Storing boxes of data at a third-party location never used to be a problem, until GDPR came into force earlier this year, says David Fathers.
02 July 2018 | David Fathers
Releasing valuable office space by sending boxes of physical records for storage at third-party warehouses has been a useful solution for facilities managers (FMs) for decades. In the past, businesses were content that the boxes were safe and that they were meeting their regulatory obligations. Digital records and GDPR are changing that.
Under GDPR, individuals have the right to ask for their personal data to be rectified or erased, and businesses are required to act on those requests within a strict time frame: in general, within one month of receiving the request.
How can that be possible when FMs have no idea what data is stored in off-site boxes or how to find what they are looking for?
Many boxes have to be kept for legal reasons, but we estimate that up to 15 per cent of boxes stored with records management companies are past their 'destroy date' and being kept unnecessarily.
It's a bigger problem than people realise because GDPR doesn't only apply to digital data. It also applies to personal data on paper wherever those records form part of a filing system, which is exactly what archived boxes of files are.
Keeping boxes of records when you don't need to - and when you have no idea what they contain - is a ticking data time bomb that could lead to data breaches and fines.
A lot of people keep these boxes 'just in case': they don't know what's in them, or they're worried about throwing something away that will turn out to be useful in future.
But that is a false economy. Under GDPR, companies need to know what personal data they are storing and where it is, so paying to store mystery boxes is bad news on both counts.
The general public is more aware of their rights relating to how companies manage and use information about them. The companies that act now will secure greater public confidence and thrive in the post-GDPR world.
Here is a five-point plan to reduce risk.
1 Determine which documents need to be kept
All boxes stored offsite should have a 'destroy date' determined by their contents. Regulations dictate that differing documents need to be retained for varying periods so it is not possible to have a 'destroy everything' policy.
For example, building regulations require data in the construction sector to be kept for 30 or 40 years. In the legal profession, patent and trademark data must be kept for 35 years from the point at which a patent is granted. In health, radiotherapy records must be kept for 75 years after the patient dies and many government or pharma records must be kept indefinitely.
Choosing the right boxes to destroy at the right time is vital.
2 Prioritise which boxes to destroy
Of the boxes that are past their destroy date, destroy the oldest first, particularly boxes that have never even been opened. Always ask for a certificate of secure destruction, so you have evidence of when and how the records were disposed of. There are potentially millions of boxes out there that have not been opened in 10 years.
3 Identify who bears responsibility for physical data in your business
GDPR has seen the emergence of the data protection officer and brought data protection to the boardroom. But not everyone has considered physical data in their data protection systems, as many seem to think it applies only to data stored digitally.
Who is responsible for managing and retaining these documents in your business? Is it the data protection officer? Do you even have one and, if not, then who?
4 Consider the options
Secure destruction is by far the most cost-effective solution for out-of-date boxes. But it is also worth considering that for some paper-based data that must be retained, scanning a digital version could be a better long-term solution.
This can be comparatively expensive and time-consuming, so it is important to understand the need for accessibility and the need to share any data across your company. Scanning does not remove the obligation either: the digital copy is still personal data that has to be protected, retained and eventually deleted, and the paper original still needs secure destruction once it has been scanned.
5 Take action
Not dealing with the issue is a big risk. We estimate that there could be up to 30 million cartons being kept unnecessarily in the UK, so you can see the size of the problem. If you don't know what data you are storing, how can you be certain of protecting it? Fines for breaches of GDPR can be as high as €20 million or 4 per cent of global annual turnover, whichever is higher. However, the risk to corporate reputation could be far greater.
David Fathers is regional general manager at Crown Records Management