Why I need to Shred – Shredding Company or In-House?

Why do I need to Shred Data?

On 25 May 2018 a new law took effect, the General Data Protection Regulation (GDPR), and it affects businesses of all shapes and sizes.

All businesses, Irish or international, generate and process data through their operations. That data has to be created, managed and ultimately destroyed (for example through a paper shredding service, in-house shredding and/or a hard-drive shredding service).

The GDPR distinguishes two main categories of data:

Personal Data (information that can directly or indirectly identify a living person, such as a name, phone number, address, email address or customer reference).

Special Category Personal Data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and data concerning health, genetics, biometrics, sex life or sexual orientation). Data on criminal convictions and offences is not a special category as such, but it is covered by its own, similarly strict, provision of the GDPR.

Each category carries its own requirements for processing, so it is important to know which category you are processing before you decide how to store, share or destroy it.

Enforcement Authority

Each EU member state has an independent public authority responsible for enforcing the regulation. In Ireland this is the Data Protection Commission.

The GDPR harmonised the rules on how data is to be managed in order to protect individuals. That management covers the whole lifecycle, from the gathering or creation of the data through to its final destruction or disposal, whether through a paper shredding service or an IT asset disposal service.


There are serious consequences if a business does not meet the GDPR requirements. These range from a warning or reprimand up to an administrative fine of as much as 4% of annual global turnover or €20 million, whichever is higher. Compliance is essential.

Shredding Service Industry Associations

There are many industry associations around the world that shredding companies can join. Membership gives customers some assurance, because the association sets guidelines that its members must follow in order to remain compliant with national and international legislation.

Length of Time Storing Data Prior to Secure Shredding / Data Erasure

Personal data must be kept for no longer than necessary. Consider why your company needs to store the data: is there a legal obligation, and for how long? Put a system in place that sets a retention time limit for each type of record, schedules periodic reviews, and corrects or removes out-of-date information.

To summarise, you need to shred or otherwise destroy out-of-date records, files and documents because the law requires it. To be fully compliant it is invaluable to use a quality certified destruction service that will not only ensure all data is eradicated but will also provide a certificate of destruction for your records. That certificate is invaluable when proving that your business is fulfilling its obligations under the GDPR.

The law is reason enough to shred on its own, but how do businesses know which service best suits them? In upcoming blog posts I will discuss the different types of shredding, what makes the shredding company you choose legally compliant, and whether onsite or offsite shredding would work best for you.

For Further info – please contact the team at Security in Shredding info@securityinshredding.com

Irish Companies must do more to protect themselves

In 2015 the Irish Computer Society carried out a nationwide survey to gauge data protection professionals' opinions on the state of data protection in Irish organisations.


Results

The results show that of the 150 companies who took part in the survey, 15% had no data retention or destruction policy in place. This places those organisations at severe risk of non-compliance with the GDPR, which came into force in May 2018. Another significant result was that companies attributed 45% of all data breaches to employee negligence. Employee negligence can result in significant fines for organisations that fail to have adequate procedures in place to manage data protection and the secure destruction of paper records and IT equipment once the information has reached the end of its retention period.

Data Retention

In line with the Data Protection Acts, all data controllers are required to retain personal data for no longer than is necessary for the purpose for which it was collected. With that in mind, an accurate retention policy covering every class of documentation lets a company keep track of its different legal requirements. Where there is no policy in place, companies run the risk of losing data, of storing paper and digital files longer than necessary, of suffering information security breaches, and of breaking the Data Protection Acts.

Data Destruction

The Data Protection Act places responsibility for the safe disposal and destruction of information on the company that holds it. Secure destruction falls under the remit of the data controller, and it is the controller's responsibility to ensure that its disposal practices, including those of any contractor it uses, are compliant. If a company intends to hold customer information in order to offer those customers further services in the future, it must have a lawful basis for keeping it, which in practice usually means seeking the customer's consent.

Employee negligence

Employees with a grudge are responsible for some breaches; however, many more are due to employee negligence, whether by ignoring a warning, not following proper procedures, or simple human error. Employee breaches fall into three categories:

  1. Innocent actions: wrongly addressed letters, misplaced mobile phones.

  2. Careless or negligent: ignoring warnings that flash up on the computer screen, or releasing information, whether on paper or on IT equipment, to a non-compliant individual or organisation for processing.

