Part 5: Records Management & Security

Accountabilityis one of the 7 Principles under the GDPR (General Data Protection Regulation). To ensure businesses comply with their accountability obligations, the ICO has now created a framework that breaks down the key elements of accountability in data protection.

As part of an ongoing series of blogs, CVG Solutions will be guiding you through the ICOs 10 framework categories, taking a closer look at the importance of each aspect and how to adhere to them.




Records management and security are one of the most in-depth and important aspects of the ICO’s framework and a legal requirement of the GDPR. When the framework stipulations are applied correctly they enable sound data governance – which is essential for good data protection – and avoid any inefficiencies.

Having an effective records management system in place helps to support access to information, which in turn enables more effective use of resources, so you can easily find and access historical data.

Creating, locating and retrieving records
Firstly, records must be classified, be clearly titled and indexed for easy management, retrieval and disposal. It is up to an organisation to retrieve all missing or unreturned records.

A central information asset register should be maintained to keep tabs on all manual and electronic record-keeping systems and their whereabouts. Any off-site data transfers should therefore have a unique reference to allow easy tracking and retrieval, ensuring an appropriate level of security.

Appropriate security measures must be outlined in a transfer guide or written into policy, such as:
– Data encryption
– use of a secure courier
Agreements should also be in place with any third parties used to transfer any data.

Data quality
Organisations need to have effective procedures in place to ensure any records containing personal data are accurate, adequate and necessary, following the minimisation principle.

To achieve this, data quality assessments should occur periodically. These assessments can then be used to identify opportunities for pseudonymisation, anonymisation and minimisation.

To prevent a recurrence, all staff must be made aware of any data quality issues after quality checks or audits are carried out. Records should be ‘weeded’ regularly following the organisation retention policy and schedule.

Destruction of data

Paper documents should be cross-shredded or incinerated either in-house or via a third party. If using a third party, proof of destruction is required through audit checks or destruction certificates. Commercial Waste Connections Ltd offer reliable and secure paper shredding services to businesses across the UK –

Data held on electronic devices must be securely wiped or degaussed, or the hardware securely destroyed, and all equipment and confidential information that is sent for disposal must be logged.

Authorised (and unauthorised) access

Access to personal data should be on a need-to-know basis: strictly limited to authorised staff whose job role requires them to have access to the information. This must be executed following the principle of least privilege (read/write/delete/edit). Users’ access rights must be logged carefully and reviewed regularly. Formal user access provisioning procedures should also be in place to give access to permanent and temporary staff, with processes in place to remove or add access to leavers and new starters (access to leavers must be removed immediately after leaving the organisation).

Security is key

Appropriate passwords, malware and antivirus prevention tools, as well as internal and external firewalls, should be in place to protect the data from unauthorised access. Emails and attachments containing any personal data should also be encrypted and the use of social media and messaging apps must be prohibited or at least under strict control.

It’s also important to ensure any unsupported operating systems are NOT in use (such as Windows XP or Windows Server 2003), and intrusion detection systems are regularly updated.

Business continuity, disaster recovery and back-ups

Organisations should adopt risk-based business continuity and disaster recovery plans to manage disruption and ensure continuity of service and security. Back-ups should be stored off-site, with back-up and recovery processes tested regularly.

A lot to consider

As previously mentioned, records management and security is a dense subject matter and there are many stipulations to follow, so if you’d like some support in breaking them down and making them easily applicable to your organisation then CVG Solutions can help. Contact info is at the bottom of the page.

For any changes to data protection and transferring policies as a result of Brexit, or a full breakdown of what privacy information includes, get in touch with CVG Solutions and we can help guide you through everything you need to know and ensure you meet all the requirements laid out by the ICO.

Check back for monthly updates and information regarding the ICO Accountability Framework. In March, we’ll be taking a closer look at Policies & Procedures. You can also read our other blogs in the series on:

Leadership & Oversight (Part 1) 

Training & Awareness (Part 2)

Transparency (Part 3)

Contracts and Data Sharing (Part 4)


If you require any further help, guidance, information or clarification, you can contact CVG Solutions at, or call us on 01775 660-506. Additionally, you can fill out a digital self-assessment form on the ICO website, here .


CVG Membership

As a brand new addition to CVG Solutions, we launched a membership option last year. Sign up for announcements and updates as they happen, so you don’t miss out on future entries of our Guide to the ICO Accountability Framework blog series.  Just simply email us if you would like to be added to the mailing list at

Records Management and Security Checklist

Not entirely sure whether your organisation is complying with the regulations laid out by the ICO? No problem, just use this checklist to see where you might be going wrong:

  • Do staff know how to classify and structure records appropriately?
  • Is the asset register kept up to date?
  • Have there been any issues locating records?
  • Are staff aware of the policies and procedures and do they follow them?
  • Could staff demonstrate the process for conducting data quality reviews?
  • Do staff understand their responsibilities and do they know what to do if they identify issues?
  • Are staff aware of the retention schedule?
  • Do they adhere to it?
  • Could staff explain what their responsibilities are and how they carry them out effectively?
  • Is there a secured location for waste collected daily until collected for disposal internally or by a third party?
  • Is there a secure storage area for equipment awaiting disposal?
  • Is the register accurate – could you use it to find equipment around your office?
  • If we selected a sample of software, could you demonstrate that the details in the register are correct?
  • Are third-party access rights assigned appropriately given what is required in a contract?
  • Are access rights correct and up to date?
  • Would a sample of new starters, movers and leavers show adherence to the policies and procedures?
  • Would a sample of systems access at various job levels confirm that you apply access levels appropriately?
  • Are the passwords complex?
  • Could staff demonstrate that anti-virus and anti-malware has been implemented on key information systems?
  • Do you install vendor updates in a timely manner?
  • Could we access a black-listed site or an unsupported operating system on-site?
  • Can staff find the policies and procedures?
  • Would a sample of devices have appropriate encryption?
  • Could you demonstrate appropriate access arrangements for home or remote working?
  • Are staff working from home or remotely aware of the authorisation requirements?
  • Are printer/fax areas secure?
  • Do staff follow protocols and are they clearly communicated?
  • Would we see appropriate environmental controls in your secure areas?
  • Would a tour of your offices reveal an effective clear desk policy?
  • Are screens left unlocked?

About the Author

Cristina is recognized as a leader in the GDPR industry and has 25+ years of experience working for large international corporations. During this time Cristina has acquired an extensive knowledge and practical application of data protection, risk management and compliance.   Cristina uses all of her expertise in helping her clients of all sizes to improve their understanding of the GDPD, how it can strengthen their brand, and how it can support them to drive business growth.  Cristina is the creator of the ‘GDPR 3 Stages Maturity Lifecycle’ and of the ‘GDPR Toolkit’.  Click here to know more.