The risks of storing physical documents in-house

In many cases, keeping hold of physical documents is an essential business practice. Electronic copies often do not constitute sufficient proof in certain legal and financial contexts, and the vision of a ‘paperless office’ is simply not realistic for businesses that deal primarily in legal contracts, mortgage papers, and classified documentation.

However, all businesses should heed the main risks associated with keeping paper copies of important documents in their company offices. Compared to computerised methods of storage, it may seem outdated and unsafe. After all, it’s harder to encrypt and restrict access to a paper document than it is a digital file. And while there are safe ways of storing hard copy documents, you need to assess the risks associated with your own methods of storing such documents before any degree of safety is 100% guaranteed. Only then can you rest easy in the knowledge that your physical data is in safe hands. Let’s take a look at the main risks…

Damage

With workers making heavy use of electrical outlets and strained equipment that can overheat, office spaces are more vulnerable to fires than the average home. In the event of an office fire, there is a risk of losing your entire company archive as flames spread quickly through the paper. This risk is exacerbated by the fact that physical documents are usually kept in the same place, such as a set of filing cabinets or a storage room. Similar risks are also posed by moisture: workers can spill drinks, sprinklers can go off, pipes can leak, and moisture can build up in unventilated rooms. This kind of damage can be irreparable, whatever the source may be.

While you may be able to recover damaged electronic files from backups you have made, backups of physical documents cannot maintain the authenticity and validity of the original – photocopies and scanned copies of the original hard copy cannot be considered sufficient proof. In other words: if a paper document is damaged as a result of these common office hazards, there’s no going back. So what can you do to protect your physical documents from damage?

You could update your paper storage system to ensure that all your documents are protected, but fireproof and waterproof storage boxes are often too expensive and lacking in capacity. Office managers can (and should) take provisions to mitigate the risk of fire and water damage, but you should be aware that these risks can never be eliminated outright unless the documents are moved to a much safer location away from untrained employees and electrical equipment.

Security risks

Although there is a large emphasis on the benefits of digital storage for modern businesses, there is still a need for some companies to store their documents in physical form. However, paper documents can easily fall into the wrong hands in just the same way as digital files can, and businesses should still be taking measures to protect against physical security breaches. This process will involve placing internal restrictions on who can access certain documents, storing documents in a safe and secure location, and destroying documents in a secure way.

Businesses that maintain a relaxed or inadequate approach to the security of their documents are putting their sensitive documents at risk of being stolen or accessed by the wrong people. You may be wondering how exactly your paper documents are at risk when you are keeping them locked in office cabinets. In truth, even if your office is protected against external access, you still cannot guarantee that your documents are secure. Many security breaches are internal, carried out by people within a company who already have easy access to the physical system. Likewise, paper documents can be compromised after they have been destroyed and have made their way out of the office in rubbish bags – we talk more about the risks of insufficient document destruction below.

This shows that storing physical documents in your office does not fully guarantee their safety. Access to physical documents should be heavily restricted and tracked according to strict guidelines and procedures – employers may want to consider hiring a data security manager who can help implement these measures and safeguard your physical systems. Alternatively, since bringing on a new hire involves considerable expense, one way to protect your documents from internal security risks is to keep them in external storage. The best storage companies will keep your documents in a secure and protected system with highly restricted access.

Data loss

It’s no use keeping paper documents in storage if you don’t know how and where to find them. The onus is on businesses to ensure that paperwork is easily accessible to the right employees, that documents are recorded and tracked, and that all data is managed according to a defined (and preferably government approved) protocol. By neglecting these important responsibilities, you make it much easier for information to get permanently lost.

The effects of losing or misplacing your documents are similar to the effects of damaging them: in both cases, it’s almost impossible to retrieve the documents in their original and authentic form. If you misplace the original copy of a signed document, no matter how many copies you have, that document can no longer be used for its intended purpose. The only big difference is that simply losing your documents is most likely to result from poor in-house document management as opposed to circumstances beyond your control (e.g. electrical fires and water leaks).

That is to say, if you are not properly tracking and recording the location of your documents, they are more likely to get lost in the shuffle and never be seen again. While this is a major risk, we’ve established that it is often essential for businesses to keep physical copies of certain documents such as legal contracts, customer data, purchase receipts, and financial paperwork. Businesses have two options – devise and enforce an internal document management system, or outsource the job to a document management company who can scan, organise, and track your archive of physical documents on your behalf. Which of these routes is more convenient in financial and logistical terms largely depends on the business in question. But in either case, your sensitive data is less likely to go missing, your documents will be much easier to retrieve, and your employees will spend less time and effort digging around for papers.

