How to choose a GDPR compliant records management supplier

Records Management Decision Automation

How to choose a GDPR compliant records management supplier
Picture of Mark Wilton-Steer

Written by: Mark Wilton-Steer
Publish Date: Nov 25, 2019
Read time: 8 minutes

For businesses handling personal sensitive records, they must be able to demonstrate compliance with GDPR when it comes to how they manage, store and retain this information. However, doing so will mean your business would need to ensure that it has the resources and means to be able to do this effectively. It can be an overwhelming task to constantly manage and will likely take staff away from more business critical work. These days, businesses are turning to outsourced records management suppliers - but how can you ensure that your supplier is GDPR compliant?

Read our article to learn how best to choose a records management supplier that is GDPR compliant - from their off-site storage facilities to their archiving processes.


Surprisingly, many businesses are still storing their sensitive and business critical documentation on-site, and in paper format. The question is whether adequate safety measures have been put into place to ensure the stored information is only accessed by the right people. A locked filing cabinet or a locked room can only take you so far in terms of security. Once accessed, records are untraceable and could be misplaced, lost or even damaged, not to mention information being copied and left lying around. Any one of these instances could mean a serious breach of GDPR.

Outsourcing to the right records management supplier will mean your records would be stored in a secure off-site facility. Not only that, but a good supplier will ensure they have staff who are fully vetted and follow clear cut processes and protocols - meaning your sensitive data will be safe.

Retention period

If you’re managing your own records management, it could take away many hours and resources that your business can’t afford to accommodate. A records management supplier should be able to work proactively with your business to make sure that all of your records are assigned with a compliant retention date - in line with GDPR and your company’s records management policy. This also means the supplier will understand what is to happen to records when they meet their retention date, whether:

  • Records are to be signed off for destruction, or
  • Given an extended date should the record need to be kept for a longer period

Improve your business' GDPR compliance: Speak to a RIM expert


All records management suppliers should have the main suite of accreditations, including:

Additionally, a supplier who is PCI-DSS approved means they can legally store and manage credit card data - particularly useful if your business holds this type of sensitive information.

Ensuring your supplier can meet these requirements only serves to provide more peace of mind for your business, ensuring you meet compliance and regulation standards.


If you’re going to use an outsourced records management supplier, it will mean your records will be living in an off-site storage facility. A good supplier should be able to provide logistics services that can pick up your records and take them off-site on your behalf. But you must ensure that you would be able to track your records’ journey.

Be certain your supplier can offer tracking functionality to give you visibility of your records at box or file level, once they leave your premises. Your supplier should be able to offer you the comfort of GPS tracked owned vehicles giving you full traceability of your records in transit.


While this point isn’t directly related to GDPR compliance, working with a records management supplier on a consultative basis is a definite bonus point. A good supplier can help your business set-up detailed retention policies that are focused around the sector you work in - so expert knowledge of the nuances in your sector is a must.

These retention policies can then be implemented and rolled out throughout the business, making sure that all staff understand the process. Retention rules can also be built into your archive request system, meaning that depending on the document type selected to be sent to off-site storage, the retention period will be automatically adjusted and this ensures no information is sent to off-site storage without a retention rule applied.

Ensure your records management is GDPR compliant

Certainly, changing your current records management processes can be a big job - but when it comes to GDPR compliance, it’s of vital importance. Choosing the right supplier also means you should understand the following:

  • About the supplier and their reputation
  • Whether they are financially stable
  • If they are well established as an archiving and off-site storage company
  • If they can show proof of delivery
  • If they can demonstrate a range of services to different industries
  • Ensuring their facilities are of a high standard in terms of maintenance and structure
  • If they use proven software and applications for records management and archiving
  • Whether the supplier has a client facing records management portal
  • If you are able to request a full range of archiving services (e.g. searches, online requests, cataloguing, new archival)
  • If the supplier can offer enhanced services that you could use in the future, such as scanning and digitisation services

When you outsource to a records management supplier, you need to understand without a doubt that they would be able to handle your records in a safe, secure and compliant manner. A supplier should be able to provide your business the reassurance that you will be fully GDPR compliant.

If you want to learn more about becoming GDPR compliant with your records, speak to our RIM expert to find out.

Speak to a RIM Expert

Related Articles