GDPR: Organisations ignoring paper-based risks, warns Xenith MD Justin Milligan
Lost and stolen documents a bigger source of data breaches than email, yet UK organisations are ignoring paper in their GDPR compliance strategies
Organisations are under-estimating - and even ignoring - the challenge of ensuring that paper-based documents and business processes are compliant with the forthcoming EU General Data Protection Regulation (GDPR).
That is the warning of Xenith Document Systems' managing director Justin Milligan, presenting at a packed-out Computing IT Leaders' Forum this week.
"If you look at the GDPR, of course it applies to automated personal data. But it also applies on a much wider scope to manually filed paper than the old Data Protection Act ever did," warns Milligan.
He added that for organisations with more than 250 staff the GDPR also entails not just being compliant, but being able to show that the organisation is compliant, using retention schedules, accountability, record-keeping and other measures.
While that is challenging enough with computerised records and business processes, projects already underway can help organisations achieve this level of compliance, as well as helping them to more efficiently manage subject-access requests under the GDPR.
But how can organisations demonstrate that their manual, paper-based processes are also GDPR compliant - not to mention efficiently meeting the GDPR's 30-day deadline for subject-access requests - asked Milligan.
The scale of the challenge is reflected in the fact that managing paper and paper-based documents remains a significant security challenge for organisations as well.
Milligan pointed to Risk Based Security's 2016 Data Breach Report, which indicated that lost, stolen and mislaid documents account for more data breaches than email.
Furthermore, added Milligan, there's a significant gulf between UK organisations' preparedness for GDPR in this area and US organisations' preparedness, according to research by analyst group Quo Circa.
It found that while only 38 per cent of UK organisations' GDPR strategy included print, some 75 per cent of US multinationals' GDPR encompassed print.
Major US organisations, suggested Milligan, had already tackled similar issues with the Sarbanes-Oxley Act, passed in 2002 after the Enron, WorldCom and other financial scandals in the US.
Sarbanes-Oxley included measures intended to tackle corporate and criminal fraud, which entailed severe penalties for executives if their organisations were found to have manipulated or destroyed financial and other records, including emails and paper documents.
Those severe penalties helped concentrate executive minds, kicking off a frenzy of activity among major US organisations, meaning that many (but by no means all) of the document and records-based issues entailed by the GDPR have already been faced by US multinationals operating in the UK and across the European Union.
With less than nine months until the GDPR fully comes into force, time is already running short for many organisations.