All potentially sensitive information of both a personal and business nature should be disposed of securely to avoid the risk of corporate fraud, identity fraud, industrial espionage and even international espionage – for example, if you are a contractor or supplier to the government, MOD, NATO, etc. Despite a great deal of publicity and adverse headlines, even now, many organisations and individuals still throw out confidential documents without thinking of the potential consequences should the files end up in the wrong hands. Since the Data Protection Act was passed in 1998, companies are obliged to destroy hard copies of information on individuals or organisations that could put that person or organisation at risk should the information become public knowledge.
For a detailed look at why shredding paperwork and other media is crucial, read our blog post on this topic here.
General Data Protection Regulation (GDPR) & Shredders
A new data privacy law came into effect in May 2018. It’s called the EU General Data Protection Regulation (GDPR) and was a complete overhaul of the legal requirements which must be met by anyone involved in handling personal data of UK and EU citizens. The aim of the regulation is to give citizens greater control over what can be done with their personal data by businesses. This will be enforced by large fines – up to £17.5 million or 4% of a company’s global turnover – for non-compliance.
A business of any size must comply if it’s involved in regular ‘processing’ of certain categories of personal data, which includes collecting and storing as well as using personal data.
The remit extends to paper-based as well as electronic data, with around 40% of non-compliance estimated to come from paper-based practices*. All businesses should support a paper security policy – including shredding facilities.
Full compliance will be important because the powers of the regulation extend beyond the borders of Europe and apply to any business which handles EU citizen data, whether or not the business is based in the EU.
Paper data breaches. How they happen and how to avoid them. The facts.
GDPR requires that organisations apply sound security practices to all electronic and paper-based personal data with respect to its collection, storage, access and disposal. Part of the requirement is to put plans in place for what should happen in the event of a breach. Whilst electronic data security has been prioritised by many organisations for many years, the security of paper-based personal data is often neglected or overlooked. Statistics indicate that around 40% of data breaches may be paper-based.
In recent research, one quarter of employees admit to not shredding confidential information whilst two thirds of respondents said that managing the risks associated with paper records was a top concern for them**. Indeed, only 27% of companies surveyed reported policies for the safe security, storage and disposal of confidential personal information**.
This puts organisations at risk of non-compliance and data subjects at risk of fraud and identity theft.
Paperwork still accounts for many common security breaches. According to the UK’s data protection regulator, the Information Commissioner’s Office (ICO), 40% of the 598 data security incidents recorded between July and September 2016 were attributable to paper breaches. These included loss or theft of paperwork (14%), paperwork posted or faxed to the wrong recipient (19%), data left in an insecure location (4%) and insecure disposal of paper (3%).
Introducing clear rules about the use of paper documents containing information about an identifiable person and their personal data – defining what is ‘personal’ – and then the process for correct shredding of documents – based on the sensitivity of the data contained – is the first step towards compliance.
A clear and firm document shredding policy is required, supported by a robust GDPR compliance process.
* Source: Beyond good intentions: The need to move from intention to action to manage information risk in the mid-market, PwC report in conjunction with Iron Mountain, June 2014.
** 2014 PwC report in conjunction with records management company Iron Mountain, surveying European mid-market companies on their perception and management of information risk.
Examples of business documents that should be shredded include:
• Human Resources – Salary details, personal data, restructuring plans, pension records, banking details.
• Sales and Marketing – Sales forecasts, customer data, competitor information, new product development.
• Production – New tooling, drawings, costing, work schedules.
• Reception – Visitor information, staff movements.
• Photocopier/Printer/Fax – Surplus or incorrectly reproduced sensitive documents should be shredded to reduce the security risk.
Personal documents that should be shredded include:
• Financial – Bank statements, phone bills, and utility bills.
• Personal – Letters & envelopes, any correspondence that may contain personal/address information.
It is also a good idea to ensure that old CDs which may contain sensitive information, and expired credit cards, are shredded too.
How sensitive or confidential is your waste?
There are two types of cut available from our range of shredders: strip cut or cross cut (also known as confetti cut). The more confidential your waste, the smaller the pieces/particles it should be shredded into. If security is important to you, opt for a cross cut machine. If your material is of a highly sensitive or top-secret nature, then go for one of our High Security machines. More guidance on this topic can be found on our page: Which Security Level?