People and paper: The well-intentioned threat of data protection and privacy?

At the end of last year, the European Parliament and Council reached agreement on the General Data Protection Regulation (GDPR) proposed by the European Commission. The new rules, which will come into force in early 2018, represent the greatest change to data protection legislation since the dawn of the Internet. They will affect any organisation across the world that handles data of European origin.

The reforms, which aim to reflect the changing needs of the digital economy and champion the data privacy rights of the individual, may be difficult to apply to paper-based information, not to mention the employees printing off and using that paper.

In an increasingly connected and digital business environment, organisations can underestimate the extent of this challenge. Firstly, they may be unaware of just how much paper is created and used by their employees every single day. According to the information management industry association, AIIM, 40 per cent of office workers still prefer to file their most important information in paper form. Further, while 40 per cent of organisations say that more than half of their invoices are now delivered electronically – 35 per cent admit that most of these still get printed off.

Secondly, while many companies have robust information management processes in place, not all of them check whether these processes are effective. In a study with PwC we discovered that 79 per cent of mid-size companies in Europe and North America claim to have a detailed inventory of what information they hold and where it is held – but around half of them don’t check whether this is accurate.

Human behaviour does not always fit neatly with process. People forget, ignore or work around guidelines they find too complex or restrictive; and handle paper documents in ways that can undermine the best intentions of the information governance team.

Among companies that don’t have processes in place the risks can be even higher. Iron Mountain research shows that close to a quarter (22 per cent) of companies have no policy regarding paper filing and employees are allowed to decide for themselves what they do. In such an environment it is likely that no single person or defined team has complete oversight of what information is stored where, and whether the storage is secure.

Added to this is the fact that paper can lead a double or even treble life. It can be copied and printed multiple times by different people and easily removed from the workplace. Often this is done by diligent employees taking work home with them – or by new or temporary employees unaware of what constitutes confidential or sensitive information. It can also reflect over-stretched staff not having the time to manage information properly; and sometimes the mismanagement of information results from a lack of common sense or consideration.

If their employers try to implement the requirements of the new GDPR, such as the ‘right to be forgotten’, they may discover that even after digital records have been amended, employees could be keeping the information alive on paper in a desk drawer or in their home office.

The combined vulnerability of paper and employee behaviour has resulted in a number of damaging data breach incidents. The penalties for breaches are set to increase significantly with the GDPR reforms. The annual Privacy and Security Enforcement tracker report from PwC provides a fascinating insight into the ways in which employees can put paper-based data at risk.

Incidents in 2014, the latest year for which data is available, included a box containing information on murder and child abuse cases left behind at the former police station after an office move; a social worker losing a paper file with sensitive client information after leaving it on a car roof before driving off; an estate agent disposing of customer passport and tax records in a transparent rubbish bag on the pavement; and a psychiatric consultant losing a bag containing sensitive personal data while cycling home from work.

We therefore advise companies to ensure that their formal information management policies and processes are accompanied by relevant and regular training and communication programmes for employees. These should show staff how to manage information securely and how to support a business-wide culture of information responsibility.

For data protection measures to succeed, every employee must understand what constitutes private or confidential data and how to handle it. Companies need to make sure that only authorised people can access or make copies of paper documents that carry personally identifiable information. Further, paper storage, retention and destruction processes should all be reviewed with privacy requirements in mind – and adapted where necessary.

Many businesses have accumulated vast paper archives, stretching back decades. This will include personal information the company is entitled to hold on to – but may well contain information that could, and perhaps should, have already been disposed of. With the GDPR on every business’ doorstep it is more important than ever to know what you have, where it is and with whom, how to get to it when you need it, and when to delete it defensibly – that means disposing of it permanently and completely, wherever it may reside.

Gavin Siggers, Director of Professional Services, Iron Mountain