All potentially sensitive information of both a personal and business nature should be disposed of securely to avoid the risk of corporate fraud, identity fraud, industrial espionage and even international espionage – for example, if you are a contractor or supplier to the government, MOD, NATO, etc. Despite a great deal of publicity and adverse headlines, many organisations and individuals still throw out confidential documents without thinking of the potential consequences should the files end up in the wrong hands. Since the Data Protection Act was passed in 1998, companies have been obliged to protect hard copies of information on individuals or organisations that could put that person or organisation at risk should the information become public knowledge. The General Data Protection Regulation (GDPR) of 2018 further increased the responsibility of businesses and organisations to protect the personal data of UK and EU citizens.
How does the General Data Protection Regulation (GDPR) relate to shredders and shredding?
A new data privacy law came into effect in May 2018. It’s called the EU General Data Protection Regulation (GDPR) and is a complete overhaul of the legal requirements which must be met by anyone involved in handling personal data of UK and EU citizens. The aim of the regulation is to give citizens greater control over what can be done with their personal data by businesses. This will be enforced by large fines – up to £17.5 million or 4% of a company’s global turnover – for non-compliance.
The regulation must be observed by any organisation employing over 250 people. This implies that many small businesses will be exempt. But that’s not true. A business of any size must comply if it’s involved in regular ‘processing’ of certain categories of personal data, which includes collecting and storing as well as using personal data.
The remit extends to paper-based as well as electronic data, with around 40% of non-compliance estimated to come from paper-based practices*. All businesses should support a paper security policy – including shredding facilities.
Full compliance will be important because the powers of the directive extend beyond the borders of Europe and apply to any business which handles EU citizen data, whether or not the business is based in the EU.
Paper data breaches. How they happen and how to avoid them. The facts.
GDPR requires organisations to apply sound security practices to all electronic and paper-based personal data with respect to its collection, storage, access and disposal. Part of the requirement is to put plans in place for what should happen in the event of a breach. Whilst electronic data security has been prioritised by many organisations for many years, the security of paper-based personal data is often neglected or overlooked. Statistics indicate that around 40% of data breaches may be paper-based.
In recent research, one quarter of employees admit to not shredding confidential information whilst two thirds of respondents said that managing the risks associated with paper records was a top concern for them**. Indeed, only 27% of companies surveyed reported policies for the safe security, storage and disposal of confidential personal information**.
This puts organisations at risk of non-compliance and data subjects at risk of fraud and identity theft.
Paperwork still accounts for many common security breaches. According to the UK’s data protection regulator, the Information Commissioner’s Office (ICO), 40% of the 598 data security incidents recorded between July and September 2016 were attributable to paper breaches. These included loss or theft of paperwork (14%), paperwork posted or faxed to the wrong recipient (19%), data left in an insecure location (4%) and insecure disposal of paper (3%).
Introducing clear rules about the use of paper documents containing information about an identifiable person and their personal data (defining what is ‘personal’), and then a process for the correct shredding of documents based on the sensitivity of the data they contain, is the first step towards compliance.
A clear and firm document shredding policy is required, supported by a robust GDPR compliance process.
* Source: Beyond good intentions: The need to move from intention to action to manage information risk in the mid-market, PwC report in conjunction with Iron Mountain, June 2014.
** 2014 PwC report in conjunction with records management company Iron Mountain, surveying European mid-market companies on their perception and management of information risk.
Examples of business documents that should be shredded include:
• Human Resources - Salary details, personal data, restructuring plans, pension records, banking details.
• Sales and Marketing - Sales forecasts, customer data, competitor information, new product development.
• Production - New tooling, drawings, costing, work schedules.
• Reception - Visitor information, staff movements.
• Photocopier/Printer/Fax - Surplus or incorrectly reproduced sensitive documents should be shredded to reduce the security risk.
Personal documents that should be shredded include:
• Financial - Bank statements, phone bills, and utility bills.
