PHYSICAL DOCUMENTS – THE ULTIMATE GDPR GOTCHA?
You’ve analysed every GDPR risk and identified every piece of personal data. You’ve issued swipe cards and assessed authorised privileges. You’ve instituted a GDPR-compliant process for every data eventuality and ensured thorough auditing of every document-related action. You’ve even brought in the GDPR legal eagles who’ve given you a clean bill of health.
And then – come GDPR deadline day or later – some bright spark leaves a print-out of the entire customer database hanging out of the office paper recycling bin.
GDPR is more than just technology
Just what should and shouldn’t happen with physical paper documents is the glaring blind spot in every GDPR plan. Any organisation’s GDPR compliance can be torn to shreds once users disengage from the whole purpose behind data privacy and treat prints and scans without the sensitivity they demand.
Consider the following scenarios:
- A meeting in a shared conference room concludes with nobody gathering up all the print-outs left on the table. You breach GDPR compliance because the print-outs include personal data.
- Employees are in such a rush that they leave all their unused sensitive documents in a neat pile for the office administrator to shred when he/she comes back off holiday. You breach GDPR compliance.
- A few staff are a bit behind on their office chores so all the paper recycling bins are overflowing. GDPR compliance is breached.
- It’s Cathy’s 40th birthday so everyone leaves at 5.30 sharp to get to the pub, and a few people neglect to clear their desks. Some desks have sensitive data documents on them – a GDPR breach.
According to the vagaries of GDPR, each of these scenarios changes the status of a document from being securely held under a compliant process to being a ‘public document’. And that, in turn, drastically alters the compliance status of the organisation responsible.
Back to basics
Rather than the work of master criminals, the kind of GDPR breaches described above are little more than innocent examples of human beings doing what comes naturally: being fallible. But try telling that to the authorities, who could end up issuing exorbitant fines or other legal censures.
It’s worth putting GDPR to one side for a moment and considering that breaches like this should not happen regardless of compliance requirements. Individuals are entitled to have their personal data treated sensitively and confidentially, and leaving pieces of paper lying around very obviously flies in the face of that.
People and processes
The mitigation is more than just staff awareness or even training. Awareness allows an easy ‘get-out’ from people’s innate sense of responsibility. The key is to foster sensitivity to the issue and define processes that all individuals consciously engage with. These processes, when documented, support the achievement of GDPR compliance, and demonstrate a commitment to best practice even if something does go wrong in the future.
KYOCERA technology is at the forefront of enabling organisations to achieve the optimum cybersecurity and data governance posture, but even we recognise that technology only gets you so far. Your people are your ultimate defence against any threat to data protection or privacy, and fully addressing this need could be your best GDPR investment.