The European Union’s comprehensive General Data Protection Regulation (GDPR), restricts the way companies can use, manage, and retain customer and employee data. Since so many documents today are stored online, many people assume the new law applies only to electronic files.

But that’s not true. The GDPR grants rights to customers, employees, or anyone else whose personal information you hold, and the rights apply just as much to paper documents as electronic ones.

Do GDPR data storage requirements apply to paper records? Yes. GDPR data storage requirements apply to all records, whether paper or digital.

The law also requires that you notify authorities and customers in the event of a data breach. When we hear the phrase “data breach,” we think of cybersecurity and online information. But a sensitive document left behind in the printer, on a desk, or in a coffee shop also constitutes a breach.

Penalties can be severe. In addition to giving companies a black eye, a data breach—or a breach of any of the GDPR records management rules—can result in a fine of up to 4 percent of annual revenue or 20 million Euros ($23 million), whichever is greater.

Here’s what you need to do to secure your paper documents and stay on the right side of the GDPR data storage requirements.

Be Aware of Employee and Customer Rights

Businesses are expected to always provide security for sensitive personal data. They also must be transparent about the information they collect and provide ways for people to opt out or delete their personal information. (Deletion requests do not apply to information companies are required by law to retain.)

Under the GDPR storage requirements, people have a right to know what information you have collected about them and what you’re doing with it. If someone files a request, you are required to provide a free electronic copy of personally identifiable information, whether it currently exists on paper or online.

People also have the “right to be forgotten,” meaning that they can request that a company erase personal data it has collected about them and stop processing it and disseminating it to third parties. In the event of such a request, the company is required to erase the data “without delay.”

Businesses can’t hold onto private data forever. Article 5 of the GDPR says that personal data should be kept “for no longer than is necessary for the purposes for which the personal data are processed.” It also says companies must do all they can to ensure that the data is accurate. If errors are pointed out, they must be corrected right away.

Retrieve Data Quickly

To provide copies of personal data quickly, correct errors, and erase it on demand “without delay,” you need to be able to find it without spending hours or days sorting through file cabinets or boxes. That means you need to establish an efficient document tracking system that will tell you exactly where a document is at all times. Some systems can also alert you if an important document is missing.

Manage Records Retention and Erasure

Erasing an online document is as easy as pressing the delete key. For paper, it’s more complicated. How do you know there aren’t other copies floating around?

To minimize compliance problems, you need to know where your personally identifiable data lives. If it’s customer information, it’s probably in sales and marketing. If it relates to employees, it’s probably in HR. Some private employee information may be shared with your insurance company.

Make sure that all departments dealing with personal data store their original documents securely. If you’re running short of space, consider using secure off-site storage.

Documents You Should Never Destroy

Tax Records

Business tax returns should be kept permanently. All supporting documentation for the tax returns should be kept for seven years.

Corporation and LLC Records

Keep the official business records of the organization permanently.

Property Documents

Documentation related to real estate, vehicles, and equipment

Contracts and Legal Documents

Keep all legal correspondence and any documents related to any legal claims or lawsuits. This includes patents and partnership agreements.

Train Employees

Make sure that everyone in your organization who handles personal information knows the rules for retention and deletion.

Include a discussion of physical documents in your company-wide security training. Remind employees not to leave documents in the printer and have a procedure in place for those who find unattended documents. Make sure workers understand the dire potential consequences of removing sensitive documents from the office.

Don’t Forget About Your Printer

Leaving documents behind is just the beginning of problems that can be caused by today’s multifunction printers. Because these machines can be connected to the internet, they can provide a gateway for cybercriminals to steal your information.

On the other hand, if they’re managed correctly, they can be a boon to security. They can be programmed to recognize words like “confidential” or “PII,” automatically encrypting those documents. They can hold documents in a secure queue, allowing only certain users to copy or scan them so that they won’t fall into the wrong hands.

Don’t just install your multifunction printer and assume the default settings will protect you. They won’t. Talk to your IT department about developing a security protocol that fits your organization’s needs.

Don’t ever forget that despite its frequent mentions of electronic documents, the GDPR data storage requirements apply every bit as much to paper. All it takes is a single W2 form left behind or an extra copy of an old customer survey to get your company in a heap of trouble. Take the time now to review GDPR record management rules and revamp your records and information management procedures to meet them—before it’s too late.

To learn about how GDPR storage requirements concepts are finding their way into U.S. data privacy regulations, read our blog, California’s New Data Privacy Law: What HR Teams Need to Know, and subscribe to the blog.