How to ensure GDPR compliant records management and storage
Mark Wilton-Steer | 07 Oct 2019

How to ensure GDPR compliant records management and storage

The General Data Protection Regulation (GDPR) contains explicit provisions about documenting your processing activities. The ICO (Information Commissioner's Office) states that you must maintain records on several things such as processing purposes, data sharing and retention.

These records can be kept in physical format, but it is highly recommended that you store these digitally. Not only will this mean you’re ensuring compliant records management but you may be required to make the records available upon request to the ICO in case of investigation or comply with a subject access request. If you’re unable to locate and provide the proper documentation, you could be subject to serious fines.

What do I need to keep a record of?

Record-keeping regulations apply to both controllers and processors employing 250 people or more. Keeping records to a high standard will increase the effectiveness of your overall GDPR compliance processes.

These are some of the things that you must keep a record of as a minimum:

  • Name and details of the organisation (and where applicable, of other controllers and the data protection officer)
  • Purpose(s) of the processing
  • Description of the categories of individuals
  • Description of the categories of personal data
  • Categories of recipients of personal data
  • Details of transfers to third countries or international organisations (including documentation of the transfer mechanism safeguards in place)
  • Retention schedules
  • Description of technical and organisational security measures

Therefore, documenting your processing activities is extremely important. Not only is it a legal requirement, but it can help you demonstrate your compliance with the GDPR, therefore improving the overall reputation of your company.

Conduct an audit of your records

Doing an information audit can help assess whether your organisation is following good data protection practice. Companies are required to have a system in place that enforces data keeping policies and they must regularly review this data at appropriate periods, in order to see if it is still necessary to keep the data, or if it needs to be destroyed.

Auditing your data plays a vital role in ensuring you are compliant, as it looks at whether you have fit-for-purpose policies and if you are following data protection legislation in accordance with the type of documents you are processing.

To conduct your audit effectively, you'll need to record details of each stage of the lifecycle of any personal data that you have: from its creation (or receipt from a third party) right through to the decision to destroy it or transfer it onward further down the line.

By using manual methods or technology, you'll find out the following things about information you hold:

  • Where it came from and how it got there
  • Why you have it and what purpose it serves
  • What your lawful reason is for obtaining and using this information
  • Where it is stored and how it is protected (and how well you do this)
  • Who it could possibly be shared with and how this could happen
  • How long it needs to be retained/kept for
  • When and how it will be destroyed if needed

You will benefit from an audit because it will allow you to identify what you are doing well and what you need to improve. 

However, you need to consider how you will manage information on a day-to-day basis - and this is where sourcing a records management and archiving supplier can help.

Outsource your records management 

It can be overwhelming to audit large volumes of information - especially if they’re in paper format and stored in the likes of filing cabinets and folders. Organising information manually can be a huge task and will require time, money and resource - which isn’t good for the overall productivity of your business.

Because of this, it may be an idea for you to consider outsourcing your records management and storage to an expert supplier that can help you to assess if and for how long you need to store your business documentation. Which in turn will save you office space, offsite storage costs and help to keep you compliant.

Here are some of the other benefits of storing your documents with an offsite records management provider;

  • Identifying and prioritising vital information: only storing frequently accessed documentation in your office and at hand, with those files only occasionally required stored securely and safely offsite.
  • Boosting efficiency: by removing less useful, inactive information, you can ensure that you only have relevant records to hand—increasing the speed of retrieval and therefore productivity.
  • Improved security: a trusted offsite storage supplier can offer very secure facilities to store your information, with intrusion and fire alarm systems in place.
  • Ensuring disaster recovery and business continuity: while large disasters are unlikely, small ones can affect day-to-day business and productivity which can be prevented if you outsource a supplier.
  • Complying with regulations: an external offsite storage provider can help you organise your records to comply with GDPR, including destroying data on your behalf in accordance with your retention policy.
  • Better utilising your employees’ time: when an employee's time is spent maintaining and managing physical records, it takes time away from more important tasks 
  • Reducing costs: you could be spending an unnecessary amount on storing documentation in-house. By storing your infrequently accessed documentation offsite, this space could be put to better, more valuable use. The average cost of storing a box offsite for a year is £3, the equivalent of space this takes up in the office environment could be more than 10x this.
  • Gaining back control: Properly labelled, indexed and stored records afford better end-to-end information management.

By managing records in-house, not only do you risk being non-compliant with GDPR regulations, you often spend an unnecessary amount of time and money on storing and maintaining this information - so it makes sense to leave it to the experts.

If you outsource to a supplier that can handle the management and storage of your records, you gain a safe place and ultimately an extension of your office for a fraction of the cost and reassurance that you are fully compliant with GDPR regulations.

If you want to learn more about how your organisation can become fully GDPR compliant with your records management and storage, speak to one of our RIM experts today.

Speak to a RIM Expert

About the author

Mark Wilton-Steer