Electronic document storage

Ashley_Price

So there has been a lot of stuff about GDPR with regards to sales, opt in lists, etc., but there seems to be less clarity on electronic document storage.

Can someone explain clearly how it will affect a business like mine, which transcribes recorded interviews, focus groups, seminars, etc., for clients?

However, we don't store the files long term. After a month, the client is sent a "Confirmation to delete" form, where, by signing it, they confirm they have received the transcripts (which are listed on the form) and are happy for us to delete them from our systems.

But, also, what about where people are mentioned within transcripts, e.g. family members, and so on? Do they have to be anonymised etc.?
 

Simon Plummer

Hi,

So first bit - I don't think you have too much of an issue here. You just need to determine who is the data controller, who is the processor and what the 'legal basis for processing' is.

Once this is ascertained, you then keep a record of that processing activity that lays all of this out. You then determine the retention period (looks like you have already stated a month) which is then also recorded. Create your privacy statement laying all this out for the data subjects and you are done, just treat the data in the way you have specified. Any changes to this process would need updating in your privacy statement too of course.

With regards to the last point, do you also transcribe that information? I would include it in your privacy statement under the section where you specify the data objects being processed.

Hope that helps!
 

Ashley_Price

The thing is, I already have a comprehensive confidentiality agreement (drawn up for my business by a firm of solicitors, not just a template off the internet), which seems to include most of this stuff anyway.

One part of our confidentiality agreement states that we shall:
  1. return Confidential Information and all copies, and documents or materials which incorporate Confidential Information;

  2. cleanse Confidential Information from any system into or on which it is stored or running; and

  3. destroy all notes, analyses or memoranda containing or referring to Confidential Information.
 

Simon Plummer

If you are confident this has been drafted with GDPR in mind then the 'contractual' aspect will be fine. You still need to record the processing activities and create the appropriate privacy statements etc.

If the contracts are for the data subjects themselves, do the privacy sections provide the relevant information in clear and transparent language?

Contractual obligations are just one area of GDPR; this sounds like you have it sewn up, but don't neglect other requirements.
 
I agree with Simon, Ashley, you seem to have covered pretty well all of the bases.

Just make sure you have a clear time period for destroying the data, and if I were you I would also start a destruction log (doesn't have to be anything fancy, even an Excel spreadsheet would do), where you detail each time you do a purge, how many records were destroyed etc.

If any of the documents are printed on paper, make sure you use a modern cross cut shredder and not one of the older 'spaghetti' shredders.
 