• Personal - Letters and envelopes, any correspondence that may contain personal/address information.
It is also a good idea to ensure that old CDs which may contain sensitive information, and credit cards, are shredded too.
Use this handy guide to help you make the right choice of shredder for your specific needs. Asking yourself these questions will help to ensure that the machine you purchase best suits your requirements. Make sure you take into consideration all the aspects shown. Alternatively of course, you can call one of our advisers at standard rates on 0844 800 9928 for assistance.
How would you best describe your daily usage?
Light - Medium Duty: Up to 150 sheets per day. A Small Office machine should be adequate for your needs.
Medium Duty: Up to 400 sheets per day. A Departmental shredder would be best suited to your needs.
Heavy Duty: 400 sheets or more per day. A Heavy Duty machine is strongly recommended for this level.
How sensitive or confidential is your waste?
There are two types of cut available from our range of shredders: strip cut or cross cut (also known as confetti cut). The more confidential your waste, the smaller the pieces/particles it should be shredded into. If security is important to you, opt for a cross cut machine. If your material is of a highly sensitive or top-secret nature then go for one of our High Security machines. More guidance on this topic can be found on our page: Which Security Level?
Will you need to destroy CDs, DVDs or floppy disks?
If so, you should consider one of the machines in our Multimedia section.
How much waste capacity do you need?
If you are a medium or heavy-duty user you should especially bear in mind the bin capacity of your shredder. The bigger the capacity, the less often it will need emptying. Remember in particular that strip cut waste typically takes up three times more space than cross cut, so if you don't want to have to empty your machine frequently, go for the biggest bin possible and opt for cross cut if you can.
What width of paper do you need to shred?
All the shredders on our site will cope with A4 paper as a minimum, but if you need to shred A3 paper on a frequent basis, or perhaps you produce printouts on wide format computer paper that need shredding, then you should look for a machine with a minimum feed width of 300mm. A shred width of 300mm or more can also increase productivity when shredding A4 paper, as this size can then be shredded in landscape (across its long edge), which reduces the time taken for a sheet to pass through the machine.
Why Oil Your Shredder?
All paper shredders need shredder oil to continue to function properly. It is very common for paper dust to build up inside the cutting assembly. Over time, this sediment can become packed together like cement. Oil serves to soften this packed dust, which allows the movement of the cutting head. The proper movement of this head will push the dust out of the paper shredder. The finer the cut the paper shredder makes, the more oil it will need. Small particle cut shredders and high security specification machines require a lot of oil.
Paper shredders, as with all electromechanical equipment, will not operate efficiently unless they are properly maintained. Periodic oiling is necessary to allow the shredder to operate at maximum efficiency. Frequency of oiling will vary greatly with the volume of use and the shred size. A shredder with a 5.8mm shred width used only 1 to 2 hours per week will only require a weekly oiling. A crosscut shredder, however, should be oiled every 1/2 hour of shredding time.
The procedure for oiling a shredding machine is very simple and can be done by any operator. The oil is either packaged in a squeeze bottle or in pre-impregnated sheets. Always switch the machine off at the mains point before applying liquid oil. Oil from a squeeze bottle can be applied directly onto the cutting head in a fine stream. This is done through the paper entry throat. Take 1-2 seconds to oil from one side of the opening to the other. Run the machine in reverse for about 10-15 seconds to allow the oil to transfer to all parts of the cutting head. The final step is to shred a few sheets of paper to remove any excess oil. Alternatively, impregnated shredder oil sheets can be shredded like an ordinary sheet of paper to apply the oil.
Some shredders come equipped with an oil reservoir and apply the oil to the cutters automatically as it is needed. This reservoir should be topped up as and when necessary from a squeeze bottle.
Shredder oil is the only lubricant which should be used on your shredder. Shredder oil is a special formulation which leaves no residue on the cutters. Other oils will attract paper dust and in turn clog the cutting head.