What to look for in a provider of electronic storage for documents containing personal data?

When it comes to the electronic storage of documents containing personal data, it's important to choose a suitable provider that will meet all the security standards and GDPR requirements regarding personal data processing.

What must a provider of e-storage for documents containing personal data ensure?

What should we check to make sure that the storage provider ensures the integrity, credibility, availability, usability and durability of documents throughout their lifecycle? 

Compliance, reliability and security come first

Long-term electronic document storage should involve much more than just uploading documents to a server; for example, labelling documents with metadata that are not part of the document contents but contain information about the document, or converting the document into a format suitable for long-term preservation. An appropriate provider of long-term electronic document storage ensures that:

  • Documents are accessible to authorized persons only, when they need them,
  • Documents can be quickly retrieved and used,
  • Document content is authentic and intact, and any modifications are only possible in exceptional cases and fully traceable,
  • Documents are stored in a suitable long-term preservation format (e.g. PDF/A).

Though the major web storage providers appear to offer realistic or inexpensive solutions at first glance, they soon turn out to be insufficient in meeting all of the above requirements. Two of the reasons why using such services is cheaper than using a certified electronic storage provider are:

  • accessing the document can take up to several minutes, while we usually provide the document within seconds,
  • they are not certified under the Slovenian uniform technological requirements and do not ensure the long-term usability and readability of documents.

Are you willing to accept such risks just to save some money?

Compliance with the GDPR

Inadequate document storage and unauthorized access to and sharing of documents containing personal data pose significant business risks.

Documents containing personal data normally cannot be accessible to all company employees. When choosing the best provider of electronic storage services, we should therefore verify whether the provider enables multi-level classification of user rights and creates an audit trail of user activity. Thus we will be able to avoid the risk of unauthorized viewing of personal data.

  • When choosing the provider, did we consider their privacy policy?
  • Does the provider enable audit trails and how does it ensure reliability and security?

The GDPR allows the transfer of personal data to third countries or international organizations, while ensuring a high level of personal data protection. It is therefore important to know where our data are stored. Both the data controller and processor are bound to comply with the provisions of the GDPR.

Compliance with GDPR requirements

Reliable references, years of experience, and expertise

To ensure the security and compliance of document storage, the provider shall maintain a high level of information security and regularly upgrade security mechanisms to deliver the required quality and security of electronic storage. The provider can demonstrate compliance by acting in accordance with the ISO/IEC 27001 and other standards and good practices regarding information security.

It is advisable to hire a provider whose services and equipment are certified by the Archives of the Republic of Slovenia. Thus we will avoid the risk that our chosen provider does not act in compliance with the regulations governing e-storage.

We also need to verify the provider's references and their experience in the storage of electronic documents, which can be evident from the volume of documents in storage. For example, at Mikrocop, we electronically archived 44 million documents last year alone, and altogether we've electronically archived nearly half a billion electronic documents.

Special attention has to be paid to the professional attitude, experience and qualifications of the experts employed by the provider, as these are the key to the integrity, security, confidentiality and availability of electronically stored data and documents. One way to check this is by paying the provider a visit.


Grega Vozel

Grega Vozel acts as the Personal Data Protection Officer (DPO) for Mikrocop and its business partners. In his work, he strives to ensure the highest ethical and legal standards. He does not accept compromises when it comes to the protection of personal data of customers and employees.