The concept of GDPR compliance can sometimes feel quite abstract.

It is often mentioned in a cookie consent banner when navigating a website, included in the terms and conditions when downloading an app, or featured in the news when a company such as Mark Zuckerberg's Meta is fined a record-breaking sum of money for consistently mishandling data.

These encounters with the four-letter legislation all belong in the digital world, contained within our screens. But does GDPR apply to printed documents?

The brief answer to that question is ‘yes’. All data - whether it sits on your mobile phones and desktop computers or within the files that may haphazardly fill your office space - is subject to GDPR, requiring an individual’s explicit consent to the data collection, alongside secure storage and timely, comprehensive destruction.

While your GDPR obligation is the same whether the files are tangible or digital, the methods for achieving that responsibility must differ considerably. Before we explore the considerations required when storing physical files, it is first necessary to define exactly what we mean by ‘GDPR’.


What does GDPR mean?

GDPR, short for the General Data Protection Regulation, was created by the European Union in 2018. This comprehensive framework lays down a series of regulations meticulously crafted to ensure the security of personal data belonging to EU residents. Irrespective of whether an organisation is geographically located within an EU country or not, it has a legal obligation to prevent any mishandling of sensitive information relating to the bloc’s citizens.

GDPR provides strict guidelines for the collection, processing, and storage of personal data. All of these things must adhere to principles of legality, fairness, and transparency. What that means in practice is that your organisation must have a lawful reason for collecting personal data, the processing must be conducted in a fair and transparent manner, and individuals should be informed about how their data will be used. 

Individuals must also be given an easy way to opt out of having their data collected and processed, and they have the explicit right to know what data is being collected about them and how it is being used.


Does GDPR apply to physical documents?

Yes. As we have already mentioned, the General Data Protection Regulation applies to all forms of data, whether that consists of client addresses within a digital spreadsheet or medical notes that have been handwritten in a physical notebook.

Consider, for instance, a law firm maintaining paper records containing sensitive legal information. Under GDPR, these physical documents are subject to the same stringent data protection principles as their digital counterparts. You, as an organisation, have a responsibility to safeguard information that can be linked to an identifiable person, whether that data is online or written in the real world.

But as you probably know, the concept of safeguarding information will look very different if the files are physical.


How do your GDPR obligations differ when storing physical files?

If a piece of data is stored digitally, it is quite easy to restrict access to it, supply it to the individual it relates to, and - at the end of its lifecycle - destroy it. A printed document, however, requires additional effort on your part. Here are the three most substantial considerations when storing physical data:


Access controls

One of the most important requirements of GDPR is that only parties explicitly authorised by the individual have access to their data. Online, many of the access controls - such as user authentication, role-based permissions, encryption, and audit trails - function automatically. As a result, the individual can prevent third parties (such as Google Analytics) from viewing and using their information.

In the physical world, the core responsibility of limiting access still remains. If an individual has not given a particular party explicit permission to view their data, you must still ensure that they are entirely unable to do so. Of course, encrypting words on a paper document is almost impossible and certainly of little use. Instead, you should store files in a secure facility with restricted-access areas and lockable filing units. To monitor access, you might implement a sign-in and sign-out process which can be regularly reviewed to prevent any breaches.

If you recognise that access to physical files containing personal data (relating to employees or customers, for example) within your organisation is not controlled, it is time to substantially improve security or consider entrusting the job to document storage specialists.

[Image: Stacks of physical files]

Data portability

GDPR grants individuals the right to obtain and reuse their personal data across different services. Online, for example, a user might want to move from Spotify to Apple Music. To do so, they have the right to request information regarding their listening preferences in a commonly used digital format, making the transition far easier. Likewise, the portability of financial data can help an individual switch from one bank to another.

Online, formats can be converted quite easily, and many of these digital platforms are more than equipped to handle huge amounts of data. If you are handling physical files, however, the process of providing a user with their information or passing it on to another party in an accessible format will likely require additional effort, perhaps involving scanning a high volume of documents.

If you were to cast your eyes across the physical files you are currently storing - perhaps cluttering up a room that could be put to better use - how long would it take to find an individual’s data, convert it into a readable format by bulk scanning, and send it over within a reasonable timeframe?


Data destruction

Once data is no longer needed for its original intended purpose, GDPR specifies that it must be destroyed. Much like access controls and portability, this is a function often carried out automatically, triggered, for example, once a specified period has elapsed after a purchase has been made. The data is usually wiped entirely, and cryptographic techniques ensure that it is irrecoverable.

Physical data, on the other hand, requires physical and manual destruction. While burning it certainly ensures it cannot be recovered, secure shredding is far more sustainable and still achieves the necessary irrecoverability.

If your physical filing system isn’t optimised, one individual’s data could be mixed in with another’s. This alone could constitute a data breach, but it also means that you could inadvertently destroy the wrong piece of information. If you do not have the time or inclination to properly catalogue and appropriately dispose of physical data, it might be a sensible choice to contact document destruction specialists such as ourselves.


What are the penalties for non-GDPR compliance?

If an organisation mishandles a client’s information or does not put the necessary security measures in place to prevent it from being stolen, for example, it is likely to face a large fine. GDPR fines can be as much as €20 million or 4% of a company’s annual revenue (whichever is higher) for severe or repeated offences. The fine is lower - €10 million or 2% of a company’s annual revenue (whichever is higher) - for milder or first-time offences.


What can you do to ensure GDPR compliance?

Many organisations - such as public bodies or those working with large amounts of sensitive information - are legally required to appoint a dedicated data protection officer. Even if you are not obligated to do so, appointing one at your organisation could prove beneficial, including where their GDPR duties sit alongside their day-to-day work.

There are other ways to ensure you meet your legal obligations, such as monitoring how you process and store your data, and being aware of any changes to GDPR legislation - after all, this is not something that is set in stone.

But there is one final method of ensuring your physical data is GDPR compliant: you can entrust that responsibility to document storage specialists such as ourselves, who have been providing hassle-free, affordable solutions for more than 20 years. Whether you want to store digital or physical files, or dispose of them in a way that keeps confidential data confidential, speak to our team today.