As part of our normal work, we get to visit lots of business customers premises across the South-East, primarily in Sussex, Surrey and Kent and have many customers in Eastbourne
It never ceases to surprise us how long some businesses keep their records, for example, the one that had been storing its old records each year into their attic above their premises, then when they needed to move, there were 20+ years’ worth of records and tonnes of paper stored above them, it was a wonder the ceiling didn’t collapse.
Then there was a customer whose business, at its peak, had employed over 600 people and they had never thrown any documents away since the business was founded in the 1880’s, they had even kept huge piles of the old-fashioned dot matrix computer paper for the weekly payrolls with people’s salary details going back to the 1970s when that type paper started to be used, we ended up shredding 27 tonnes of records at that location.
So, if you have a lot of old documents and records in storage you are in good company, but in May 2018 the General Data Protection Regulation (GDPR) will come into effect throughout the EU and will replace the UK’s current Data Protection Act. There are only 9 months left to meet the May 2018 deadline so now is a good time to take stock of your own business, and its storage before next year. GDPR will not only change how a business deals with cybersecurity threats, database vulnerabilities and hacking but also how data is moved around from computer to computer, plus it will cover all types of media.
The consequences of falling foul of the GDPR are shocking, regulators will be able to impose fines up to €20,000,000 or 4% of the organisations total worldwide annual turnover. Why I hear you say is that an issue for us with our old paper records stored away?
This depends on what type of records you have, typically about 6 years for most business records, i.e. long enough for the tax authorities to go back at least five years after filing of those records.
There are very long retention periods in the health sector, for example, GP records should be retained until 10 years after the patient's death or until someone has left the EU. All records for children should be kept until the patient is 25, or eight years after their death, if sooner.
Maternity records must be kept for 25 years after the birth a child, records associated with mental health should be kept secure for 20 years after the last contact between the patient and the healthcare professional, and for 8 years after their death if sooner than 20 years. Electronic patient records must not be destroyed or deleted for the foreseeable future.
Remember though, however long the information is retained, this is irrespective of format and includes: paper, DVD, CD ROM, magnetic tape, microfiche and electronic records.
Whilst organisations can often set up their electronic records systems to flag those records that are due to be destroyed in accordance with the GDPR, staff often make printed copies which then sit in a folder somewhere, so that when the digital file is destroyed a paper version could be still retained somewhere, resulting in a non-compliance and then prosecution.
The GDPR states “Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as the data will be processed solely for archiving purposes in the public interest, or scientific, historical, or statistical purposes……”
Once a record is past it's required use date, ensure it is destroyed, digitally by the deletion on all databases or by shredding and recycling the paper records.
These days it does make sense to work with digital images, this means moving to a system where all inbound documents are scanned and stored as part of your information management processes with the GDPR deadline next May, is it makes sense to go paperless.
This of course, as with many things is simpler said than done. You can control all the new records as they are created, but then the major task for any business is scanning all those records that are still valid and need to be retained, or even just being able to sort these out from all the other records in storage.
There is, of course, a cost for these systems, which must be borne in mind and of getting the old paper records destroyed, which can be done at the end of the scanning process or sequentially as you go along, the latter may well help you to free up space and of course lessens your risk of holding unnecessary records and running foul of the GDPR.
When I joined Shredded Neat I found that whenever we visited a customer and left them with a Contract or a Duty of Care Waste Transfer Note, we had three copies of each note, white yellow and pink – why?
No-one seemed to know, so the next time we reprinted them we dropped down to two copies, one for the customer and one for ourselves and nobody noticed! What happened to all those pink copies? Presumably, most were either filed with the yellow copies by ourselves or destroyed.
The other area to watch out for is when people print off documents so they can read them instead of on the screen, or print off numerous copies for a meeting perhaps, maybe they were all put into packs and folders and circulated to staff?
Where did they go, who took them, are people wandering around with briefcases full of your confidential documentation, how much do they have at home??
I bet some of your staff’s domestic document processes leave a bit to be desired, if they are dropping them in the rubbish bin, then pretty much anyone could be reading them from their cleaner to the bin means, or anyone walking past as landfill - as paper tends to blow about.
Human error and handling of documents can result in a complete lack of document control and exposes your organisation to a data breach.
You may well have read a lot recently about people who have inaccurate or damaging information about them left on websites or social media sites. The right to erasure (the right to be forgotten) is a simple principle, which gives the person the right to request the deletion or removal of their personal data.
So, if your organisation gets asked to do this and any data relating to the inaccurate or damaging information needs to be destroyed, just imagine how difficult that’s going to be if some of this information is stored away in paper files somewhere as well, they might be in the building, or in off-site storage, let’s hope your off-site storage doesn’t look like this.
All the while that information lays in storage somewhere you are potentially in non-compliance with the GDRP and open to prosecution and potentially a huge fine.
So - our recommendation is to sharpen up your storage plan, make time in your busy schedule to have a clear out, remove old boxes and folders and then make sure what has to be destroyed is placed somewhere secure prior to collection.
The records that need to be destroyed should be ideally well away from your storage area, so that staff don’t just add their own documents to the pile of more current information, and somewhere only key members of staff will have access to.
At Shredded Neat, we can provide many different types of a temporary storage container for you waste records until they are ready to be collected, from sacks with ties through to 1100L bins and take away filled container very quickly if you are based in the Eastbourne area or elsewhere in Sussex.
Member since: 17th May 2012
Has been involved with the running of Shredded Neat Limited since 2012, mainly focused on business development and environmental performance having spent 37 years in the environmental sector and run nearly...