What shredder do I need to be GDPR compliant?

Q: How does the General Data Protection Regulation (GDPR) relate to shredders and shredding?

GDPR requires organisations to apply sound security practices to all electronic and paper-based personal data with respect to its collection, storage, access and disposal. Part of the requirement is to put plans in place for what should happen in the event of a breach. Whilst electronic data security has been prioritised by many organisations for many years, the security of paper based personal data is often neglected or overlooked. Statistics indicate that around 40% of data breaches may be paper based. A clear and firm document shredding policy is required supported by robust GDPR compliance process.

Q: Why shred?

All potentially sensitive information of both a personal and business nature should be disposed of securely to avoid the risk of corporate fraud, identity fraud, industrial espionage and even international espionage – for example, if you are a contractor or supplier to the government, MOD, NATO, etc. Despite a great deal of publicity and adverse headlines, even now, many organisations and individuals still throw out confidential documents without thinking of the potential consequences should the files end up in the wrong hands. Since the Data Protection Act was passed in 1998, companies are obliged to protect hard copies of information on individuals or organisations that could put that person or organisation at risk should the information become public knowledge. The General Data Protection Regulation (GDPR) of 2018 further increased the responsibility of businesses and organisations to protect the personal data of UK and EU citizens.

Source: HSM Shredders - https://eu.hsm.eu/en/know-how/shredding/protecting-data/gdpr-compliant-document-shredding/

Find the full range of HSM shredders on our website by clicking the logo below:

Despite the legal obligation created by GDPR, using a shredder with an inappropriate security level or not using a document shredder at all are still amongst the most common data protection shortcomings. Documents with personal data should not be simply discarded, but must be shredded in a GDPR-compliant paper shredder.

Which data should be destroyed according to GDPR?

It is generally considered best practice to shred all documents in hard copy form to be on the safe side, but critically GDPR states documents with personal data must be shredded. According to the GDPR it is personal data which, above all, must be destroyed.

What are personal data?

According to GDPR, it is essential to destroy data which refer to a person. These are, above all, data which can be assigned to a natural person or which refer to a natural person. They are all individual pieces of information about the personal or factual circumstances of a person. For example:

• Name
• Age
• Address
• Marital status
• Body height and weight
• Phone number
• E-mail address
• Licence plate
• Health data
• Value judgments such as certificates
• Account number
• Personnel number
• Racial and ethnic origin
• Political opinions
• Religious or ideological beliefs
• Trade Union membership

What is best practice for GDPR compliant document shredding?

If you use a document shredder which does not meet data protection requirements, you may have a data protection breach. This means that the data will not be destroyed in compliance with GDPR. It is therefore vital to use a shredder which is GDPR compliant.

Which document shredders are GDPR compliant?

If files and documents contain personal data, their destruction in accordance with data protection laws must be carried out without fail. The use of a GDPR-compliant document shredder is recommended for this purpose.

But when is a document shredder GDPR compliant?

The old international standard DIN 32757 for shredder security levels was superceded by DIN 66399 some years ago.

The storage media containing our confidential data and information are now many and varied. Along with paper, the classic data medium, digital data media now also plays a major role. The DIN 66399 standard takes this diversity into account, and defines what security means for all our modern media.

DIN 66399 supercedes DIN 32757 and describes the requirements for machines and processes for shredding data media. The standard was developed by the Standards Committee for Information Technology and Applications (NIA).

The more sensitive the data are, the higher the security level of the document shredder should be to ensure data protection. You can find our guide to Security Levels here . At The Shredder Warehouse we recommend a minimum security level of P-4 to comply with GDPR.

VIEW ALL OUR P-4 SHREDDERS

The amount of data to be destroyed and other criteria should also be considered when purchasing a suitable shredder and it should be borne in mind that although P-4 is the minimum level we recommend for GDPR compliance, a higher level of security may be needed for your own specific application.

Please feel free to call our expert team for guidance on this - 01225 690700

Previous article Next article

Recover password

Create my account

What Shredder Do I Need to be GDPR Compliant?

Which data should be destroyed according to GDPR?

What are personal data?

What is best practice for GDPR compliant document shredding?

Which document shredders are GDPR compliant?