Destruction

We already discussed the risk of your documents being destroyed through accidental reasons. But what about the risk of being unable to destroy your documents enough? Unlike digital files, paper documents cannot be permanently deleted in a single click. Ensuring that your unwanted documents cannot be accessed or stolen after they have seemingly been destroyed requires you to take certain security measures. Most businesses know that it’s unsafe to simply throw important paper documents in the bin, and the use of shredders is common practice.

However, a shredded document is not necessarily an unreadable and inaccessible document – some types of shredding are more secure than others. With more basic types of shredding (such as the type seen in simple office shredders) it is possible for the shredded document to be reassembled and compromised should the scraps fall into the hands of a malicious party. Sure, this might all sound a bit unlikely, but anyone who has been keeping an eye on the news lately will understand that it’s better to be safe than sorry when it comes to protecting company data.

Experts recommend the use of more advanced shredders when destroying paper documents, such as particle-cut shredders with the capacity to grind papers down to minuscule particles, eliminating the possibility of documents being reassembled after destruction. However, professional equipment of this kind can be expensive for ordinary small-to-medium businesses, and many outsource their document destruction to an external shredding company instead. The team at Flexible Storage use industrial pierce-and-tear shredders to securely destroy any paper documents that are no longer needed. Not only will this offer businesses peace of mind, but it will also help reduce the cost and effort required for secure document destruction.

At Flexible Storage, our priority is to meet the long and short term needs of your company while keeping all your documents as safe and secure as possible. Get in touch to make an appointment and discuss your requirements with one of our friendly storage consultants.

Is your business ready for the new GDPR?

Last August, as most businesses will know, the British Government announced their plans to bring the General Data Protection Regulation (GDPR) into law via their new Data Protection Bill. The GDPR marks perhaps one of the biggest shifts in data protection laws in UK history, and all businesses (no matter their size) need to be prepared for its enforcement in May 2018. We’re a professional document storage and management company, so it’s our duty to know all about the GDPR so our clients know their data is in safe hands. In this post, we’ll be giving you the lowdown on how the GDPR works, the kind of changes it brings to the current Data Protection Act (DPA), and what your business can do to ensure total compliance with the changes. It’s still not too late to make necessary changes to your business and avoid getting a penalty!

What exactly is the GDPR?

The new General Data Protection Regulation has a similar function to the Data Protection Act that has been in legislation since 1998. They both aim to control the means by which information is handled by businesses and individuals alike, all while securing legal rights for those who have information stored about them. Since we help businesses manage and destroy large amounts of their confidential data, we are in essence helping them stay compliant with the current DPA and (as of May this year) the GDPR. Our practices are in line with UK legislation, thus reducing our clients’ risk of both government penalties and business fraud.

But the new GDPR is not exactly the same as the DPA, and you will still of course need to pay attention to the major differences and alter your company’s practices accordingly. As the Information Commissioner’s Office states: “Many of the GDPR’s main concepts and principles are much the same as those in the current DPA, so if you are complying properly with the current law then most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from. However, there are new elements and significant enhancements, so you will have to do some things for the first time and some things differently.”

Who will the new data protection regulations affect?

As an EU directive, the GDPR affects all member countries within the European Union. This means that the requirements and recommendations within the regulation apply not only to all businesses within the UK, but also those businesses that hold EU data. Many companies seem to be taking the regulation less seriously because they believe that it won’t be relevant once Brexit overrules EU directives. However, the UK Government have claimed that the GDPR will apply regardless of our departure from the EU. As such, companies should still prepare to change the way they handle sensitive data, even if those responsible are confident that the UK will achieve a so-called hard Brexit. Being unprepared could have dire consequences for both your business and any clients or customers with whom your business deals.

As stated above, the ICO claims that there will be a number of “significant enhancements” to current data protection legislation brought about by the GDPR. What are these enhancements, and how will they apply to your business?

Consent

The GDPR makes it more difficult for companies to obtain the consent of individuals (e.g. via contracts and forms) due to a number of new restrictions. The ICO’s GDPR Consent Guidance document explains how the definitions of consent outlined in both the DPA and GDPR differ, while exploring how companies should go about asking for consent. Perhaps one of the main changes is to the use of pre-ticked boxes within online forms. These tools are used to automatically gain the ‘consent’ of customers (for mailing lists or promotional materials) without having them perform a certain action. With the new GDPR, these will be banned as they bypass the need for customers to actively opt in to their services.

Likewise, businesses are required to keep a record of consent at all times. This involves the need to demonstrate exactly who consented to something, how and when they consented, exactly what they were told before consenting, as well as whether or not they have withdrawn consent after their initial consent was registered.

