One of the great ironies of the modern world is that even though so much is done online these days, a vast amount of paper is still used, especially by businesses.
These mounds of paper can actually be very soft targets for data thieves, since modern companies may be tempted to focus their attention on the security of their digital data and take their eye off the ball when it comes to the analogue world.
The forthcoming General Data Protection Regulation (GDPR) refers to data security in general rather than just online or digital data security. Even without the severe penalties which can be levied once it comes into force (in May 2018), the reputational damage caused by failure to take proper care of sensitive papers could, quite literally, be enough to put a company out of business. It is therefore important to have a robust document-handling system in place. Here are four tips to help.
Start by identifying what sorts of documents should be classed as sensitive
Obviously any documents which contain customer data should be first on your list, but then have a think about any business-related documents you really don’t want your competitors (or anyone else) to see. They need to be treated with appropriate care too.
Determine your legal and business requirements regarding storage time
Some documents need to be stored for a certain length of time to meet legal requirements; the obvious example of this is tax documents. You may prefer to store other documents for a certain length of time to satisfy business requirements. In both cases, it would be advisable to determine whether or not you actually need to keep the documents in paper format or whether digital copies are acceptable. You may choose to keep documents in paper format even if you could store them only in digital format, but it’s always good to know what your options are.
Identify which staff need to have access to these documents (and in what way)
The fewer people handling sensitive documents, the more secure they remain. Grant access to sensitive documents purely on the basis of need and purely to the extent required (e.g. read versus edit, online only versus online and paper). Make sure you do due diligence at the recruitment stage and, if necessary, do credit and security checks on employees.
Create processes for secure storage/archiving or shredding
When documents are being stored (during active use) or archived (in case they are required in future), there should be a robust process for checking them in and out, and it should be clear who has them at any given time. Without this, even the most secure storage is essentially rendered useless. Any documents no longer required should be shredded, preferably by an external service provider, as shredding has to be done in the right way in order to be effective and a reputable shredding company will stay on top of both laws and best practices. Again, there needs to be a process for this, with dedicated “confidential waste” bins provided to stop people simply retrieving sensitive documents from general waste.