-term hire, alternatively, a link to Advanced crates for buying these crates, perhaps both]
Design and implement a plan for destroying your data once the retention period has passed
Keep one of them in your office for the disposal of all confidential data on an ongoing basis. Why keep a whole filing cabinet of paperwork you want to destroy when you can simply pop it in one of our bins and have it collected monthly. (or more frequently if required).
All too often it is the case that personal details are left lying around the office, perhaps you have written down a customer order on a post-it note along with their name address and phone number. How do you dispose of this securely? It is unlikely that you will keep a box or a filing cabinet for items such as these, so why not put them straight into a secure shredding bin. Problem solved.
Why wait to clear out that drawer until you know the yearly retention date is within sight? With our secure shredding bin solution, you can have one of these bins sitting in your office ready for you to dispose of data as and when you require.
Make sure you have a procedure in place to deal with ‘right to erasure’
Having one of our secure shredding bins/confidential waste bins on site can aid you in this. You will be able to dispose of any such data included in their request by simply popping it into one of our bins. Due to the regular nature of the collections (once a month minimum), this data will be destroyed securely within one month.
Data protection by design
Having a secure shredding bin/confidential waste bin, in your office which is collected regularly will certainly go a long way to proving that your physical data is disposed of in a safe and secure manner. In the same way that investing in some lockable filing cabinets, will help to show that you are storing your physical data securely.