Individual rights

In addition to placing restrictions on the ways in which companies can gain people’s consent, the GDPR will also grant individuals more rights over their personal data. This will include the following notable rights which have previously been hot topics within the media:

  • The right to object and restrict processing (individuals can object to their data being held)
  • The right to be forgotten (individuals can request or demand to have their data removed)
  • The right to data portability (individuals have a choice over where their data can be sent)

Furthermore, individuals can complain to the ICO if they feel their information is being misused. These new individual rights will not only grant more freedom and power to individual consumers, but also ensure that businesses are keeping in check and not misusing personal data. As such, your business should take extra care when obtaining, using, and storing such data in order to avoid infringing on these strengthened individual rights.

Data protection officers

According to the ICO, certain organisations are required to designate a ‘data protection officer’ to oversee their handling of company or personal data and enforce the GDPR on the scene. These officers can be acquired internally or by hiring a third-party GDPR advisor. In summary, those organisations who now require a data protection officer are as follows:

  • Public authorities (not counting courts acting within their judicial capacity)
  • Organisations that carry out the regular and systematic monitoring of individuals
  • Organisations that carry out the large scale processing of special categories of data (including health records and information about criminal convictions)

The ICO have claimed that these data protection officers have been enforced to ensure that such organisations take “proper responsibility of (their) data protection compliance and (have) the knowledge, support and authority to carry out their role effectively”. For those companies who come under this remit, you had better get on the job hunt before May!

Why should you comply?

Yes, becoming compliant with the new GDPR may seem like a lot of hard work, but it’s worth it – after all, this is a matter of the law. What is at stake if a business fails to comply with the GDPR? In short, you are risking huge fines. While businesses ignoring the DPA faced fines of up to £500,000 (after enhanced powers were granted to the ICO by parliament in April 2010), businesses ignoring the GDPR are looking at much larger fines. The potential punishment will now be a fine of either up to £17 million or 4% of a company’s annual turnover, depending on which is higher (and thus how large the organisation is).

As such, the fine you could receive depends on the nature of your noncompliance, but ideally you will never find out what the exact amount is! If you didn’t take the GDPR seriously before, hopefully you will now that you understand the risks associated with noncompliance.

Under the DPA, it was the responsibility of certain organisations to report major data breaches to the ICO within 72 hours of its occurrence. But with the GDPR, this responsibility extends to all organisations who experience data breaches of a certain type. According to the ICO, businesses should give notice of a breach when it’s “likely to result in a risk to the rights and freedoms of individuals”. This is fairly broad, but they specify that it applies to breaches that may result in significant financial losses, risk to confidential information, damage to reputations, and “any other significant economic or social disadvantage”.

Is your business compliant with the GDPR?

Perhaps the best way to answer this question is by reading through the ICO’s official document on preparing for the GDPR. Many businesses will already be compliant with the DPA and as such will not require major revisions to their company policies. However, with the above changes in mind, all businesses should look at how they deal with consent and individual rights before deeming themselves compliant (read through your existing privacy policy to be sure).

In sum, here are the main questions every business should be asking:

  • Is there anyone within your business who should be informed and educated on the GDPR and how should you go about making sure they stay compliant?
  • How does your business deal with data breaches? Is there a process set in place?
  • Does your business need to recruit a data protection officer? How will you go about doing this in an efficient and responsible way if it is necessary?
  • Is it clear to customers that they can withdraw their consent from your business at any time and that they have a right to file a complaint with the ICO if they need to?
  • Does your business use ‘default consent’ and, if so, what changes need to be made?
  • Who within your business is responsible for keeping track of the destruction of data, and for how long will this information be kept on your company records?
  • How does your business currently handle the storage and destruction of personal data?
  • Are there any immediate changes that you need to make to the way your business implements, enforces, and records these processes?
  • How will you track when, how, and why individuals grant your business their consent?

Do you need help with GDPR compliance?

The GDPR can be tricky territory to navigate for any business, especially for those who require many changes to internal company policy and major overhauls in their storage procedures. However, many of these processes can be outsourced to document management companies like Flexible Storage Solutions. We can help your business comply with the GDPR by:

  • storing your company documents within fireproof boxes and secure vaults protected by 24hr CCTV, ensuring that your confidential data does not fall into the wrong hands;
  • tracking your documents via a secure online document management system which grants you on-demand access to scanned copies of all your physical documents; and
  • destroying any documents you have stored with us using safe and efficient industrial grade shredders while keeping a comprehensive record of all the data we destroy.

We are fully compliant with the GDPR and will be happy to take this load off your shoulders. When you outsource to a company that has knowledge and experience with data protection, you can focus on the growth and success of your business rather than matters of compliance. Interested? Get in touch with one of our professional storage consultants here to get a quote!

How to keep confidential documents safe

Almost every business has control over confidential documents of some kind. Whether these documents concern their own business affairs or those of others, the risks associated with them going missing cover a range of criminal offences and penalties (such as business fraud). Furthermore, those who hold data on behalf of their customers or clients will need to make sure that they are compliant with the impending EU-wide GDPR if they are to avoid further penalties.

