On 25 May 2018, the General Data Protection Regulation (GDPR) came into force, bringing a host of new rules governing the collection, storage and processing of all types of personal data belonging to citizens of the EU. This means that any business that holds the data of EU citizens must comply with the regulations. The GDPR made headlines thanks to the number of emails that individuals received as companies updated their mailing lists and sought consent, and there was also an overhaul of privacy and cookie settings on websites.
However, it is important to note that the GDPR was brought in to help manage the storage and handling of all types of personal data. One of the key factors in the GDPR rules is that companies must take a far more stringent approach to data breaches and the secure storage of information. Failing to do so can lead to the business being fined up to €20 million or four percent of the company’s global turnover (whichever is greater).
Inevitably this means that companies need to place a focus on preventing data from being stolen or lost. One of the most important ways to do this is through understanding how and where data is stored, and how it is destroyed. Here we look at some of the things you need to know in order to ensure that your approach to data destruction complies with the rules of the GDPR.
Review Where Your Data Lives – Don’t Overlook Physical Documents!
If you have not already done so, it is vital that you create a plan to ensure that you are correctly handling, storing and destroying data. The first step in this process is to take an overview of your whole operation so that you can completely understand how and where data is processed. You might assume that this is simple, but when you get down into the details you may find that it is far more complex than you imagined.
Firstly, you might assume that all of the data you hold is in files on an internal server. However, it is very likely that it also exists in a number of other places, including private devices that are not connected to the server (such as employees’ private laptops, tablets and phones). Data may also be printed and kept as paper copies, with no real process for the safe destruction of such data when it is no longer required. This can be a huge GDPR compliance issue. For instance, the Avis Budget Group had a large amount of paper documents that required digitalizing for compliance, and even at a rate of 150 pages per minute it took two weeks to go from paper to cloud storage. See the case study here.
1. Advice on Secure Document Destruction
For your next step, you need to create a paper document destruction policy and ensure that it is fully explained to staff, as well as emphasising why they must follow it. You could, for example, create a poster that can be put up in various places around the workplace that explains exactly how, when and why documents must be destroyed.
The policy should state that employees must dispose of documents and media in shredding receptacles where no one can gain access to the documents after they have been deposited. You can then bring in third-party document destruction specialists to destroy the documents. In most cases, such companies will offer a service where this is done on-site for the highest levels of security.
2. Is There a GDPR-Compliant Shred Size?
The GDPR does not set a specific size that documents need to be shredded to in order to comply with the regulation. However, if you work with a reputable document shredding business, they will have industrial-sized equipment that can handle the documents and shred them in accordance with standard rules and best practices. This is far preferable to wasting your own employees’ time feeding individual documents into a standard office paper shredder.
3. Choosing the Right Document Destruction Service
Take some time to research the document destruction company that you employ to carry out the work for you. Make sure that you fully understand their process and that they are honest and transparent with you. Ensure that you know where the waste is going, whether it is being destroyed on your site and, if not, where the documents are taken in order to be destroyed.
It is true that the GDPR covers far more than the destruction of physical documentation, as the rules apply to the storage of any kind of personal data. However, physical documents are often overlooked when attempting to achieve GDPR compliance, so it is important that you take the time to understand the processes that your business uses and to update them accordingly.
For more tips on how to comply with GDPR, check out our recent post: Lessons in Digital Transformation from a Data Protection Officer (DTO) Post-GDPR.
Note: This blog article was written by a guest contributor for the purpose of offering a wider variety of content for our readers. The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of GlobalSign.