Going paperless at the office securely: scan, store and destroy
A paperless office sounds tidy, but the move only succeeds once the old paper originals also disappear safely. Digitising does not mean the paper may go in the bin or in with the recycling. The documents you scan often contain personal data. Those should be destroyed confidentially. This article shows how to work paperless securely: scan, index, store, then have the scanned originals demonstrably destroyed.
Before you put a box on the scanner, it is good to know where you stand. Can you answer yes to these?
- Do you know which documents you may throw away after scanning?
- Do you know which originals must instead stay on paper?
- Are your scanned originals destroyed confidentially?
- Is your digital storage well secured and searchable?
- Do you get a certificate for the paper that is destroyed?
If you hesitate on any of these, this article helps you make the move without risk.
Why a paperless office?
The benefits are practical. You win back cupboard space, find documents in seconds instead of in boxes and can reach your files from any workstation. A digital archive is also easier to secure than a cabinet of binders that everyone walks past. Yet paperless working is not a goal in itself. The real benefit only arises when the move is done carefully, with good scans and with safe handling of the paper you leave behind. Otherwise you trade a full archive for a messy folder and a pile of risk.
Paperless is not the same as throwing paper away
A common misconception is that paperless working is mostly about scanning. The scanning is half the job. The other half is what happens to the originals. Once a document is digitised, the paper is redundant, but the information on it stays sensitive. A scanned payslip, a client file or a patient card still contains personal data, even when the scan is already safe on the server. Destroying the original properly is therefore part of the move, not an afterthought but the closing step.
The method in brief
A safe move always follows the same line: scan, index, store and destroy. You first make a good scan, give it a recognisable name so you can find it again, store it securely and then destroy the original if you may. Those four steps form a chain. Skip one and a weak spot appears. A scan without a name is unfindable, an original left lying around is a leak. Below we work out each step.
Step 1: map your paper flow
Do not start at the scanner but with an inventory. Which types of documents do you have, how many are there and which contain personal data? Distinguish between current administration, old archive and documents you must keep anyway. That way you know in advance what needs scanning, what can be destroyed straight away and what stays on paper. This inventory prevents you from digitising everything blindly. A large part of an average archive is duplicate, expired or never needed again.
Step 2: scan with enough quality
A scan is only worth something if it is legible and complete. Scan at sufficient resolution, in colour where needed and check that nothing is missing or skewed. Work per file and keep the order. For anyone with a lot to digitise a document scanner with a feeder is faster than a flatbed. Save in a common format such as PDF, ideally searchable through text recognition. An illegible scan forces you to dig out the paper again later. That undermines the whole move.
Step 3: index and make it searchable
A digital archive is only useful once you quickly find the right document. Give files a fixed naming structure, for example date, client name and document type. Work with a logical folder structure or, better still, with a document system that searches on content. Text recognition makes the content of a scan searchable, so you no longer have to leaf through. The better you index, the less temptation there is to keep a paper copy just in case. Findability is what makes paperless working succeed.
Step 4: store digitally in a secure way
Digital storage asks for the same care as a locked archive cabinet. Keep sensitive scans in a secured location with access rights per employee, not on an open network drive or a loose USB stick. Make back-ups and encrypt where you can. The GDPR asks for appropriate technical measures, including for digitised documents. Paperless working moves the risk from the cabinet to the server, so the server must be in order too. A data breach from a poorly secured folder is as serious as a lost file.
What may go after scanning?
Most administration may go after a good scan. Think of copy invoices, correspondence, old quotes, internal notes and the bulk of personnel and client documents. The condition is that the scan is complete and legible and that you no longer have to keep the original on paper by law. For tax administration a digital copy is sufficient in most cases, provided it is kept legible and authentic. More on that period is in the 7-year tax retention obligation.
Which originals must stay on paper?
A small group of documents is better kept as the original. Notarial deeds, some contracts with a wet signature, certain shareholder documents and documents a law or contract explicitly requires on paper. If in doubt, keep the original and scan it in as well. These are exceptions, not the rule. By far the most documents may go after scanning. Which periods apply per category is in the GDPR retention periods cheatsheet.
First the retention period, then destruction
Scanning does not release you from the retention obligation. A document still within its period you keep, on paper or digitally. Only once the period has passed and the scan is safely stored may the original go. It is wise, while digitising, to record straight away until which date a document must be kept. That way you know later exactly when you can safely destroy. Anyone tackling it all at once combines this with a broader effort of clearing out old paperwork.
Destroying the scanned originals safely
This is where the move really comes together. The paper you have left after scanning is a pile of sensitive documents in one place. That pile is precisely what is attractive to anyone with bad intentions. So have this paper destroyed confidentially to a level that matches the sensitivity. For documents with personal data that is at least P-4, for ID numbers and special data P-5. That way the original disappears irreversibly while the scan stays safely stored. The difference between scan, keep or destroy is set out separately.
Not the bin or the recycling
The biggest mistake in going paperless is that the originals end up unseen in with the recycling. An open paper bin stands on the street for days and is accessible to anyone. A scanned client file lying on top of it is a data breach in the making. The same goes for the ordinary office bin. Personal data does not belong with residual waste, but in a closed, confidential flow. The GDPR expects you to protect data until it is destroyed beyond legibility, not until it lies in a bin.