  3. Malicious: the deliberate distribution of sensitive information to a third party.

Innocent Data Breach Example

In 2016 the American Federal Deposit Insurance Corporation (FDIC) experienced an innocent data breach through a former employee. The employee in question, "inadvertently and without malicious intent", downloaded a series of confidential documents containing client and commercial information and saved them to a portable storage device. Scenarios such as this show why businesses, large and small, need detailed data protection procedures in place. Those procedures establish compliant methods for processing, storing and securely disposing of the data under the company's control, and give management confidence that their systems and practices are fully compliant.

Careless/negligent

Carelessness is a risk that is difficult for management to control. The best approach is to focus on what can be controlled: educating employees and establishing effective monitoring procedures are two factors firmly within management's reach.

An example of effective education and monitoring is to install secure console units (locked bins) throughout the office and introduce a procedure instructing every employee to place all waste paper containing data in the consoles provided, never in general waste.


At the end of each week, spot-check the remaining general waste bins for paper containing data. Continue this for a number of weeks, highlighting any non-compliance to all staff, applying disciplinary procedures where necessary, and monitoring for improvement until 100% compliance is reached.

Malicious

Like human error, malicious behaviour is extremely difficult, and sometimes impossible, to prevent. The best way to prepare your organisation is to review all employment and HR guidelines and clearly set out the organisation's stance on malicious behaviour. Where evidence of the behaviour has been recorded, this can lead to the criminal prosecution of the employee concerned.

Conclusion

With the introduction of the GDPR, data protection has become one of the most relevant and important compliance areas for organisations to review and, where necessary, correct. Lack of preparation may result in penalties under the GDPR severe enough to end a business, a risk that simply cannot and should not be taken. A review may seem daunting, but the resulting protection far outweighs the work of completing it.

Fail to prepare, prepare to fail!

If you would like to receive any further information upon the GDPR and how to become compliant, please contact the team at Security in Shredding.

Data Protection Commissioner opens new Dublin Office

With the General Data Protection Regulation (GDPR) due to take effect in May 2018, the expansion of the Data Protection Commissioner's Office (DPCO) is a welcome development for Ireland and for Irish companies.

The expansion was made possible by additional funding secured in the 2017 budget. With the significant increase in fines and penalties for non-compliance under the GDPR, making sure your organisation is compliant is essential.

Guidance to achieve compliance

To date, the DPCO has released guidance documents to help individuals and organisations understand the legislative requirements. From records management and data access requests through to certified paper shredding, all organisations will need to review their practices.

Given the number of global technology organisations with operations in Ireland, alongside indigenous Irish companies, the role and workload of the DPCO has grown to a worldwide scale.

The GDPR is a game changer in Ireland and across Europe. "It is a law that is going to lead the standard for data protection globally," said Helen Dixon, the Data Protection Commissioner, at the opening of the DPCO in Fitzwilliam Square, Dublin. She added: "It will include key new rights to better control for users of their personal data, and imposes corresponding obligations on organisations that collect data." This covers digital data processed and stored on data carriers as well as physical data printed and stored on paper. End-of-life data, in both paper and digital form, should be disposed of appropriately, for example through a confidential shredding company.

Data Protection Officer appointment


One of the many new requirements under the GDPR is the appointment of a Data Protection Officer (DPO). The requirement applies to specific organisations, namely:

  • Public bodies and authorities (excluding courts acting in their judicial capacity)
  • Organisations whose core activities consist of regular and systematic monitoring of individuals on a large scale
  • Organisations whose core activities consist of large-scale processing of special category data or of data relating to criminal convictions and offences

The Data Protection Officer is required to have a full understanding of the risks associated with the organisation's processing activities. The GDPR clearly defines the DPO's role as an independent one: the DPO cannot receive instructions on how to carry out their tasks, and cannot be dismissed or penalised for performing them.

Data Protection Officer Independence & Knowledge

Staff training on data protection is the responsibility of the Data Protection Officer, in addition to providing expert advice on data protection impact assessments. A newly appointed DPO can also take on additional tasks if required, provided that those tasks create no conflict of interest with their GDPR compliance role.

For further information on the GDPR and/or any data protection guidance, please contact the team here at Security in Shredding.