Is the NEW WAY OF WORKING putting businesses at more risk of data brea

Q: How does the General Data Protection Regulation (GDPR) relate to shredders and shredding?

GDPR requires organisations to apply sound security practices to all electronic and paper-based personal data with respect to its collection, storage, access and disposal. Part of the requirement is to put plans in place for what should happen in the event of a breach. Whilst electronic data security has been prioritised by many organisations for many years, the security of paper based personal data is often neglected or overlooked. Statistics indicate that around 40% of data breaches may be paper based. A clear and firm document shredding policy is required supported by robust GDPR compliance process.

Q: Why shred?

All potentially sensitive information of both a personal and business nature should be disposed of securely to avoid the risk of corporate fraud, identity fraud, industrial espionage and even international espionage – for example, if you are a contractor or supplier to the government, MOD, NATO, etc. Despite a great deal of publicity and adverse headlines, even now, many organisations and individuals still throw out confidential documents without thinking of the potential consequences should the files end up in the wrong hands. Since the Data Protection Act was passed in 1998, companies are obliged to protect hard copies of information on individuals or organisations that could put that person or organisation at risk should the information become public knowledge. The General Data Protection Regulation (GDPR) of 2018 further increased the responsibility of businesses and organisations to protect the personal data of UK and EU citizens.

Keep it Confidential Survey 2022 . A report on SHREDDING in a hybrid working world brought to you with the kind support of Fellowes.

Find the full range of Fellowes shredders on our website by clicking the logo below:

Early in the pandemic, everyone’s focus was on ensuring their services were able to continue rather than considering the risks associated with the necessary changes. Employees also didn’t have time to adjust to the new way of working and several studies have highlighted the bad habits around data security that have been picked up while working from home during the pandemic.

Fast forwarding to 2022 the way we work has evolved quickly, with more of us than ever embracing hybrid working as part of the post-pandemic return to the office. But have companies acted and have processes been adjusted, or is the new way of working putting companies at more risk of data breaches?

Fellowes found that the answer to that question is - Yes. Half of their participants in the study believe that hybrid working may have increased the amount of sensitive information being lost or in breach of GDPR rules. Paper documents were not necessarily the first thing companies would worry about when thinking of their security policies, but the swift transition to hybrid working has meant thousands more documents travelling between home and work every week. This raises important questions about confidential paperwork and how we’re protecting it, in a world where a lot of employees no longer work in just the corporate office.

To build on Fellowes’ 40 years of shredder expertise, they wanted to uncover how people are securing and shredding documents in this expanded hybrid working world, as well as how organisations are complying with GDPR (General Data Protection Regulation), 4 years after its implementation. Fellowes' research, in partnership with B2B International, covered 605 shredder users across France, Germany and the UK, working in financial services, the public sector and healthcare.

In this report, we will take a deep dive into trends and behaviours around data security in this ever- evolving work environment and we hope we can guide businesses through this phase of change. Because securely destroying sensitive paperwork, wherever you work, is vital to containing the security risks that every organisation faces.

GDPR and data protection in a hybrid working world

Fellowes' research has shown that 8 out of 10 respondents have adopted remote working, either full or partially. Hybrid working – a combination of on-site and remote working – may have brought more flexibility and variety in choice of workplace, but it also presents the on-going challenge of ensuring people understand confidential working and applying of good data protection principles, in all locations.

Whether your staff are working in the office, at home, in shared working spaces or anywhere else, you need to manage their security risks. This starts with making sure you look at some of the areas that might cause new risk to your organisation. For example, you should have strict policies around staff using their own computers, tablets and smartphones for work purposes as you will have less corporate control over how those devices are configured and used. Another area of concern is the use of public and home Wi-Fi, as well as weak and reused passwords. Both areas are a common point of intrusion for cyber-attacks and clear instructions have to be shared with employees to make sure they and the business are protected.

In no surprise to us, paper documents pose one of the most underrated risks to companies. With so much being digital in today's work environment people often forget to include the element of paper data in their security policy. However, it is important to highlight that the majority of businesses (68%) that have taken part in the Fellowes study have indicated that they handle a large amount of sensitive printed information on a daily basis. 70% of all respondents have either taken printed work documents home, printed work documents at home or both and just shy of half of this group has then put these documents in a wastepaper or recycling bin without shredding them. Furthermore, 46% of all respondents have seen people leave confidential work-related documents unattended. This should be of big concern to businesses. Even if there seems to be strict policies on shredding sensitive information across European companies, these guidelines are often not followed outside of the office. Whether it’s in a corporate office or home workspace, sensitive paper data must be locked away when not in use, and securely shredded once it is no longer needed for the purpose it was acquired.

