Chain of Custody – what is it and how to avoid data security penalties?

Chain of custody is a chronological paper trail that records every stage of a document’s lifecycle. In this guide, we’ll explain how it works, why it’s important and how to make sure your suppliers have the accreditation you need to avoid data security penalties.

A paper-lite workplace is desirable for almost every business. Especially given the amount of Personal Identifiable Information (PII) that can be found on hard copies.

But how can you digitise business processes that have previously relied on paper? Where do you start?

The challenge can feel insurmountable. For many, there is another factor influencing the decision as to whether digital document management will be right for their organisation: fear.

Not only fear of change but fear of letting another company access their clients’ personal data.

Before GDPR, when secure documentation was passed to a third party supplier, that supplier owned the data and took full responsibility for the security of the information.

For some companies and organisations, this was a benefit. It was no longer their responsibility. They didn’t have to keep records up to date or store documents in costly on-site storage facilities.

But following GDPR, the supplier and the customer are now jointly responsible.

Which makes choosing the right supplier more important than ever.

How can you choose the right supplier?

Document management, scanning and archiving can be a complicated market. Some suppliers offer the whole package, some offer parts of it. Others say they offer everything but, in reality, use third parties.

When I talk to customers I’m often amazed to hear that they have stored documents with suppliers but have no idea what documents are there. When I ask if they know what the retention dates are, I am often met with a blank stare.

Do you know who is managing your records, where they’re stored and who had access to them? Can you generate a report that chronicles each document’s history?

Being compliant is knowing when you need to do something

Part of being compliant is knowing when you need to destroy files. Without a proper auditing/review process it’s going to be almost impossible to keep track.

GDPR has made it clear that you need to be able to provide a Chain of Custody for each document. This record has to detail every person who touched/had access to the document, the dates and what they did with it.

Chain of Custody – what is it?

A record of:

  • Name of the person handling the document
  • How many times it has been handled
  • When the document was requested
  • Description of the document

From this information you will easily know:

  • Where your records are stored
  • How to retrieve them quickly
  • Who requested the files

When choosing a supplier, you need them to guarantee these points and prove that they have the proper accreditation.

The Chain of Custody also applies to the collection of users’ data and the consent gathered how that data is used. With the newly-introduced shared responsibility, this also means other providers and suppliers in the data chain have to be compliant with GDPR.

Many companies are looking for digital solutions to increase efficiencies, reduce the amount of paper and be more secure. The Chain of Custody will provide a clear audit trail for the process of converting an original paper document to a digital record.

If done correctly, with companies that are fully certified, courts will accept the scanned document, meaning you can destroy the original and reduce the storage space needed.

What certifications/compliance standards to look for?

What’s important is to do your due diligence on the supplier/s you’re considering working with.

There are four main accreditations that you should look for (more information on each can be found in the appendix at the bottom of the article):

  • ISO 9001 Quality Management
  • ISO 14001
  • ISO / IEC Information management security
  • BS 10008 Legal Admissibility of Electronic Information

You should also ask for information on your supplier’s suppliers.

They may offer digital scanning but outsource this to a third party. You’ll need to know their accreditation as well. In my experience, this is not often the case and is why it is important to be vigilant.

How a leading news network reduced HR document retrieval times from 24 hours to seconds

I recently worked with a local news network to transform their HR operations. They were looking to reduce costs and improve efficiency by centralising core business support, admin and back-office functions.

Historically, hardcopy records were held at local offices across England and Wales. Processes, such as managing staff recruitment or departure were becoming complex, costly and lengthy.

HR information was recorded and filed inconsistently. There was no standard format for recording and cataloguing employee data. As a result, local managers struggled to access information quickly.

By scanning and digitising thousands of HR records and creating a cloud-based, easy-to-access system, everyone who needs to access records can do so. All the information is secure and there is a documented Chain of Custody at all times.

If you’re interested in learning more about how scanning and archiving can streamline processes and help you control costs, download our free ebook.



ISO9001 – Quality Management

This standard sets out the requirements for a quality management system, which helps businesses and organisations to be more efficient and improves customer satisfaction.

Organisations and businesses must define the objectives themselves and continually improve their processes in order to reach them.

ISO14001 – Environmental Management System

The international standard that specifies the requirements for an effective environmental management system. It provides practical tools to manage environmental responsibilities and evidence that a systematic approach is in place.

ISO/IEC27001 – Information Management Security

This certification shows that the supplier you are looking to work with has a systematic approach to information security and managing risk.

It sets out the requirements for an information security management system (ISMS), which is a series of policies and procedures to ensure sensitive information remains secure.

BS10008 – Legal Admissibility of Electronic Information

This is a British standard that outlines best practice for the implementation and operation of electronic information management systems.

This includes migrating paper records to digital files and storing and transferring electronic information between systems.

It also offers guidance on how to manage access to information or records that may be required as legal evidence.

Sarah Sanders

Business Development Manager - Business Process Services - Ricoh UK