What Is The GDPR And Why Does It Matter?

Many industries require organisations to store documentation for set time periods. For example, tax and some HR documents must be maintained for a minimum of six years. On the other hand, environmental records have to be kept for 10 years, while some medical records must be held for a minimum of 40 years.

Since 2018, there has also been the General Data Protection Regulation (GDPR) to consider. All documents containing sensitive personal data must be stored in a highly secure area, and organised in a way that gives people fast access to their personal data on request.

The GDPR is an EU Directive ratified in 2016 and incorporated into UK law in May 2018 as the Data Protection Act (DPA) 2018 (alongside other updates to the previous 1998 DPA). The regulations build on and strengthen existing data protection legislation, creating a common code of conduct across the EU, and responding to changes in data
gathering and retention practices brought about by the Internet. Although the UK is no longer an EU member, GDPR-compliance is still legally binding and will remain obligatory for any organisation handling data or documents on UK or EU residents, wherever they are based.


GDPR Key Terms - A Quick Reference

The GDPR includes several key terms, which are briefly explained below:

  • Data subject: An identifiable, living person, resident in the EU or the UK, on whom personal data is held by a business, organisation or service provider.

  • Data controller: A business or organisation that gathers, stores or handles personal data about data subjects. The data controller may be the service provider themselves, or a third party acting on behalf of another business – e.g. our document storage clients.

  • Data owner: The legal owner of the data – i.e. the organisation providing a service to the individual concerned. If a business uses a third party to process their data, that third party acts as the data controller, while the business remains the legal data owner.

  • Data processor: An individual, organisation or business that processes data (see below), such as a cloud storage company.

  • Processing: Any action carried out on personal data, including information gathering, copying, scanning, legitimate use, data destruction etc.

  • Personal data: Any information from which an individual can be directly or indirectly identified. Examples include a person’s name, age, gender, ethnicity, email, place of birth, home address, telephone number, photos, videos and visual descriptions, fingerprints, retina scans, social media posts, medical records, IP address, association and political party membership, education and work history, descriptions of appearance, family history and so on.

  • Consent: The explicit and free agreement of a person for an organisation to use personal data for a specific purpose – e.g. I give you my email address so you can let me know about upcoming gigs in your venue.

Enhanced Provisions

The GDPR has introduced ‘enhanced’ data protection provisions for certain types of data, strengthening safeguards for data subjects and placing new obligations for security and transparency on data controllers.


  • Sensitive personal data: The legal definition of personal data in the GDPR has been expanded from the definitions in the DPA 1998, to include IP addresses and other Internet-based identifiers, alongside demographic information, genetic and biometric data (e.g. fingerprints for security clearance, retina scans, genetic medical information etc.)

  • Data processing and the right to privacy: The GDPR includes the fundamental principle of privacy by design, meaning that the data subject’s privacy and dignity take precedent over all other considerations. Care must be taken that data processing is completely transparent, fair and covered by written consent agreements.

  • Data protection impact assessments: Potential risks to a person’s personal data should be identified and mitigated through a data protection impact assessment.

  • Positive consent: Under the GDPR, data subjects must give their positive consent for personal data to be used, for instance by actively filling in a form or selecting a tick box. It is no longer legal to use a person’s data simply because they haven’t said you can’t do so (passive consent), nor is it acceptable to gather data through pre-ticked checkboxes or prefilled forms. Consent can be withdrawn at any time; data subjects can request the removal or deletion of some or all of the data held and can request access to their data records through a subject access request, which must be responded to promptly.

Penalties Fon Non-Compliance

As the data owner, it is your responsibility to ensure that the personal data you hold is processed and stored securely, whether in electronic or paper form. Accidental damage, unauthorised access, theft or loss, or the failure to respond to an access or data deletion request, could attract stiff financial penalties for non-compliance.

Fine of up to 2% annual global revenue:

  • Not keeping records holding personal data in order
  • Failing to notify the ICO and data subject about a suspected data breach
  • If a data breach arises from failing to carry out the appropriate impact assessments

Fine of up to 4% annual revenue:

  • Serious violations of data security resulting from misconduct or negligence
  • Gathering personal data without consent from the data subject
  • Using personal data for purposes other than those specified in the consent agreement
  • Serious infringements of the right to privacy of a data subject

Please note that your legal responsibility as data owner applies whether you process the data yourself, or do so through a third party. This is why it is critical you choose a GDPR compliant document storage partner – such as CAS – to handle sensitive documentation on your behalf.


Subject Access Requests (SARs)

A person can request access to documents containing their personal data at any time by submitting a Subject Access Request by phone, email or writing. You have one month from the date of the SAR to provide the individual with the data requested. The individual may also request that their personal data is erased from your records, which in practice may mean destroying hardcopy and electronic documents.

Managing SARs and deletion requests can be time-consuming and complicated unless you have the right storage and retrieval infrastructure in place. At CAS, we provide an efficient, RFID document management system that allows us to respond promptly to subject access requests, by providing paper documents or an electronic copy through
scan on demand. Our secure shredding and data sanitisation facilities ensure that personal data for deletion is completely destroyed, with no risk of unauthorised retrieval.


GDPR Compliance Checklist

The following questions will give you a quick overview of how well your current document storage solutions comply with data protection laws. Please contact us, or your storage provider, if you are unsure.

  • Is the data being used for the purpose for which consent was obtained? You can only use data for the original stated purpose. If you need to use a document for another reason, a new consent agreement must be obtained from the data subject.

  • Do the documents contain data that is not strictly relevant to the required purpose, e.g. irrelevant or excessive data? The GDPR obliges you to minimise the data you hold on your data subjects.

  • Are your documents being stored beyond their legal retention period, or after the agreed purpose is fulfilled? All personal data should be deleted and documents destroyed when they are no longer needed.

  • Is the personal data in your documents accurate and up-to-date?

  • Are your electronic and paper documents retained in a secure storage system, with safeguards against loss, damage, theft and unauthorised access?

  • Is your storage system confidential, with authorised access being granted only to the appropriate individuals?

How CAS Can Help

At CAS, we offer a document storage and handling service that is fully compliant with the Data Protection Acts (1998, 2018) and the requirements of the GDPR. We are registered with the Information Commissioner’s Office (ICO registration number Z1281061) and assist hundreds of UK businesses in managing their stored and digital documents in a responsible and compliant way.

CAS acts as both data controller and data processor for GDPR-compliance purposes, with you, the customer, being the legal data owner. Our document scanning and scan-on-demand services fully comply with the GDPR, with digitised files uploaded to secure, password-protected client databases on our CAS-Cloud servers.

Each archived document is retained in accordance not only with Data Protection and GDPR requirements, but also in compliance with regulations for your industry, and company best practices.

We also offer a secure document shredding and IT disposal service, in which personal data is completely destroyed – with a chain of accountability guaranteeing confidentiality and GDPR-compliance.

More Information

To find out more about our services and how the GDPR affects data and document storage in your industry, please call 0845 5050 003, or email info@cas.ltd.