Data management is an issue all businesses need to grasp. No business is too small for GDPR to apply to it. Part of the reason for this is that no business is too small to be a target for criminals.
With that in mind, Rads Document Storage, specialists in data archive storage and destruction, share tips on how to keep your office clutter to a minimum while still complying with the law.
Keep your data in digital format
There are still some records you need to keep on paper. There are also some records it’s advisable to keep on paper. These days, however, these are the exception rather than the rule. If you want to clear paper clutter from your office, then usually by far the best way to do it is to scan all your paperwork. Then organize it. The one caveat here is that you need to make sure that all scans are legible.
Know what you have and where it is
You can only manage your documents if you know what documents you have and where they are. Again, this tends to be much easier with digital documents than with paper ones. With paper documents, it’s extremely difficult to guard effectively against unauthorized access and copying. With digital documents, by contrast, it’s much easier to implement robust access controls.
Likewise, make sure you know what data you’re collecting. You should only be collecting data you really need and/or really want. If you’re collecting personally identifiable data, then you need to make sure that your grounds for doing so are GDPR-compliant. You also want to avoid relying on consent if you possibly can.
Check your statutory retention period(s)
Knowing what you have is a prerequisite to being able to check the relevant statutory retention period(s). As a rule of thumb, any document with legal and/or financial and/or medical implications probably has a statutory retention period. Even if it doesn’t, there is likely to be a recommended retention period. This is usually the period in which you could potentially be sued.
Check if there are restrictions on how long you can hold documents
Similarly, if documents contain personally identifiable data (i.e. data covered by GDPR), you will usually be required to destroy them as quickly as possible. What this means in practice depends on the data. The guiding rule, however, is “use it or lose it”.
If you’re not actively using it, then you should only be keeping it if you have an extremely good reason to do so. That would typically mean either a statutory retention period or a recommended retention period.
In general, the easiest way to ensure that documents are deleted when they should be is to tag them with a “delete on” or “delete by” date. Again, this is much easier to do with electronic documents than with paper ones.
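As an added example (not code from Rads Document Storage or the original article), a small Python script that tags each record with a delete-by date: a statutory period takes precedence where one exists, otherwise the recommended period, and records with neither are kept only for an assumed inactivity window of 90 days. The policy table, categories, record IDs and dates are constructed placeholders, not real retention periods.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed policy table (placeholders, not legal retention periods):
# statutory minimum and recommended period, both in years.
POLICIES = {
    "invoice":        {"statutory_years": 6,    "recommended_years": None},
    "contract":       {"statutory_years": None, "recommended_years": 6},
    "marketing_lead": {"statutory_years": None, "recommended_years": None},
}
# "Use it or lose it": assumed grace period for records with no retention basis.
INACTIVITY_DAYS = 90

@dataclass
class Record:
    record_id: str
    category: str
    created: date
    last_used: date

def add_years(d: date, n: int) -> date:
    """Add n calendar years; 29 Feb in a non-leap target year becomes 28 Feb."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)

def delete_by(rec: Record) -> date:
    """Compute the delete-by tag: statutory period, else recommended, else inactivity."""
    pol = POLICIES[rec.category]
    years: Optional[int] = pol["statutory_years"]
    if years is None:
        years = pol["recommended_years"]
    if years is not None:
        return add_years(rec.created, years)
    return rec.last_used + timedelta(days=INACTIVITY_DAYS)

def due_for_deletion(records, today: date):
    """Return sorted IDs of records whose delete-by date has passed."""
    return sorted(r.record_id for r in records if delete_by(r) <= today)

# Constructed sample records.
SAMPLE_RECORDS = [
    Record("INV-001", "invoice",        date(2017, 3, 10), date(2017, 4, 1)),
    Record("CON-007", "contract",       date(2020, 1, 15), date(2024, 5, 1)),
    Record("LEAD-42", "marketing_lead", date(2023, 11, 1), date(2024, 1, 20)),
    Record("LEAD-43", "marketing_lead", date(2024, 5, 1),  date(2024, 5, 20)),
]
TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(r.record_id, "delete by", delete_by(r))
    print("due now:", due_for_deletion(SAMPLE_RECORDS, TODAY))
```

Run on the sample records it reports INV-001 (statutory period expired) and LEAD-42 (no basis, idle for more than 90 days) as due, while CON-007 and LEAD-43 are kept.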
Assess your backup policy
On the one hand, backups are an essential part of making sure that you always have access to your data no matter what happens. On the other hand, you can have too much of a good thing. Remember that backups are a double-edged sword. Yes, they do protect you against attack. Ironically, however, your backups are also an attraction to attackers.
The key to resolving this conundrum is to make sure that you have an appropriate number of backups. Many companies opt for two, one onsite and one offsite. If you’re working in the cloud, that translates to one in your regular cloud and one in another cloud. Your local backup helps you restore after temporary disruptions. Your offsite backup helps you restore after disasters and/or cyberattacks.
Make sure all documents are stored and destroyed securely
Paper documents should be stored with an appropriate level of security and then properly shredded before being recycled. Digital documents should be stored encrypted and properly deleted so that they cannot be recovered.