Most of the world’s business information is born digital. As long as 10 years ago, observers were commenting that more than 90% of corporate data was digital, not paper[i]. In the intervening period, that total has only grown, so the natural focus of preparing for the advent of the GDPR has been on digital data residing online. This is all true, but as the burgeoning warehouses of Iron Mountain and other record storage vendors attest, there are still plenty of paper records out in the wild. Given this reality, our clients have asked us to advise them on how to deal with paper records under the GDPR.
Even when it comes to digital data, the data exists in more than one place. Much of that data is written to more than one location at the time it is created (‘journaling’ in IT parlance), and all of these instances of data are backed up – nightly, weekly, monthly and yearly. For those who are still backing up onto tape, many of those tapes find their way to storage vendors, and our clients have also asked us how those tapes are treated under the GDPR.
To address these questions, Cameron Alexander, an Iron Mountain Professional Services Consultant and I wrote a research note on The Treatment of Paper and Backup Tapes Under the GDPR.
With respect to paper, we concluded:
“Paper records with personal data are covered under the GDPR for any organization that is processing personal data and has a filing system in place that structures personal data according to specific criteria relating to individuals whether centralized, decentralized or dispersed on a functional or geographic basis.”
Considering that most of the paper records stored with storage vendors do not have sufficient metadata or a filing plan capable of easily navigating to individual records, in most cases paper records stored offsite would not be subject to the GDPR.
With respect to backup tapes, we concluded:
“While not specifically mentioned in the regulatory text, backup tapes are likely within the purview of the GDPR. Past guidance and recent legislation specifically calls out backup tapes as a recognized storage format – with the GDPR most directly impacting the timeliness and defensibility of identifying personal data stored with those formats.”
There are a few caveats to bear in mind when considering our conclusions. First, the GDPR does not fully take effect until May 2018. Once the effective date arrives, enforcement actions will begin; these will be litigated, and case law will begin to develop to further our understanding of how the European courts interpret the GDPR’s statutory language. Second, the GDPR represents the baseline of privacy protections. EU nations are free to enact laws in their countries which go further than the GDPR; these laws may expand citizens’ rights as they relate to private information stored on paper and backup tapes.
The lion’s share of the effort required to comply with the GDPR is common to online data, backup data and paper-based data. Just remember that as you are contemplating the potential repositories where PII is stored, you must consider offsite paper storage and backup tapes.