The right DIN level
The DIN 66399 standard sets out how finely it must be shredded. When emptying an archive you choose the level for the most sensitive documents in the pile.
| Level | Particle size | Suitable for |
|---|---|---|
| P-2 | Strips | General print without data |
| P-4 | Small particles | Documents with personal data |
| P-5 | Very small particles | ID numbers, medical and special data |
An office shredder rarely reaches this level with large volumes. For a whole cabinet full of scanned originals, professional destruction is faster and more certain.
Sealed collection strengthens the chain
A safe move ends with a closed chain. The paper you have left goes along sealed and stays protected until it is shredded. So there is no moment where a scanned file ends up on the street or in an open bin. Within 20 km of Amsterdam we collect the documents from you, with no call-out fee. Across the country we work with pooled routes, so a fixed price is possible outside the region too. You know the price in advance, and no walk-in counter is needed.
The certificate as proof
After destruction you receive a certificate of destruction with the date, quantity and level. That document is your proof that the scanned originals were made illegible. Keep it with your record of processing, so that at an inspection or data breach you can show the paper disappeared properly. That way your paperless archive is not only digitally complete, but also demonstrably cleared out safely. What such a document states exactly is in the certificate of destruction explained.
Do not forget the old data carriers
A move to paperless working often brings old data carriers to the surface too. Expired backup tapes, written-off hard drives, USB sticks full of scans and old phones contain personal data just as much as the paper you clear out. Deleting a file or formatting a drive is not enough, because data often stays recoverable. So hand these data carriers over in the same collection. They are physically destroyed and the serial numbers go on the certificate, so the proof is traceable to the specific carrier. That way you cover the whole flow of personal data at once, on paper and digital.
Make one employee responsible
A paperless move stalls when nobody feels ownership of it. Appoint one person who guards the inventory, keeps the retention periods and arranges the collection. Record in a short guideline what counts as confidential, at what level you destroy and where the scans and certificates are kept. That way secure digitising becomes not a one-off action but a fixed part of your working method. That not only cuts risk, it also makes the next clear-out a good deal faster.
Checklist for going paperless safely
- Inventory which documents you have and what is in them.
- Scan legibly and completely, per file and searchable.
- Index with a fixed naming structure so you find everything.
- Store securely with access rights and back-ups.
- Check the retention period before you throw out an original.
- Destroy the originals to the right DIN level, not in with the recycling.
- Keep the certificate in your GDPR file.
Paperless in 5 steps
- Make an inventory of your paper flow.
- Scan and index what must be kept.
- Store the scans securely with back-ups.
- Have the originals collected and destroyed to the right level.
- Archive the certificate as proof.
Common mistakes
- Originals in with the recycling. Scanned documents with data should be destroyed confidentially.
- Scanning without indexing. An unfindable scan is in practice no scan.
- Destroying too early. First check whether the retention period has passed.
- Unsecured storage. An open network folder is a new leak.
What does destroying the paper cost?
You pay a fixed price per box or roll container, from about 30 euro for the first box. The certificate is included. Within 20 km of Amsterdam we charge no call-out fee, and through pooled routes a fixed price is possible nationwide too. A large one-off clear-out at the move to paperless working can thus be handled simply in one go. Anyone tackling that methodically often combines it with organising an archive clean-up day.
A real-world example
An accounting firm moves to a paperless archive. The client files are scanned per year, stored searchably and given a retention period. The paper originals whose period has passed go along sealed in a collection and are destroyed at P-5. The firm receives a certificate per collection and records it in the record of processing. A year later an inspection comes. Within a few minutes the firm shows that the files are digitally complete and that the originals were demonstrably destroyed. No loose piles, no risk.
Have your scanned originals destroyed?
Tell us what you have left after scanning and you get a fixed price. We collect it sealed, destroy it to the right DIN level and you receive a certificate as proof for your GDPR file. No call-out fee within 20 km of Amsterdam.
Request a quoteFrequently asked questions
Can I throw paper away after scanning?
Many documents can go after a good scan, but not just in with the recycling. Originals with personal data should be destroyed confidentially. Some documents must instead be kept on paper.
Which originals must I keep on paper?
Notarial deeds, some signed contracts with a wet signature and documents a law or contract explicitly requires on paper. For most administration a good, legible scan is enough.
How do I destroy the scanned originals safely?
Have the paper collected sealed and destroyed to the right DIN level. You receive a certificate of destruction as proof for your GDPR file.
Why not just put it in the recycling?
An open paper bin stands on the street for days. Scanned originals with names, ID numbers or bank details can be taken by anyone, with identity fraud as the risk.
Does this also apply to old USB sticks and drives?
Yes. Clearing out often brings up old data carriers. You can hand those over in the same collection, with the serial numbers on the certificate.
Conclusion
A paperless office is only safe once the move is complete. Scan legibly, index so you find everything and store securely. Check the retention period per document and have the scanned originals destroyed confidentially instead of throwing them in with the recycling. With a certificate as proof, your archive is digitally complete and demonstrably cleared out. That way paperless working delivers space and overview without handing you a data breach in return.
See also: start with the basics in clearing out old paperwork, then go deeper with digitising your archive then destroying it, the archive clean-up step by step and scan, keep or destroy.
Going paperless without risk? Request a quote via desnipperaar.nl or read how the certificate of destruction forms your proof. We collect the scanned originals sealed.