GDPR Document Strategy Checklist
Paper is just one part of the problem. Corporations have traditionally viewed document management overall as an overwhelming task encompassing both paper and digital documents. The same survey from AIIM found that the management of digital documents, including Microsoft Office and scanned documents, is often characterized by workers as “chaotic” or “somewhat mismanaged.” With GDPR, document management gets no easier, and its shortcomings become even riskier. It doesn’t need to be this way. When it comes to shoring up document management processes in a GDPR world, think evolution, not revolution. Follow this checklist to ensure documents, both paper and digital, are compliant with the EU’s new regulations:
Digitize paper documents—Digital documents are inherently more secure than paper documents. Compared to paper documents, there is less opportunity for inappropriate access, tampering and loss. Digitization is the first step to improving document security. Today, tools are available that enable even the most daunting volumes of paper to be quickly and easily converted to searchable PDFs in bulk, with minimal human intervention. When paper documents become searchable PDFs, the task of identifying instances of personal data becomes easier and more accurate by eliminating the need for workers to pore over paper documents.
Employ redaction and encryption—Digital documents have another important security advantage over paper: the ability to protect data through redaction and encryption tools. Artificial intelligence tools can automatically identify sensitive data within digital documents, such as social security or account numbers, and immediately encrypt or redact it. This means that even if a digital document is duplicated or distributed maliciously, the sensitive information is still protected.
Secure the MFP—According to a Xerox Quick-Start Guide to Print Security, it’s estimated that 25 percent of print jobs are never picked up at the printer. This puts data residing in paper at high risk, while also wasting significant resources. Unrestricted printing and an undefined printing infrastructure are often overlooked as security threats, but the multifunction printer (MFP) is a crucial place to protect consumer data from accidental security breaches. A variety of tools are available that can safeguard the MFP and target at-risk transition points when data is converted from paper to digital or vice versa. “Follow me printing” holds jobs in a print queue until an authorized employee authenticates their identity for pickup with a code or ID badge. Businesses should also look to set parameters around the MFP that restrict what can be printed by whom, what scanned documents can be routed and where, and what information should be redacted before printing.
Log the handling of documents—The MFP controls described above are examples of logging techniques that make it much easier to identify who is accessing what data (both paper and digital) and when. Audit trails are important because of stricter GDPR-mandated timeframes for reporting data breaches. It is also important to remember that even if an organization is GDPR-compliant, it might still experience a data breach and need to report it. Logging capabilities that include timestamps make it easier to demonstrate adherence to breach reporting guidelines.
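As an added illustration of the redaction and logging items above (not part of the original article and not any vendor's tool), the Python example below redacts US social security numbers and checksum-valid IBANs from text extracted from a searchable PDF, then emits a timestamped audit record. It substitutes pattern matching and checksum validation for the AI-based identification the article mentions; the function names, the choice of IBAN as the account-number format, the log fields and the sample text are assumptions.

```python
import hashlib
import json
import re
from datetime import datetime, timezone

# Assumed patterns: US SSN with never-issued ranges excluded (area 000/666/9xx,
# group 00, serial 0000), and an IBAN candidate with optional spaces.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]){11,30}\b")

def iban_is_valid(candidate: str) -> bool:
    """ISO 13616 mod-97 check, so look-alike reference strings are not redacted."""
    s = candidate.replace(" ", "")
    digits = "".join(str(int(ch, 36)) for ch in s[4:] + s[:4])
    return int(digits) % 97 == 1

def redact(text: str):
    """Return (redacted_text, counts) for SSNs and checksum-valid IBANs."""
    counts = {"ssn": 0, "iban": 0}

    def ssn_sub(match):
        counts["ssn"] += 1
        return "[REDACTED-SSN]"

    def iban_sub(match):
        if not iban_is_valid(match.group(0)):
            return match.group(0)  # fails the checksum: leave untouched
        counts["iban"] += 1
        return "[REDACTED-IBAN]"

    text = SSN_RE.sub(ssn_sub, text)
    text = IBAN_RE.sub(iban_sub, text)
    return text, counts

def audit_record(doc_id: str, user: str, original: str, counts: dict) -> str:
    """One JSON log line: who processed which document, when, and what was found.
    Stores a hash of the original text, never the personal data itself."""
    return json.dumps({
        "ts": datetime.now(timezone.utc).isoformat(),
        "doc_id": doc_id,
        "user": user,
        "sha256": hashlib.sha256(original.encode()).hexdigest(),
        "redactions": counts,
    }, sort_keys=True)

# Constructed sample standing in for OCR output; not taken from any real document.
SAMPLE = ("Applicant SSN 123-45-6789, refund to GB82 WEST 1234 5698 7654 32. "
          "Order ref GB00 WEST 1234 5698 7654 32 and ticket 000-12-3456 stay as-is.")
```

Pattern matching like this misses personal data that has no fixed format, such as names and addresses, so it complements rather than replaces a manual or tool-assisted review.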
GDPR is a complex, sweeping law, and even though the May 25 deadline has passed, many organizations still have areas and processes to improve. Paper is often overlooked, and it would not be surprising if many companies failed to consider paper-based data when preparing for GDPR. As of today, achieving GDPR compliance only requires organizations to prove that they’re putting their best foot forward and making their best effort to protect sensitive data. That’s good news, but businesses should not be satisfied with “trying” as their final step. In many ways, GDPR is a great trigger to address onerous document management issues, while driving other organizational advantages including greater worker efficiency, productivity, and reduced costs. Forward-thinking companies will look past GDPR as a burdensome requirement, and instead leverage it as a strategic opportunity.