The Fellowes study also has revealed, that even after 4 years – only 60% overall are familiar with GDPR and just 1 in 4 businesses have adapted their policies to include home working or remote working in general. Regulators such as the Information Commissioner’s Office (ICO) made allowances for the pressure the pandemic put businesses under. However, with most
restrictions being lifted across Europe, the ICO will be less lenient, so it is essential to act now if you are making hybrid working permanent. You need to make sure that polices are reviewed and updated so that it reflects the new way of working and covers potential data breach risks.

Once these policies are updated it is important to have a strong implementation and communication plan in place. The research highlighted a clear disconnect within organisations. Whereas the majority (83%) of respondents in more senior job roles seemed to be aware of GDPR and would actively follow the companies’ data protection rules and regulations, only 57% of respondents in more junior roles where familiar with GDPR and therefore would not be following the guidelines, no matter the working location.

What can businesses do to help their staff be compliant with privacy and data policies?

Update of policies

Think about your Bring your own device (BYOD) policy - if employees use their own devices when working from home.
Highlight public and home Wifi as a threat and what staff needs to do to use them safely.
Review and adapt your policies around printing, storing and disposal of paper documents and add a section around storage and disposal of documents in the home office.
Review your password security policies. The National Cyber Security Centre (NCSC) currently recommends using three-word passphrases rather than passwords. Additionally, you should consider multifactor authentication.
Your policy should state that before disposing of, selling or donating an old computer or hard drive, all data has to be fully erased from the hard disk.

Training

Don’t assume everyone understands GDPR. Educate all employees on GDPR requirements, personal data handling and the six principles of data protection. Training should be given to all new starters and as part of regular data security refresher sessions.
Provide a checklist for your employees of areas that could pose a risk for a data breach - you could also let them do a Data Security Health check.
Make sure your training covers sensitive paper documents and how to handle these. Which documents and records need to be stored for fixed amounts of time and which ones should be destroyed straight after they are no longer needed.
Add a training module around data security in the home office that highlights the new additions to your policies.
Consider an online training portal so you can track the status of everyone’s training and set a fixed deadline.

Equipment

To avoid issues with BYOD we would advise for the company invest in laptops rather than desktops - this way the equipment can easily be taken in between the home and the corporate office.
Invest in superior anti-virus and firewall systems.
Make sure that your staff have access to a shredder in the corporate office. Additionally, employees working from home should be equipped with a small or home office shredder.
For highly confidential or personal data like addresses, invoices and balance sheets opting for a micro-cut (P-5) shredder as the smaller particle size provides superior security making data impossible to read or recover.
Ensure a productive and safe workspace for your employees by taking into account jam prevention and safety features when looking for a shredder.

Communication

Communication is key across all levels of the business. Avoid knowledge gaps in more junior level positions.
Data security should be covered in the next site meeting as well as in smaller groups during the monthly team meetings and 1-1 catch ups.
Put reminder posters up across the business - but also include the update to the policies in your newsletter and post it on your intranet.
Sharing of best practices and any phishing or cyber-attack threats with the business so everyone can watch out for them.
Make Data Security part of quarterly business reviews.

What can employees do to avoid data breaches?

Understand what data is sensitive and needs to be protected.

Any documents that contain personal data and business records should be safely shredded in line with legal requirements on the retention of data.
Make sure you are aware that every country has its own required period for the storage of contracts, business agreements and similar documents. Once these retention requirements are fulfilled, document destruction is the best way to free up storage space and protect confidentiality.
Receipts, deposit slips and bank statements can usually be shredded once they have been reconciled with accounts.
HR records should be regularly checked, and once they have reached their legal expiry date, they must be destroyed. GDPR requires HR departments to demonstrate why they are keeping data on employees past and present and justify why they are keeping any data beyond the required retention period.

Safe storage or disposal of paper data

Shred as you go along, if that is not possible, shred all sensitive paperwork before recycling or disposing of it, ideally without needing to take the risk of transporting it from home to office, or vice versa.
Never leave sensitive paper data lying around unattended at home or in the office. Always clear your desk at night and lock away protectively marked papers and all removable computer media before you leave your workstation.
Regularly review the data you hold and where possible anonymise personal data as soon as it is no longer needed.

Using a shredder to safely destroy confidential paperwork should be part of our daily routine, wherever we work.

Previous article Next article

Recover password

Create my account

Is the NEW WAY OF WORKING putting businesses at more risk of data breaches?

GDPR and data protection in a hybrid working world

What can businesses do to help their staff be compliant with privacy and data policies?

What can employees do to avoid data breaches?