Managing Physical Paper-Based Records: A Blind Spot in GDPR Compliance

The General Data Protection Regulation (GDPR), which will go into effect in May 2018, refers to a new set of rules by which the European Union (EU) intends to strengthen and unify data protection for all EU citizens. As proposed, GDPR has huge implications extending to virtually all areas of the enterprise, with the main goal of reinforcing customer data protection. Any company serving customers in the EU – and this includes an estimated 80 percent of U.S.-based businesses – needs to ensure GDPR compliance, or face fines of up to 4 percent of annual global company revenue.

To date, much of the proposed GDPR legislation has focused on electronic customer data – how it is collected, processed, shared and stored. With an estimated 60 percent of customer data residing in business documents, GDPR is once again shining a light on records management protection. Many organizations already have advanced policies in place that include data retention protocols and the ability to audit electronic records and documents, including users who have viewed the document, how many times a file was opened and time stamps for when files were accessed. Even so, records management systems typically lack the ability to manage physical records, which is a vitally important component of GDPR compliance.

Kicking the Paper Habit

A paperless business environment has been proposed as one solution to easing GDPR compliance. The paperless office is not a new concept; in fact, Businessweek published an article in 1975 that envisioned a paper-free corporate existence. Four decades later, organizations are still chasing a paperless reality largely driven by noble aims such as environmental stewardship and waste reduction.

Paper has endured because, while digital communication is often ideal for shorter correspondence, people are more adept at reading and absorbing lengthier content in its physical, printed form. According to one 2016 study, 92 percent of college students prefer reading on paper, underscoring the need to integrate traditional paper-based and digital document management. Consider the example of an employee making print copies of a digital file: a GDPR-driven retention policy may destroy the digital file, but if a paper version still resides in an office drawer, the guideline is breached.

Guidance for Navigating GDPR

GDPR policy lays out six principles regarding customer personal information. These include provisions that data be “retained only for as long as necessary,” and “processed in an appropriate manner to maintain security.” And it’s not enough to comply with GDPR – companies must also demonstrate compliance. Given the regulatory intent, it’s easy to see how physical business documents represent a significant GDPR compliance risk. Specifically, there are three major transition points where data is especially vulnerable as it’s shared back and forth between its physical and digital forms. These include printing, network email and scanning.

Print Management: Multifunction printers (MFPs) are an example of how print data can be compromised from a seemingly innocent source. Because most MFPs are connected to the internet, they offer anonymous “off ramps” to the outside world. Every day, huge volumes of documents and personal data are transmitted to MFPs, and without security defenses, such printers can be breached, leading to data compromise and noncompliance.

In addition to external threats, malicious internal actors can find it easy to damage a company if there are no protections to manage what can be printed – and by whom. Companies can address this by controlling access to printing, including restricting access to print permissions and using print management software to keep a record of all outputs, thus helping organizations to track all print jobs.

Not all data leaks are due to ill intent. Often, human error leads to documents being forgotten on the paper tray or mistakenly picked up by the wrong recipient. Transportation of data in any format (including paper) is a risk to information security. One slip and it can be too late – an employee leaving paperwork on the train, or a courier losing an archive box, for example.

Print software can also be programmed to hold print jobs in a secure network queue until the user who printed the document authorizes its release, from any device connected to the network, using an identification badge or number. This can reduce the likelihood of documents falling into the wrong hands, while still affording users the freedom to pick up documents when and where they want.

Email: Accidentally sending an email to the wrong person can result in grave consequences if the email includes private information such as Social Security numbers, bank account information or birth dates. Companies can protect documents with sensitive information from being seen by unintended recipients by requiring passwords to open files or using a redaction tool to cover sensitive information – both of these are capabilities commonly included as tools in PDF software.

Scanning: Combining the presence of sensitive information with uncontrolled access to scanning creates an unsafe environment, and puts confidential information housed on paper documents at risk of being shared digitally.

Restricting document access by placing privacy filters within scanning applications adds an extra layer of security for the data housed on these documents. When paired with technology that converts the image captured to searchable text, these filters can recognize words like “confidential.” When these types of terms are identified, the files can be automatically encrypted or even deleted.
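As an added illustration of the scanning-side privacy filter described above (and of the redaction step mentioned under Email), not code from the article or from any vendor product: a small Python filter that takes OCR output, looks for marker words like "confidential" and for the data categories the article names, and decides whether a scan is released, held for review, or encrypted. The marker terms, data patterns, action names and the sample OCR text are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# Marker words a privacy filter looks for in OCR output (assumed list).
MARKER_TERMS = ("confidential", "internal only", "personal data")

# Illustrative patterns for the data categories the article names as
# sensitive. These are constructed for the example, not a full PII detector.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "birth_date": re.compile(
        r"\b(?:dob|date of birth)\s*[:=]?\s*(\d{1,2}/\d{1,2}/\d{4})", re.I),
    "bank_account": re.compile(
        r"\b(?:iban|account(?: no\.?| number)?)\s*[:=]?\s*"
        r"([A-Z]{2}\d{2}[A-Z0-9]{11,30}|\d{8,17})\b", re.I),
}

@dataclass
class Finding:
    kind: str   # "marker" or one of the PATTERNS keys
    text: str   # the matched text
    start: int  # offsets into the OCR text, used for redaction
    end: int

def scan_ocr_text(text: str) -> List[Finding]:
    """Return every marker word and data pattern found in OCR'd text."""
    findings = []
    for term in MARKER_TERMS:
        for m in re.finditer(r"\b" + re.escape(term) + r"\b", text, re.I):
            findings.append(Finding("marker", m.group(0), m.start(), m.end()))
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            g = 1 if m.lastindex else 0  # report only the value, not its label
            findings.append(Finding(kind, m.group(g), m.start(g), m.end(g)))
    return sorted(findings, key=lambda f: f.start)

def decide_action(findings: List[Finding]) -> str:
    """Policy: identifiers force encryption, marker words alone force review."""
    kinds = {f.kind for f in findings}
    if kinds & {"ssn", "bank_account"}:
        return "encrypt"
    return "review" if kinds else "release"

def redact(text: str, findings: List[Finding]) -> str:
    """Replace detected data values (not marker words) with a redaction label."""
    out = text
    for f in sorted(findings, key=lambda f: f.start, reverse=True):
        if f.kind != "marker":
            out = out[:f.start] + "[REDACTED " + f.kind.upper() + "]" + out[f.end:]
    return out

# Constructed sample of what OCR might return for a scanned onboarding form.
SAMPLE_OCR = ("CONFIDENTIAL - Customer onboarding form\n"
              "Name: Jane Example   DOB: 04/12/1980\n"
              "SSN: 123-45-6789\n"
              "Account number: 12345678\n")
```

Running `scan_ocr_text(SAMPLE_OCR)` yields one marker and three data findings, `decide_action` returns "encrypt", and `redact` replaces only the three values while leaving the "CONFIDENTIAL" marker visible for the reviewer.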

Preparing for GDPR

GDPR’s sweeping regulations are introducing a host of new requirements. While the focus is often placed on cybersecurity threats, server and database hacks, and stored electronic data, paper documents, paper records and data transmitted across corporate networks are all too often overlooked.

Forbidding paper in favor of an electronic-only data environment is an option in some cases, but the stark business reality is that most organizations are not willing (or able) to transition to a completely paperless workflow. Against this backdrop, organizations must ensure their paper records adhere to GDPR guidelines, which will require focus and discipline. Techniques such as those described above provide important first steps toward integrating physical and electronic document management, giving the two data types equal priority and achieving a more comprehensive level of GDPR-readiness.

This article originally appeared in the November 2017 issue of Workflow

directs the worldwide marketing and global alliances for Nuance’s Document Imaging division. Previously, he was director of Product Management for Nuance’s Productivity Division where he successfully drove growth and expansion of speech and imaging technologies. He came to Nuance in 2000 from Xerox Corporation where he held a variety of marketing and strategy positions. Strammiello holds a B.S. in marketing from the University of Connecticut.