GDPR and Paper Records – A Step by Step Guide

Donna Sanderson

Most organisations operate on a mix of digital records and paper records. To be GDPR compliant, it is therefore vital that you manage those paper records correctly.

Records can be breached and stolen regardless of whether they are stored on paper or electronically. If a record (digital or paper) contains customer information or employee information, then it is protected under GDPR. Your company’s digital and paper records almost certainly contain employee or customer information.

Are you able to find all the paper records of customers and employees?

GDPR gives users the right to request that their personal data be deleted.

So in order to delete the information you hold relating to your customers/employees, you first need to find all the information they are looking to have deleted.

  • If you are unable to find the information, how do you ensure you are GDPR compliant?
  • How long will it take you to retrieve documents kept in paper files?
  • Can you tell where the file containing the information is located?
  • Do you still have the file?


The following steps will help you address these questions.

Step 1

Identify the areas or departments in your organisation likely to have the paper records containing the information the customer or employee wishes to be removed.

Step 2

Prioritise records and documents to be scanned and arrange secure offsite storage for the originals.

Step 3

Have a clear identification and filing system for documents that cannot be stored offsite.

Step 4

Ensure all documents and records are properly labeled with information that is not sensitive.

Secure the documents in box files and store them in lockable cabinets.

Step 5

Properly communicate with your staff so that they know their accountability and access rights.


Can the documents be kept private?

GDPR requires that consumer data be kept private in terms of how it is disposed of, produced and managed.

Paper documents can be accessed easily by the wrong people leading to a data breach.

For example, an employee can forget sensitive paperwork at a coffee shop or lose a file to burglars.

This can lead to a threat to data security if the information ends up in the wrong hands.

Take the following steps to ensure documents are kept private always.

Step 1

Make it impossible or difficult for third parties to access the documents containing PII.

Step 2

Make sure you review and revise information regarding retention, destruction and storage processes with data privacy in mind.


Can you tell the number of copies of your documents?

Paper documents can easily be duplicated. If you don’t know the number of copies available for your documents, there is a high risk that your organisation’s data safety could be jeopardised. You need to take caution against copies left behind on printers and make sure you safeguard against unauthorised document removal from the office.

You can take the following steps:-

Step 1

Communicate to everyone in your organisation so that they know how to keep information safe.

Step 2

Let employees understand what is confidential and private data and implement policies and procedures for the management of this information.