top of page

GDPR and Paper Documents

GDPR and The Affect on Your Paper Documents

The General Data Protection Regulation (GDPR) came into effect in May 2018 throughout the EU and replaced the UK’s Data Protection Act.

Failing to adhere to GDPR can result in significant penalties – Data protection regulators will have the powers to impose fines of up to £17,000,000 or 4% of the total worldwide annual turnover of an organisation. It’s never been more important to ensure that standards and procedures are put in place.


According to a UK government 2015 information security breaches survey, “90% of large organisations and 74% of SMEs reported a security breach, leading to an estimated total of £1.4bn in regulatory fines.” This means that if data breaches remain at 2015 levels, the fines paid to the European regulator could see a near 90-fold increase, from £1.4bn in 2015 to £122bn, the PCI SSC calculated, based on the maximum fine of 4% of global turnover.

GDPR focus is often placed on cyber security threats, server hacks, database vulnerabilities and data stored on and transmitted between servers and networks. Often though, paper documents, paper records and files are being severely overlooked, these however should be ignored at your peril.

Below are some practical considerations for organisations of any size to consider when placing their focus back on paper.


Can You Find All Of The Information You Need?

The right to erasure (the right to be forgotten) states that “The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data whether there is no compelling reason for its continued processing.” 

If you can’t find this information in your paper documents, then how can you comply with GDPR? How long would it take you find information stored in paper files? Do you even know where it is? Is it in the building? Is it in storage? Are you even sure you’ve still got it? All of this searching is incredibly time consuming and costly. If you elect to destroy all your paper files to avoid the risk of holding an individual's data you potentially run the risk of destroying critical data that your organisation may need in the future.

How Many Copies Of Your Documents Exist?

It’s easy for paper documents to lead a double or triple life. The greatest threats to even the most secure information storage policy include the duplication on a photocopier, increased copies on a laser printer, insecure disposal of the documents and removal of documents from the building. Human error and human handling of documents can result in a complete lack of document control and exposes your organisation to data breaches.

Can You Keep Your Documents Private?

Privacy of data is key to the GDPR, paper documents can get into the wrong hands easily and this could easily become a data breach. Transportation of data in any format (including paper) should be seen as a threat to information security. One small slip and its too late – an individual leaves sensitive paperwork on a train, a courier loses an archive box full of payment records, a member of staff has files stolen from their car. These are all real world situations where paper documents can get into the wrong hands.

Are You Managing Your Retention Periods Correctly?

“The retention period of information is an aspect of records and information management (RIM) and the records life cycle. It identifies the duration of time for which the information should be maintained or retained, irrespective of format (paper, electronic, or other).”

How do you currently manage the retention periods on your paper files?

Employees regularly make printed copies of digital files, but if a digital file is destroyed and a paper version is sat in a folder somewhere then potentially your compliance with the GDPR is affected.

The GDPR states “Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as the data will be processed solely for archiving purposes in the public interest, or scientific, historical, or statistical purposes in accordance with Art.89(1) and subject to the implementation of appropriate safeguards.“

It’s clear from the above that making your paper records adhere to the GDPR guidelines can be a complicated and time consuming task.

There is an easier way though. There are two major components that facilitate a paperless way of working:

1. The scanning and digitising of documents.

2. The use of Black Box FileCenter software and the Citrix ShareFile Cloud File Sharing service.

By scanning documents the paper files immediately become easier to manage. Instead of having an archive that may contain 100's sometimes 1,000's of archive boxes, all files can be centralised onto a handful of CD's/DVD's etc.. If the files are then OCR'd (made text searchable) they can easily be indexed and either stored locally to be managed by the Black Box FileCenter software or stored securely in the cloud via the Citrix ShareFile service. Both services offer a full text search engine which will enable users to save potentially hundreds of hours when searching and sifting through data before deciding what can and cannot be destroyed.

bottom of page