With regulations on the horizon, it is more important than ever to safeguard your documents. But there is still time to sort out your safety and security. In what follows, we’ll be taking you through some of the best ways of keeping confidential documents safe throughout your company by implementing preventative measures and data protection initiatives.

Implementing company policies

Implementing company policies helps lay the foundations of data protection in your business. Safeguarding initiatives need to be written into the fabric of your company, each of them understood and followed by all of those within it. Company policies take many different forms, but some examples which are conducive to data protection may be a document retention policy, or a clean desk policy. The policies you choose are up to you, and could be more general.

Whichever you opt for, such policies should always be accessible and understandable. If not, employees may have a hard time taking the measures necessary to ensure a safe and secure information culture within your business. New employees should be made aware of your company policies and trained appropriately. Likewise, when you create or change a policy, employees that the policy applies to should be informed and educated. It is the responsibility of employers to be clear and transparent about all policies relating to data protection if they wish to see significant results and cultivate a fully safeguarded business.

Tracking confidential documents

Do you know exactly where all the confidential documents that exist within your company are being stored at any given time? Do you have a system or data log in place by which you can see where such documents are being stored? If not, you cannot know for certain whether or not all your confidential documents are in fact secure. That is, you cannot know that a document has gone missing if you don’t know where it is in the first place!

Any functioning data log should give access to those who require access (i.e. employees) allowing them to locate physical and digital copies of necessary documents without allowing those who should not have access to use the system. When outsourcing documents to a document storage facility or using a physical filing system, you should be keeping track of documents so that authorised parties can find and retrieve the necessary documents.

On the other hand, when storing documents digitally (e.g. on the cloud or a shared hard drive) you need to be keeping a record of both the hardware and software being used to hold those documents at any given time. While somewhat more difficult than locating confidential documents within a physical system, it is equally important if you want to keep your confidential documents within the company and avoid making yourself prone to criminal offences.

Controlling access to data

But how exactly do you make sure that only the right people can locate and access confidential data within your company? To ensure that your documents are in safe hands, you need to be keeping an eye on who can access them. Around 75% of data breaches are due to insider threats, so no matter how much trust you place in your employees it’s essential that you control their access to the most confidential documents such as sensitive communications, business strategies, and intellectual property. Employees should only have access to documents relevant to their duties and nothing more. It is your job to minimise the risk of data breaches, all risks considered, so think twice before you share potentially sensitive data with your employees.

Whenever someone changes their company role internally or leaves the company altogether, always remember to change (or remove) their access rights and passwords accordingly. Employees who have changed roles should be restricted from accessing documents they no longer need to see, and employees who leave should be completely removed from your systems. Indeed, even in cases where you trust the employee and consider them loyal to your company, there is nothing to be gained from keeping their access. If in doubt, always err on the safe side!

Mitigating external threats

The safety of your confidential documents extends far beyond your physical workplace out into the big bad world. That is, access to sensitive information should not only be restricted within your company but also safeguarded from those outside your company. With modern companies, it is becoming increasingly common for employees to work from their personal devices or take their work devices home. Sometimes, workers may even take physical documents out of the office when working from home or going to meetings. This presents a risk to confidential documents as they are now open to the risks posed by forces external to your company.

When such information leaves the office, there is very little that an employer can do to control where it goes and who has access to it. At that point, it’s mainly the responsibility of the person who holds the document. However, employers can work to mitigate these risks by educating their workforce on the risks of taking confidential documents outside the office and training them on keeping those documents safe. It should be abundantly clear to all employees that it is not safe for anybody outside of the company (including close friends and family) to have access to sensitive company data. Alternatively, companies could keep company documents and devices within the confines of their offices, though this is somewhat less practical in the modern workplace.

Eliminating all risks

A large part of reducing the risk of a confidential data breach is making sure that documents only exist for as long as they need to. In other words, a confidential document that is no longer needed poses a risk when kept for longer than necessary. If a physical document provides no purpose or value to your business then it should be destroyed – or if it’s a digital document, securely deleted. Make sure that you’re aware of the regulations surrounding the disposal of old hard drives and that physical documents are destroyed to a point where they cannot be read.

By outsourcing your confidential documents to companies like Flexible Storage Solutions, you can not only guarantee that your data is in safe hands – stored in secure vaults with fireproof boxes and protected by 24hr CCTV – but also that it is being tracked through our document management system and safely destroyed when necessary using industrial grade shredders and pulverisers. This completely removes the risks associated with internal physical storage systems while making the management and destruction process more efficient.

Our priority is to meet the long and short term needs of your company while keeping all your documents as safe and secure as possible. Feel free to get in touch to make an appointment and discuss your requirements with one of our friendly storage consultants.