As the GDPR governs what data you have, where you have it and how you use it, you will need to audit and map your data processes—including document storage and destruction. There’s much to do to be compliant. Here’s a basic rundown for those less-versed in the GDPR that are also just good records management practices.

Designate a DPO. Article 38 and 39

The GDPR outlines the role of a Data Protection Officer. They can have other tasks and duties not related to data protection, so long as there is no conflict of interest. You may want to consider expanding the role of your information managers. The DPO is responsible for any activity in which Data Protection is a factor—maintaining of compliance, making sure auditing tasks are being done, and training.

Secure Your Customer Data. Article 32

Perhaps most importantly, according to GDPR, you must secure your customer data. Theft of digital data is a common crime. Data breaches are at an all-time high, and GDPR places the burden of security and reporting breaches on the company. So, it’s more important now than ever before to protect your business from data theft. This is another situation where an audit trail can help, too.

Index your files for easy accessibility.

Sort, label, and create a searchable inventory that you’ll be able to access easily and securely. You can use these six Dewey Decimal fundamentals to help you store and find your files. If you do not index your files, you will find it difficult to meet many of the requirements of the GDPR.

Chain of Custody to track your file’s whereabouts. Article 30

The chain of custody keeps tabs of every document over its entire lifecycle. In short, it’s a log that tracks every file’s whereabouts, along with indexed information.

Training and Educating. Article 39

Once you identify all sources of customer data, classify that data, and document how long they must be saved, and when it’s ok to destroy it—share this plan with your team and make sure everybody follows it stringently. Here are some other tips on how to create awareness.


3 areas where you may want to consider using external partners.

  • Decisions and advice need to come from legal experts and reflect your situation.
  • A security audit may help you find holes in your security you are not aware exist.
  • The right records management partner can assist you in executing your compliance plan by taking care of indexing, security, and ease of access for your records.