
6 signs your archive has become a GDPR risk

An archive grows into a risk unnoticed. Not through a single acute mistake, but through boxes that stay where they are, files nobody opens any more and data carriers that lie around. Under the GDPR that is not harmless clutter but a collection of personal data you no longer control. Below are six signs that your archive has become a GDPR risk, with what each sign means and how to fix it.

The quick answer. An archive becomes a risk as soon as you lose the overview, apply no retention periods and cannot demonstrate what has been destroyed. If you recognise any of the signs below, it is time to map out the archive, set up a policy and have expired files destroyed confidentially, with a certificate as proof.

Sign 1. You no longer know what is in your archive

If no one can say what is in the boxes and cabinets, you do not have an archive but a blind spot. Without an overview you cannot answer a request for access or erasure, you cannot assess in the event of a data breach which data were affected, and you do not know what could long since have been destroyed. The GDPR expects precisely this: that you know which personal data you process and why. The fix starts with an inventory by category, linked to your record of processing activities. How to document archives and destruction in it without unnecessary bureaucracy is set out in the record of processing for archives and destruction.

Sign 2. Boxes and folders pile up with no end date

If your archive only grows and nothing ever leaves it, no box has a retention period. The GDPR has a storage limitation principle: you keep personal data no longer than necessary for the purpose you collected it for. A file without an end date is therefore, by definition, a file you keep too long. So assign a concrete retention period to each category and note the destruction date on the box. What you may and must keep per document type is set out clearly in the GDPR retention periods cheatsheet. That way a growing pile turns into an archive that clears itself out.

Sign 3. Anyone can just walk into the archive

If the archive cabinet stands open, confidential paper lies on desks and every employee or visitor can reach the files, confidentiality is not assured. The GDPR asks for appropriate security, and restricting access is its simplest form. Limit access to those who need it, lock archive rooms and work with a clean desk so no sensitive documents are left lying around. A sound approach ties the clean desk directly to sealed collection bins for destruction, so that paper leaving a desk goes straight into the destruction stream rather than into a drawer. How to set that down is explained in clean desk policy and destruction.

Sign 4. Old data carriers are lying around

A drawer full of old USB sticks, a stack of discarded hard drives, phased-out phones and backup tapes in a cupboard. Data carriers often contain the same personal data as the paper, but rarely get the same attention. They disappear into a drawer instead of into a policy. Wiping is moreover not the same as destroying. A simple delete or a quick format only removes the references to the data, not the data itself, so the contents can often be recovered with standard tools; on SSDs and other flash media, even overwriting is unreliable because the controller decides where data is physically written. So include data carriers in your clean-up as standard and have them physically destroyed. Why wiping falls short and when physical destruction is needed is set out in wiping versus destroying a hard drive.

Sign 5. No one is responsible for clearing out

If you cannot point to anyone responsible for clearing out, it does not happen. Without a destruction policy and without fixed clean-up moments the archive keeps growing until someone trips over it by chance. The GDPR asks not only for the right actions but also for the organisation around them. Set down what you destroy, at what security level, how often and who is in charge. Schedule fixed moments, for instance twice a year, at which expired files are destroyed. A concise policy of half a page is often enough. How to write it, with an example, is set out in setting up a destruction policy for SMEs.

Sign 6. You cannot demonstrate what has been destroyed

If you destroy files but keep no record of it, you can prove nothing afterwards. The GDPR turns on accountability. Without proof you cannot say what was destroyed when and at what level, and at an audit or in a dispute you stand empty-handed. A certificate of destruction stating the date, the quantity and the DIN 66399 security level closes that gap. It is your evidence to the supervisory authority that you acted carefully. Always ask for one and keep it with your record of processing. What exactly belongs on a certificate is set out in certificate of destruction explained.

From risk to control in 3 steps

  1. Map it out. Inventory by category what you keep and link it to your record of processing.
  2. Set up a policy. Assign retention periods, name a person responsible and schedule fixed clean-up moments.
  3. Have it destroyed confidentially. Collect expired files and data carriers in sealed bins and ask for a certificate of destruction as proof.

A structured clean-up starts with a good step-by-step plan. How to tackle a full paper archive systematically, from inventory to sealed pickup, is set out in the archive clean-up step-by-step plan.

Have your archive cleared out safely?

Tell us what you have and you get a fixed price. We collect it sealed, destroy it at the right DIN level and you receive a certificate for your GDPR file. No call-out charge within 20 km of Amsterdam.

Request a quote

Frequently asked questions

When does an archive become a GDPR risk?

As soon as you no longer know what is in it, apply no retention periods and cannot demonstrate what has been destroyed. An archive that keeps growing without overview and without clean-up increases the damage of every data breach, because everything you could have cleared out long ago is then exposed as well.

How do I know which files may go?

Test each category against the statutory retention period. Financial records fall under the seven-year tax retention obligation; other document types have shorter or longer periods. Anything that has reached the end of its retention period and serves no further purpose may, and must, be destroyed.

Do old hard drives and usb sticks count too?

Yes. Data carriers often contain the same personal data as the paper. Wiping is moreover not the same as destroying: a deleted or formatted drive can often still be read. Include hard drives, USB sticks, phones and backup tapes in your policy as standard and have them physically destroyed.

What is the proof that I destroyed data carefully?

A certificate of destruction stating the date, the quantity and the DIN 66399 security level. Without a certificate you cannot demonstrate what was destroyed when and at what level. The GDPR asks for exactly that accountability. Keep the certificate with your record of processing.

Conclusion

The six signs share a common denominator. They arise where an archive slips out of control, because no one still knows what is in it, how long it may stay or who clears it out. Map your archive, set up a policy with retention periods and have expired files and data carriers destroyed confidentially, with a certificate as proof. That way your archive is no longer a dormant risk but a controlled part of your GDPR policy.

Read also: 7 mistakes when destroying business documents, setting up a destruction policy for SMEs, the archive clean-up step-by-step plan and the GDPR retention periods cheatsheet.

Have your archive collected? Request a quote via desnipperaar.nl. Within a few minutes you have a fixed price, including a certificate as proof.