The GDPR And Paper Files
The GDPR And Paper Files
By Alan Donohoe Redd M.Sec.I.I. ©
The General Data Protection Regulation (GDPR) came into force on the 25th of May 2018, replacing the existing data protection framework under the EU Data Protection Directive. Regulators and legislators may have been thinking about businesses such as Google, PayPal and Facebook when drafting the regulation but the definitions set out in Article 4 of the GDPR make it clear the regulation applies to anyone holding or handling personal data, on any scale, and this most certainly includes paper files.
What Happens If You Do Nothing?
Under the GDPR, organisations in breach of the regulation can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements, however violating the core of Privacy by Design concepts (for example, not having paper records secure and in order), can attract a global fine of 2%.
Under the GDPR data controllers must implement verifiable data security systems that are specifically appropriate to the risk environment. These systems are required to protect data against accidental or unlawful destruction, accidental loss, alteration and unauthorised disclosure or access.The system must also provide a record of when data is accessed, by whom and why. A risk assessment for ensuring compliance must be conducted, retained and readily available.
Article 35 (3) – GDPR
A data protection impact assessment shall in particular be required in the case of:
(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
(b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or (c) a systematic monitoring of a publicly accessible area on a large scale.
What Is Meant By Data?
Data, as defined in article 4 (1) – GDPR
“‘Personal Data’ means any information relating to an identified or identifiable natural person (‘data subject’). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.”
In other words, if your organisation handles personal data in any form whatsoever, that can be used to identify an individual your organisation is holding personal data and has a legal responsibility to handle that information in compliance with the GDPR.
What Is Meant By Data Processing?
Many organisations don’t think that collections of paper files have anything to do with data “processing”. Fortunately or unfortunately, depending on your point of view, this is not a view shared by the European Union.
If you have personal data for any reason and in any form, you are processing it. This in turn means you have a legal duty of care to protect that information against accidental or unlawful destruction, accidental loss, alteration, unauthorised disclosure or access and you must record when it is accessed, by whom, and why.
Article 4 (2) – GDPR
“‘Processing’ means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
What Access Records Must Be Maintained For Paper Files?
Article 30 (1) – GDPR
“Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:
(a) the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;
(b) the purposes of the processing;
(c) a description of the categories of data subjects and of the categories of personal data;
(d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
What Security Measures Must Be Taken For Paper Files?
All paper files containing personal information are required to be secured against, unlawful destruction and unauthorised, unrecorded access. Furthermore, as we already said, there is a legal requirement to record who accessed the files, for what purpose and when. This information must be recorded and maintained.
Article 32 (1) – GDPR
“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”
Can My Organisation Keep Data Related To Individuals For Long Periods?
Yes, but there must be a demonstrably legitimate reason for this such as a regulatory or legal requirement and appropriate organisational measures should be taken such as hierarchical levels of access with a clear division between what data is needed to operate day to day and what information is being archived long term for other legitimate reasons.
Article 25 (2) – GDPR
“The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.“
What Does All This Mean In Practical Terms?
Firstly and to be abundantly clear, this means that the GDPR applies to all documented information that relates to individuals such as, HR files, legal files, customer files, medical files and employee data.
What this means in practical terms will of course vary by organisation and by volume and type of records. This is where a competent risk assessment is an indispensable requirement.
Ubiquitous Paper files
Paper files with personal information are required to be protected against unlawful destruction and unauthorised access. Furthermore, as we already said, there is a legal requirement to record who accessed the files, for what purpose and when. This information must be recorded and maintained.
This is not optional.
For smaller volumes the solution can often be simple and relatively inexpensive. Where larger scale volumes of paper files are concerned, arriving at a solution is a longer process, but in either case, a physical data security expert’s advice is the invaluable starting point. There are a number of off the shelf solutions to the more common issues of physical GDPR compliance, but how they are applied or combined, is critical.
This is what the “Privacy by Design” concept of the GDPR means. Whatever system you use it must be demonstrably secure, restrictive, hierarchical and suitable for purpose. Without an in depth understanding of the underlying requirements and intent of the GDPR, a great deal of time and money can be wasted to no avail.
In short, when it comes to the GDPR you absolutely cannot afford to take unqualified advice. Always insist on documented qualifications before soliciting advice on physical GDPR compliance. The solutions are available, but implementation and ease of application are crucial to success.