Old-fashioned record keeping risks security issues for organisations


Document storage and management sounds incredibly dry and may not be high on an organisation’s agenda. However, it’s an often-overlooked area that could be high-risk when it comes to data protection and security.

Organisations store hundreds of thousands of documents, and in many cases, no single department is responsible for them. HR teams will store policies, personal information and contracts of employment. Finance teams will hold budget reports and customer contracts. Even the CEO will have a mass of sensitive documents they’ve stored away such as the business plan and growth forecast.

Since its arrival, the General Data Protection Regulation (GDPR) has advocated data minimisation, but document management is one area that in many cases has fallen under the radar and, to a degree, been put on the back burner. Whilst in most cases data is kept securely, that is only part of the job. Data storage is, and should be, becoming a greater concern for organisations, which are at risk if they’re not correctly managing the data they hold.

So, where does the risk come from? Overall security may be in place and under control, but that doesn’t necessarily mean that documents don’t get lost, or that they don’t remain accessible as and when needed even though they shouldn’t be held. It is important that document storage is carefully managed and controlled so that retention schedules can be applied and over-retention avoided.

Recently a German real estate company was fined 14.5m euros for over-retaining personal data, even though there was no suggestion of the data being compromised or any financial gain for the company in question. No doubt there would have been a number of warnings along the way and a degree of inaction that led to the fine, but this shows that document management is certainly an area that shouldn’t be overlooked.

Over the years we’ve all seen documents that have fallen down the back of a filing cabinet or been saved in the wrong location on an organisation’s server and been forgotten about. We’ve all, at some point, been sent documents to review, made amendments, and then saved a copy locally, which potentially remains sitting in the system forever. That copy is out of the loop in terms of data management and retention schedules, since you can’t control what you don’t know you have.

Any data privacy incident would be made worse if it came to light that an organisation was over-retaining data and should no longer have had it, or if there was a breach but the organisation couldn’t tell specifically what it had lost.

In a recent survey, we discovered many organisations are lacking a robust system for document storage and management, and this puts them at risk; 41% of organisations stated that they stored documents in folders on their computer, compared to 35% who held printed copies in the workplace.

When it came to document retention and security, just over 15% of organisations had no policy at all, 15% didn’t know if they had one or not and 23% had a system but they didn’t think it was accurate.

The issue with this is that it exposes organisations and forms a security risk. Document management and storage may not be the first concern for organisations looking at security, but it could be one of the biggest risks facing them, especially if they don’t know what is being kept where, by whom, and even more importantly, how relevant it is or whether it’s still required.

Without a clear view of our data, managing a retention schedule efficiently becomes far more difficult than it needs to be. Clearly defined data management systems provide huge benefits in terms of reducing risk but there are a number of incremental benefits that can also be realised such as:

  • Increased accessibility
  • Better collaboration
  • Greater efficiency
  • Reduced overheads

We recently ran a webinar in partnership with Document Logistix, discussing document management solutions to support organisations with a more secure way of keeping, storing, and removing documents in line with GDPR and other policies.

…oh, and don’t get me started on the availability of data for subject access requests!
