How much personal GDPR information is being held on your microfilms?
The GDPR Conference Europe was held recently in London and it was surprising to get the feeling that a lot of businesses have not prepared for, or are not even aware of, GDPR.
GDPR (General Data Protection Regulation) has been around for a while, having been introduced by the EU in May 2016, but it is not going to be enforced until May 25th 2018. That is only 1 year away and the potential fines for non-compliance and breaches are going to be significantly higher than under the current Data Protection Act 1998 – 4% of global turnover or 20 million euros, whichever is greater! And don’t think Brexit will get UK companies off the hook, as GDPR will be fully adopted into UK law before Brexit. In addition, non-EU organisations will be affected by GDPR if they or their subsidiaries are doing business with individuals located in EU member nation territories.
GDPR replaces the Data Protection Act 1998 (DPA), and Subject Access Request (SAR) fees (the £10.00 that can currently be charged by the recipient organisation) will be abolished. In addition, under GDPR, SARs will have to be responded to within 30 days (down from 40 days). Every SAR will need to be investigated, and therefore the organisation receiving the request may incur significant costs and effort in order to find the requesting person’s information. Imagine how the number of SARs will increase when they are free. Then you have to ask what new GDPR ‘right’ the requesting person is exercising by asking for their data. Is it: –
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure (AKA the right to be forgotten)
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
What if that information is on microfilm and the individual wants a digital copy of that information – do you scan just that one piece of information on demand, or do you batch scan your whole microfilm collection so that you are ready to respond within 30 days? In addition, the information has to be handed back in a structured, commonly used and machine-readable format. Open formats include CSV files. Machine-readable means that the information is structured so that software can extract specific elements of the data. Even after scanning, will the quality of the microfilm scans be good enough to OCR, or will all the data have to be entered manually instead?
Imagine you are a large multinational organisation and all of your microfilms, microfiche and aperture cards are stored in archive boxes in a warehouse. The boxes must be retrieved from the warehouse, the pertinent films/fiche/cards extracted and digitised to enable them to be ‘ported’ to the individual or the organisation of their choice. We all know how expensive it is to continually request boxes/folders/files and microfilms from a deep storage location.
Unfortunately, the old concept of security by obscurity no longer applies. You can’t say that the files are stored on microfilm in a deep archive so GDPR doesn’t apply to you. You will need to have a plan in place to scan and deliver the information on your microfilm back to the requester – in 30 days.
The right to erasure is also potentially a significant challenge if all your customer or employee information is on microfilm or fiche. Clearly there are perfectly legitimate reasons for most organisations to hold personal information. Nevertheless, in a post-GDPR world, if you were to hold a document about a requesting person on a sheet of microfiche and they wanted to be erased from your systems, then this could cause an issue, particularly if there is information about other people on the same piece of fiche. The only practical way to erase the information about one person from the fiche would be by scanning all the images, destroying the original film and then deleting the specific images for that person from your digital system.
In simple terms, therefore, the storage of personal information on microfilm and microfiche could prove to be the largest challenge for many organisations when GDPR comes into force next year. The best way to prepare for this and to avoid potential fines after 25th May 2018 is to scan in all your microfilm material so that it can be searched and accessed quickly and on a person-by-person basis.
Here at Genus we offer a service to scan your microfilms for you, with full indexing as required – either at our purpose-built ISO 27001 approved scanning facility or on your premises, if your microfilms are too sensitive to leave your custody. While we carry out your bulk scanning project we can also duplicate all of your microfilms and microfiche so that you retain all of the microfilm masters to scan on demand for ongoing GDPR requests. We can also provide all of the tools you require to adhere to GDPR in-house. We have a full range of both on-demand microfilm and fiche scanners and high-speed full production scanners. We can sell these to you or rent them for a short period of time – all backed by our nationwide team of engineers to support them and provide training.
We have partnered with a range of digitisation consultants who can come along and advise on the best microfilm scanning solution for you. We have even partnered with a lawyer who specialises in the legal implications of GDPR.
So please be aware of GDPR and its implications, and please note that Genus is now part of The GDPR Compliance Services Consortium, which was established to provide ‘solutions’ to those organisations preparing for the challenges of GDPR, whether this be legal compliance, scanning of legacy data (microfilm, fiche or paper), cloud-based content management solutions, data interrogation (e-mails, legacy data sets), or an interim DPO. Please visit The GDPR Compliance Services Consortium website for your ‘one-stop shop’ for compliance services.