PacSol UK Blog

Employees breaching GDPR regulations

Written by Toby Gilbertson | Jul 24, 2024 7:30:00 AM

It would appear that many employees, despite being aware of GDPR obligations (whether general awareness or specific training) and the risk posed to the employer (should the rules not be adhered to), are failing to comply with GDPR regulations by simply printing documents at home.

You can read the full article that piqued my interest back in the UK’s pandemic years here (p28) and it got me wanting to know more about the ‘why’. What compelled those surveyed to print the documents? It remains relevant today with a workforce that now works from home more regularly, either permanently or as part of a hybrid arrangement.

I never answered that original question because, of course, a more important question then arose and eclipsed all before:

Why have organisations simply not removed the ability for such documentation to be printed in the first place?

In this author’s humble opinion, I believe the simple answer is probably because those organisations are simply not managing the input, distribution, process, lifecycle and security of their documents – there is no real control over documents associated with their business processes. This is the type of control that a well-implemented Document Management System (DMS or eDMS) would give any organisation over a document’s lifecycle.

What difference could it make? An example:

A document comes into your organisation containing regulated data (DOB / address / bank codes). This document needs to be reviewed by several people, potentially commented on and stored for a specific period of time – this is the type of document your organisation needs to protect from unauthorised access / view / distribution - the type of document subject to GDPR regulation.

The document arrives at your organisation, let us assume as a physical paper document.

Bad Scenario (High risk)
  1. The document is reviewed and an employee (who is in the office) determines a few people need to review the document. The employee uses the copier to scan the document to a PDF which is then stored on a network share.
  2. The employee attaches the document to an email (not just a shortcut to the drive) and sends it to four people. That employee then stamps the hard copy and sticks it in a filing cabinet.
  3. All four employees who are required to review the document access their email via a web portal - essentially working ‘offline’ from the office network. All four of them receive the email attachment and download a copy to their devices - laptop / tablet / phone! Some of these devices (laptops) are owned by the company; however, employees are permitted to use personal tablets and phones.
  4. At least two of the employees print the documents to review and annotate before replying to the group. One even takes a photo on their mobile device to evidence the annotations before emailing that image to the group.
  5. Once all actions are completed and steps decided (via email) between the group, one of the users responds by letter to the initial document sender, stores it on the network share and emails a copy of that letter to the other three as a record of the response.
  6. Multiple copies persist (unmanaged):
    • In multiple mailboxes until the employee deletes the object, the organisation's email servers purge data over a certain age, or the mailbox is deleted after they leave the organisation.
    • On the network file share until an employee comes across it and decides to remove it, or until IT deems it not required and does not migrate it to new storage.
    • In the filing cabinet until it gets cleared out.

Good Scenario (Low risk)
  1. The document is reviewed and an employee (who is in the office) scans the document into the organisation’s DMS. As part of this process, the physical document location (filing cabinet) is recorded as an index to that digital record before the paper is stored. (Some organisations may choose to immediately destroy the physical copy once digitised - it will depend on the document type and policy.)
  2. The document enters an automated business process that allows distribution to and tracking across employees. The process sends invitations to the four employees (via email) containing a specific link to the DMS to review the document.
  3. The four employees connect to the secure cloud interface (via web browser) to view the document image.
  4. The security controls assigned to the document allow the four employees to apply annotations (‘post-it’ notes, highlights, shapes) as an additional layer to the document image and submit their approval for any required actions via radio buttons and a comments section. The system prevents printing or downloading of this document.
  5. Once all approvals are made, the business process initiates a task to a group member (or delegate) for a response to the sender to be created. This letter is created via a template stored on the DMS platform (ensuring the latest company stationery is used), updated as required by the author and then ‘sent’ via the office print room (another automated process). An email is also generated with a link to the response in the DMS and sent to the four responsible employees.
  6. 7 years later… a task is assigned to the records manager by the DMS business process records management configuration. The employee reviews the document stored on the platform and authorises its destruction (via automated process). The physical record (if kept) is also authorised for destruction and quickly located due to the index value.

Why is DMS better?

In the bad scenario:

  • There are multiple physical and digital copies of the documents stored:
    • network shares
    • individual mailboxes
    • personal devices
    • office filing cabinets
    • home desks (printout)
  • The company is reliant on individual due diligence to:
    • protect the information
    • delete any digital copies (email storage and drive)
    • legally dispose of any physical copies
  • No standard, automated procedure exists to manage the record’s lifecycle for compliance. It relies on manual reporting, investigation and review to establish a document's status.

In the good scenario:

  • There are only two copies, 1 physical and 1 digital - the location of both is known. (Only 1 if the original does not need to be kept once digitised)
  • The digital copy:
    • is secured against unauthorised access
    • is secured against unauthorised copies (print or download)
    • is easily accessible to those employees with the correct security credentials from the source
    • is fully audited so all actions taken against the document can be traced
    • has changes (comments, annotations etc) stored as a layer to the original document, ensuring the integrity of the master copy
    • has indexes that allow related documents (such as the reply) to be searched for and viewed in context with the original document
  • The lifecycle of the document is managed, automated and (most importantly) fully audited.

With a Document Management System, documents are secure, accessible, controlled and managed, with automation allowing efficient completion of related tasks - whether ensuring you meet customer response expectations or deleting data to meet compliance.

Ultimately it is about the risk to your organisation through non-compliance. A document management system can dramatically reduce that risk as well as the time employees have to spend governing that risk. Perhaps PacSol can help you manage your risk.

Toby Gilbertson, Director. July 2024

(updated from the original article published February 2021)