Is your biggest GDPR risk sitting in a filing cabinet?
The last time you went to the bank to open a new checking account, refinance your mortgage or apply for a student loan, you filled out a barrage of paperwork that documented everything from your social security number to your personal credit history.
Had you completed this process online — at least since the European Union’s General Data Protection Regulation (GDPR) mandate took effect in May — there’s a good chance you would have first clicked through a pop-up stating the bank’s updated privacy policy. The new EU law promises to give citizens autonomy over their private data, including “the right to be forgotten.” For companies doing business in Europe — regardless of where they are headquartered — the law demands comprehensive accounting of all customer data with heavy fines for non-compliance.
Privacy and Sensitive Data
Since Facebook’s Cambridge Analytica scandal revealed the true fragility of our internet privacy, it’s understandable that we’ve come to view GDPR—and similar legislation recently passed in Australia and California—as protectors of a purely digital realm. After all, when you opened that checking account at the bank, the teller didn’t ask you to agree to the bank’s latest privacy policy or remind you of your right to control the data you shared. But the GDPR was drafted years before this dire era of internet privacy, and it’s meant to preside over all data.
The data in those forms you left behind on the bank teller’s desk are yours to control—and theirs to keep track of.
Paper-intensive handling of sensitive data is common in a large variety of industries from automotive loan processing to healthcare records. Whether handwritten or e-filed, private information contained within documents scanned into large proprietary databases is every bit as much of a GDPR liability as the data we have shared over the internet in electronic payments, online forms and even browsing tendencies.
Billions of Decentralized Documents
Legacy institutions in law, insurance and pharmaceuticals have unfathomably large document databases. One major bank told me it has more than 100 billion documents scattered through disparate databases that, while secure, are unorganized and largely unaccounted for. Even for companies with far smaller databases, data hidden within these documents — so-called “dark data” — is notoriously difficult to track and extract. With data privacy legislation knocking on the proverbial doors, organizations are turning to sophisticated new AI-powered machine-learning technologies to help wrangle their sensitive documents.
Despite the fact that many U.S.-based organizations with European presences are adapting GDPR-mandated data privacy practices to customers worldwide (not just those in the EU), there are few signs that organizations are dedicated to handling their documents with particular caution.
Take Action
There has been a spike in proactive information security measures, like clean-desk policies and secure release technology on in-house printers. These are necessary initiatives, considering that an Information Commissioner’s Office report found that “loss or theft of paperwork” was the leading cause of security breaches in the legal sector, accounting for more than a quarter of incidents in 2015-2016.
But it’s imperative that enterprises have the proper tools and resources to take reactive measures. So much of GDPR hinges upon a company’s ability to find, extract and even redact a customer’s information on demand. How can you “forget” a customer ever existed if you can’t produce all of the information they shared with you?
Whether it’s GDPR, California’s Consumer Privacy Act of 2018 or future regulations that are poised to spread throughout the globe in coming years, complying with the latest data privacy legislation is a holistic endeavor. It’s a mélange of the digital and physical realms: the sum total of the most sophisticated online encryption programs and IT infrastructures, the latest in smart document capture and data discovery, plus the old-fashioned discipline to keep those papers in order. It’s an immense undertaking.
Whether or not it was the intention of the lawmakers, data privacy legislation is a big step toward repairing the trust between consumers and the enterprises that collect their data.
Trust is essential to any business endeavor. It pays to do it right.