Privacy regulations often specify whether they apply to paper-based processing or not. It is essential for organizations to understand the scope of the regulation before starting the privacy program implementation, as there might be cases of personal data processing in hard copies which may be missed if the scope is not interpreted properly. For example, Article 2 of Qatar’s Personal Data Privacy Protection Law clearly states the scope of the regulation with respect to digital and non-digital processing of personal data.
Art. 2 Qatar PDPPL: Provisions hereof shall apply to Personal Data when it is electronically processed, or obtained, gathered or extracted in preparation in any other way for electronic processing, or when processed via a combination of electronic and traditional processing.
According to this Article, any personal data which forms part of a combination of electronic and traditional processing falls under the scope of the regulation. Thus, organizations need to take a holistic approach to identifying personal data collection touchpoints and implementing Data Privacy controls accordingly. For example, if a retail organization collects name, contact number, date of birth and email address on a hard-copy form for customer registration in a loyalty points scheme, then this processing activity falls under the scope of the regulation. Similarly, if a bank collects personal data of potential customers via hard-copy forms for the customer onboarding process, it falls under the regulatory scope.
Now that we know personal data is collected on hard-copy forms, how do we implement the required controls to ensure compliance? Before we get to that, let’s look at some of the key challenges organizations might face while implementing a privacy program.
- Integration of paper-based processes with digital processes
- Collecting consent in paper-based form and maintaining consent in digital form
- Determining retention periods for paper-based records and for their digital form
- Addressing Data Subject Rights (DSRs) for paper-based records
- Additional security controls to protect paper-based personal data
- Providing a privacy notice at the point of collection of personal data (on paper)
- Maintaining accuracy of data and avoiding human error while digitizing personal data
It’s a complex process to implement a privacy program in an organization which processes personal data in hard-copy format. Having said that, it is not impossible: it can be achieved by establishing end-to-end data privacy controls, maintaining stricter governance and creating awareness of privacy processes at all levels of the organization. Often, personal data in this format is collected at billing counters, receptions, etc., where the staff deployed do not undergo training related to Data Privacy, which leads to a bigger gap in privacy operations.
Organizations may consider the following steps to understand such processing of personal data and to protect it.
- Identify Data Subject touchpoints and understand whether any personal data is collected in hard-copy format
- Check the feasibility of digitizing the process
- If digitization is not possible, consider alternative options to implement privacy controls such as notice, consent, etc.
- Establish mechanisms for DSAR fulfilment and Data Retention
- Govern the security controls implemented to protect the documents
- Incorporate personal data protection protocols in Document Management plans
- Include such processing in the PII inventory and the Record of Processing Activities (RoPA)
- Similar to PII labeling in databases, enable PII labeling for hard-copy documents
- If hard-copy files are transferred outside the collection location, ensure that appropriate security controls are implemented
- Follow all the Data Privacy principles while collecting data in hard-copy format
While the world is shifting towards digitization, there may be cases where hard-copy processing of personal data is still needed by organizations. In such situations, the Data Privacy Office must take this factor into consideration while creating the Data Privacy Strategy and implementing the program. Implementing appropriate controls to protect such documents will not only help with regulatory compliance, but also improve customer trust.