Does the General Data Protection Regulation apply to paper data?

Do you know the General Data Protection Regulation (GDPR)? Well, you should!

In short, the GPDR (EU 2016/679) is a regulation by which the European Commission, the European Parliament and the European Council aim to strengthen and unify data protection for individuals within the European Union. It also addresses the export of personal data outside the EU. The regulation was approved on 27 April 2016 and will be effective as from 25 May 2018. It is applicable to all data, in any form, that can be used to identify a person. This means it also applies to paper data.

The impact of GDPR on your paper data

1. Data management transparency

As a result of the GDPR, organizations will have to improve their information management transparency. At any time, a company must know which personal data is being processed and where the information is stored, regardless of the form. You can find adequate tools to do so in your digital information management system, but what about your existing paper documents? Are you really planning to inspect all your paper files in search of those containing personal data?

 

2. Data Protection Officer

Like any organization, your company will certainly have a paper archive somewhere. Who is responsible for it? Who can you call if you need information that’s hidden in an archived paper document? GDPR recommends or, in some cases, imposes to appoint a Data Protection Officer (DPO), in charge of your digital and paper archive. The DPO monitors compliance, advises the board and operational team and is the contact point for the supervisory authority (CBPL/CPVP in Belgium). The DPO could be an employee or a third-party, but he has to be independent of the board.

 

3. Data leak prevention

Paper documents have one huge asset compared to digital files: paper cannot be accessed from the outer world. Still, the question is: how can you prove that no one has altered or accessed the information within a paper process or archive?

 

4. Privacy by design

When installing or evaluating your processes, always take privacy as a starting point. The GDPR obliges you to comply with privacy rules from the beginning, even for paper based processes. A continuous focus on privacy results in a process that makes it difficult to copy and distribute paper documents that contain Personal Identifiable information (PII).

But there must be some other way to ensure privacy of personal information…. Maybe it is time to digitize your processes?

 

5. The right to erasure

Article 17 of the GDPR stipulates that every data subject is entitled to ask an organization to erase all of its personal data. The organization is obligated to do it “without undue delay” and to prove all personal data has been permanently deleted. Of course, there are some conditions to request the deletion of personal data and in some cases an organization can refuse to proceed.

Deletion of personal information on paper

There is often more than one copy of a paper document.  E.g. At a lot of companies, important documents are copied for distribution. Another example is important contracts: Purchasing department has a copy and there is very likely a copy somewhere in a vault.

The erasure of personal information in paper archives can be rather complicated. To start with, how do you know what documents and files contain PII? And secondly how can you prove the erasure of all personal information?

The answer is metadata!

Metadata helps to identify the paper records that contain PII. We advise organizations to install a filing system that keeps track of all documents containing PII. Is this an easy thing to do? No, but there is an easier solution!

 

Digitizing your paper documents: the easier solution!

Digitizing your paper documents gives you many advantages. One of them is the secure and accurate handling of documents with personal data. By scanning all your paper documents, Docbyte captures all relevant metadata automatically using designated intelligent software. Documents containing personal data are identified as such and treated accordingly. Docbyte offers several highly effective and low maintenance options for the handling of personal data documents, all with guaranteed GDPR compliance. 

Contact us and we will help your organization prepare for the GDPR.