Wow, what? Physical format? Paper!?
GDPR APPLIES TO PHYSICAL AKA PAPER DOCUMENT WITH SENSITIVE CUSTOMER INFORMATION!
Did I blow your mind? Is this the first time you have ever heard this? I'm pretty confident that it is. Personally, I've never heard a single person talk about it.
While the drafters of the GDPR intended for it to be “technologically neutral,” the regulation only applies in two situations: (1) where processing of personal data is conducted by “automated means,” and (2) where processing of personal data is not conducted by automated means, but the data “form[s] part of a filing system or [is] intended to form part of a filing system.”
Let's look at number 1, “automated processing” – we assume that this means data stored electronically. After all, in what situation would physical data be “automated”? One example would be records/data that are in the process of being converted to a digital format (Ex. uploading your old paper contracts or employee files to the Cloud).
How exactly would number 2 apply to physical records/data? The term “filing system” is defined as “any structured set of personal data which [is] accessible according to specific criteria, whether centralized, decentralized or dispersed . . . .” Meaning, any files that “are not structured according to specific criteria” do not fall within the scope of the regulation. What the eff does that mean? In normal terms, it means any documents that are currently being handled: sitting on your desk waiting to have their data input into your system, being printed off of the printer, being scanned into the network, etc.
Those examples can arguably be claimed to fall outside the GDPR, as they are not “structured or accessible to easily be searched.”
Number 2 says: where processing of personal data is not conducted by automated means, but the data “form[s] part of a filing system or [is] intended to form part of a filing system.” Again, in basic terms, paperwork that is filed away and can easily be searched is subject to the GDPR. So, paperwork that is in a filing cabinet....? Yup.
The following are a few examples of common situations in which paper records are arguably governed by the regulation:
Files placed in a filing cabinet indexed by name.
Files placed in wall-mounted file hangers that are labeled and sorted by name.
Payroll files and new hire paperwork (Ex. I-9s, W-9s).
Expense reports that are sorted by function (Ex. hotel, travel, etc.) and then internally sorted by employee.
Human resource records that are sorted alphabetically by employee.
Employment or vendor contracts.
Personal banking and accounting records for your clients.
I want to make one thing very clear: this does not only apply to an office setting. This absolutely does apply to home offices. If someone who is not authorized, or who is not part of your business, accesses any type of data that falls under the GDPR, it will be a GDPR breach and violation. Your clients' privacy is equally important whether or not you are in an office setting. That is something that we tend to be very lax about. It's our home, what could go wrong? What could actually happen? Well, a lot could happen. Family members, children's friends, your friends, the cleaning lady, the pest control person, the contractor that is remodeling your home, Geek Squad, the nanny, etc.
GDPR fines are massive and are per-instance. This is actually a very easy “fix” and in some cases may not even require you to spend any money: if your desk has a lock, use it. If you have a filing cabinet with a lock, use it. If not, go buy one, or buy a cheap doorknob with a lock and use a closet to secure your paperwork.
Our next blog will talk about how GDPR applies to emails and scanning documents....I bet you can't wait!
This post is not legal or financial advice and is only educational in nature. This post does not constitute a consultant-client relationship.