Another day, another personal information data breach.

Many companies started looking at their own system’s weaknesses after learning about the recent Uber data breach. No one wants to be the next data breach headline. This kind of news can make people long for the days when records retention was simpler and paper-based documents meant data protection wasn’t always part of the daily routine. Some may even wonder whether the benefits of personal data protection outweigh the administrative burden of returning to hard-copy records. [1]But did you know that low-tech data can be just as easy, if not easier, to breach?

How do data protection laws apply to hard-copy records?

Cyber-security is on the front-lines of the personal data battle, but it’s just part of the equation. Careless retention of hard-copy records that contain personal information can also result in a data breach. Careless retention can affect both small and large organizations and those with domestic or international connections. Many companies moved from hard-copy records to digital records. Digital records are a more efficient and “greener” system. However, overlooking hard-copy documents can leave companies open to personal data attacks and heavy sanctions.

While some data protection laws define “personal information” in detail, most are purposely vague. For example, Serbia’s Law on Personal Data Protection defines personal information as “any information relating to a natural person, regardless of the form of its presentation or the medium used (paper, tape, film, electronic media etc.).[2] The EU’s General Data Protection Regulation (GDPR) has its own definition of “personal data.” In fact, it makes no reference to the medium of the personal data.[3] However, the GDPR’s definition of a “personal data breach” covers the low-tech, minor data breaches and doesn’t even mention the medium of the data. The GDPR states that a personal data breach is, “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.”[4] The lack of clarity in the law can be costly for businesses. They could face high sanctions for what seems like a trivial loss of hard-copy records.

What are some differences for hard-copy data protection requirements?

Most data protection laws have broad requirements for both electronic and hard-copy personal information. However, some laws are more specific about the difference between physical documents and digital information.

Many data protection laws carry records-handling requirements that explain how to store, destroy, or protect hard-copy records that contain personal information. For example, the Netherlands AFM Compliance Regulations specifies that businesses must store physical data in a fireproof safe and digital data must be “safeguarded by technical access security systems.”[5]

Different laws carry different requirements. Zasio can teach you how to protect your data based on the laws that affect your business. We can also clarify other records retention requirements for you. Call us today.


[1] Draft PCI/S Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments, 5.3.3.

[2] Serbia Law on Personal Data Protection, RS Official Gazette Nos. 97/2008 and 104/2009, Article 3 (1).

[3] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), Article 4 (1).

[4] Id. at Article 4 (12).

[5]  Dutch Authority for the Financial Markets Compliance Regulations, Regulations about handling inside information, Appendix 4 (Data Security).

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.



Author: Whitney Nelson, Research Assistant at Zasio Enterprises, Inc.