General Data Protection Regulation
For information that is accessed and referred to on a regular basis, our recommendation may be to scan the documents with the resulting data either maintained on internal systems or on one of the cloud document management systems that we can provide. Equally Storage with scan on demand may be the most cost effective approach, it really dos depend on the volume of records and the frequency of access.
Scanning is quick and efficient with documents indexed as per your requirements. Once scanned information really is at your fingertips and retention policies can be applied.
So long as the scanning is undertaken in line with BS 10008, the originals can be shredded relieving the cost of ongoing storage.
As with physical documents it remains critical that retention is properly managed and enforced, however this can now be automated reducing administration costs.
Rarely Accessed Information
Usually off-site archive storage will be the most cost effective approach for information that is rarely accessed but must be retained for reasons such as compliance. Again however, it will depend on the quantity of information to be stored and the frequency of access.
For example, company A may have 10,000 archive boxes which they access, on average, at the rate of 1 per business day (approx. 250 access requests per year) as a percentage this access rate is very low 2.5% per year. Company B on the other hand may only have 100 archive boxes and make one access request per fortnight (26 per year) giving an access rate of 26%.
For company A, the access costs represent approximately 16% of their annual archive storage costs, whereas for company B the access costs represent 57% of the annual storage costs.
Based on 7 years average retention period, for company B the cost of scanning the 100 existing boxes provides a saving of 39% over that of storing them for 7 years accessing at the rate of once per fortnight on average. Depending on the prices negotiated, this saving could be as much as £3,000 plus it brings all of the benefits of instant access to information.
For company A, storing the boxes, even with daily access, represents a saving of 5% over the 7 years used for the calculation, depending on prices negotiated this could be a saving of around £15,000.
Even accounting for the simplistic nature of the above calculations, for company B, scanning is definitely the most beneficial. For company things are a little more complicated and we would recommend a detailed study of the actual usage (i.e. repeated access to the same box may account for a large percentage of the access costs) to discover the most cost effective approach which is very often a hybrid of storage and scanning.
For business critical information where only one complete copy is in existence and this is paper based, it is recommended to scan the paper records to digital files AND to store the originals in secure archive storage. This belt and braces approach ensures that not only do you have access to the information at the click of a mouse, but you also have the backup of access to the originals should the need ever arise.
By creating and strictly applying business rules to information, costs can be kept to a minimum ensuring only the mot important information is stored both electronically and digitally.
At BCDM we have evolved to ensure that our customers have comprehensive tools at their disposal to enable total compliance with the GDPR and Information Security Standards. Our services help our customers with:
- Secure Off-Site Document & Records Management Solutions;
- Secure Document Scanning & Indexing Services;
- Document Inventory Services;
- Confidential Waste & Secure Shredding;
- Secure Backup Media Storage, Rotation & Management ;
- Data Recovery Services;
- GDPR Consultant Provision.
Paper Documents & GDPR
In many organisations, the GDPR focus is firmly on digital/cyber assets and systems with paper records often being overlooked. With the potential of massive fines along with the risk of damage to reputation, paper documents and records must not be ignored. Thankfully here at BCDM we can help you ensure that you are compliant. Key areas to consider are:
Ability to Identify & Locate Information
It has always been key to ensure that you know what information assets your organisation holds in paper format. The GDPR brings changes including free of charge subject access requests along with the right to be forgotten which introduce new challenges for organisations who are less organised than they could be.
GDPR brings a number of requirements for the storage of information:
- You must not keep personal data for longer than you need it.
- You need to think about – and be able to justify – how long you keep personal data. This will depend on your purposes for holding the data.
- You need a policy setting standard retention periods wherever possible, to comply with documentation requirements.
- You should also periodically review the data you hold, and erase or anonymise it when you no longer need it.
- You must carefully consider any challenges to your retention of data. Individuals have a right to erasure if you no longer need the data.
- You can keep personal data for longer if you are only keeping it for public interest archiving, scientific or historical research, or statistical purposes.
The above (source https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/principles/storage-limitation/) makes it clear that thought must be given to what you are retaining, why and for how long. It is therefore essential to have proper document control in place that is derived from polices that are GDPR compliant.
In addition, the best protection for personal information is to remove it from harms way – off-site is usually the best option for this given that your archive storage partner will enable you to maintain a complete audit of access and actions related to the information stored, reducing the risk of human error and malicious access.
Ability to Access & Share Information
Once information is securely stored and an accurate inventory has been created it is essential that you can quickly access and when necessary share this information, whether for internal business purposes, compliance reasons, audit or subject access requests.
Our experience shows that the most cost effective method will depend on the type of information, the frequency of access and who critical the information is to the business.
Business Critical Information
For business critical information that only exists in paper form, it is recommended to both scan and store the documents. This gives the benefit of access for review at the click of a mouse with the ability to fall back to the originals should the situation arise.
To minimise costs, it is essential that information is properly categorised and retention policies are rigorously applied.