GDPR and Paper Files: What Your UK Business Is Required to Do
Many businesses apply GDPR thinking to their digital systems and ignore their filing cabinets. That's a compliance gap. Our full document management GDPR compliance guide covers both. This article focuses specifically on the obligations around paper documents.
GDPR Applies to Paper
UK GDPR applies to "processing of personal data," which includes storage — regardless of whether that storage is digital or physical. A filing cabinet full of customer records is in scope. A box of employee files in a back office is in scope. A stack of CVs from last year's recruitment campaign is in scope.
This means the same obligations apply: you must have a lawful basis for keeping the data, retain it only as long as necessary, protect it from unauthorised access, and be able to respond to subject access requests.
What Your Paper Files Require Under GDPR
Retention limits
The storage limitation principle requires that personal data is kept "no longer than necessary for the purposes for which it is processed." For paper files, this means: you need to know what's in your filing cabinets, why you're keeping it, and how long each document type should be retained. Most businesses that haven't done a paper audit have documents in filing cabinets that should have been destroyed years ago.
Access controls
Paper files must be protected from unauthorised access. In practice: filing cabinets containing personal data should be locked when unattended. Files containing sensitive personal data (health records, financial data, HR records) should have restricted physical access — not left in open-plan areas accessible to everyone. Visitors should not be able to access areas where personal data files are stored.
The ICO has issued fines and enforcement notices for exactly this — personal data left accessible in unlocked filing cabinets in areas accessible to visitors or cleaning staff.
Subject access requests
An individual can ask for copies of all personal data you hold about them. You have 30 days to respond. For digital data, this is manageable — search by name, compile results. For paper data, it requires physically searching filing cabinets, archive boxes, and any other paper storage. If you hold 10 years of paper records across multiple locations, a subject access request can be extraordinarily time-consuming to respond to.
Secure disposal
When documents containing personal data are no longer needed, they must be securely destroyed. Putting them in a recycling bin is a data breach. Putting them in a general waste bin is a data breach. Acceptable methods are: cross-cut shredding (not strip-cut, which can be reassembled), confidential waste sacks collected by a certified disposal company, or an on-site shredding service for large volumes.
The ICO and Paper GDPR Breaches
The ICO regularly acts on paper-based GDPR breaches. Common incidents:
- Documents found in public bins or recycling — fines of £2,000–150,000
- Personnel files left accessible after office closure or during building works
- Patient records found in skips during NHS estate work
- Customer records sent to wrong address (manual filing error)
- Documents removed from secure premises by staff and lost
Paper breaches are often more serious than digital ones because they can't be reversed — you can't "revoke access" once a paper document is in the wrong hands.
How Digitisation Helps GDPR Compliance
Going digital doesn't automatically make you GDPR-compliant — but it makes compliance far more manageable:
- Retention automation: Retention labels flag or delete documents automatically — no manual date-checking
- Subject access requests: Search by name returns every document containing that person's data in seconds
- Access controls: Granular digital permissions are more reliable than locked filing cabinets
- Audit trail: Every access logged — evidence of compliance if challenged
- Secure disposal: Digital deletion with audit log vs manual shredding management
Immediate Action List
- ☐ Audit your paper files: what personal data do you hold on paper?
- ☐ Identify documents past their retention period and arrange secure destruction
- ☐ Ensure filing cabinets with personal data are locked when unattended
- ☐ Establish a secure disposal process for documents no longer needed
- ☐ Document your retention schedule in writing (required for GDPR accountability)
- ☐ Test your ability to respond to a subject access request — how long would it take?
Make GDPR compliance manageable
A DMS with retention rules and audit trails handles the compliance burden automatically.