5 ways your data is vulnerable to GDPR compliance violations
Written by: Ruth Gooda
Publish Date: Mar 21, 2019
Read time: 8 minutes
With GDPR in effect, many organisations such as those in the healthcare and financial sectors need to review the way data is being handled, and whether or not this data is compliant with the regulation.
Organisations in these sectors handle a great deal of personal data on a daily basis - from patient records to sensitive financial information - and more often than not, this data is in physical paper format, which can pose a number of compliance risks if handled incorrectly.
Here are the five top ways that this data can cause a violation of GDPR compliance:
Read the article to learn more about what causes your data to be vulnerable in the face of compliance and how digital document scanning can help to combat this.
Paper documents can easily be misfiled and subsequently, lost forever. This is because they’re manually handled and that exposes them to inevitable human error.
An example of this was a recent case in February 2019 in the media relating to the healthcare sector. The case regarded a major London Trust that had failed to provide the complete medical records relating to a deceased patient’s care as part of a complaint case. The highly respected Trust was accused of “inadequate record-keeping and maladministration”.
This case highlighted a problem faced by many Trusts, which are under immense pressure to manage an increasing amount of paper. With medical records libraries becoming full and racks too tightly packed to pick records efficiently, overspill records are being instead stored in unsuitable environments. As a result, staff do not have time to file correspondence, meaning that health and safety and patient confidentiality risks are exposed.
Due to this risk in compliance violations, the NHS has since launched its 10-year plan - with one key focus being digitisation. Trusts should develop a plan to start digitising their own medical records if they haven’t already, or risk the consequences.
There are still many organisations using historical file formats such as microfiche and microfilm. However, due to their age, these formats are at dangerous risk of deterioration and might be difficult to access, thus opening up potential compliance violations.
Some of the biggest drivers to digitise this type of media include:
Increasing speed of access to information
Allowing shared access
Diminishing the risk of deterioration - Film has a long life expectancy, but only if stored in the correct conditions. Through regular usage the condition of records could be affected
Understanding what customer information is being stored, under GDPR
You may also like this article > GDPR's Impact on Data Capture
Although paper filing levels are reducing in some industries (refer to our ‘How does your Industry measure up?’ infographic), large volumes can still be found in unlocked cabinets in unlocked filing rooms, and on office floors. This relaxed approach means the information being stored is accessible to all, which makes it difficult to track the movement of records within the organisation.
In October 2018, a Portuguese hospital was fined EUR 400,000 for two counts of violation of GDPR. The first fine of EUR 300,000 was due to non-compliant, irregular access to privacy data because too many people had access to what should have been private patient information.
More organisations are moving towards a shared services business model, which doesn’t support paper filing. As paper files can only be available to one employee at a time, it means they cannot be worked on simultaneously therefore creating longer and slower business processes.
The need for increased staff productivity can give way to a lack of document control and result in organisational data breaches. However, through the digitisation of information, records are instantly available to staff in multiple locations. Instant accessibility allows employees to make quicker, informed decisions in a secure way. If a document management platform is utilised, a full audit trail of activity is captured against each record. This lays the foundation to introduce simple business process automation freeing up employees’ time to focus on skilled work.
To apply the correct retention period to your business documents, you must first ensure that data is correctly catalogued. This also comprises any documents being stored off-site. These could be documents that have been scanned or original documents.
Regardless, all data must be compliant with the principles of GDPR and retention periods must be applied. It is also equally important that data that is no longer required is securely erased regardless of whether in paper or digital format. There has been an increase in a requirement for ‘lift the lid’ projects where boxes that have been stored in archives, in some cases for decades, are being retrieved for an inventory to be created of its contents allowing organisations to apply retention and take appropriate action.
Ensuring your data is GDPR compliant
If this article has demonstrated anything, it’s that organisations who do not take the necessary steps to protect data, risk facing the consequences of non-GDPR compliance. Organisations need to look for solutions that will help them to manage and store sensitive personal data effectively to mitigate the risks of huge regulatory fines.
If you’re unsure if your organisation is GDPR compliant, download our free short infographic that demonstrates the 12 key steps that organisations should be taking without delay.