BLOG – GDPR and secure data destruction: how to protect your business


Did you know that, according to a recent report from the Ponemon Institute, 28% of data breaches are caused by employee error?

This might involve something as simple as leaving information on printers, not keeping data in locked cabinets, or hanging onto old hard drives.

This type of statistic should be particularly concerning as we come closer to the arrival of the General Data Protection Regulation (GDPR): a new EU legal framework that will come into effect on 25 May 2018. Many years in the making, the GDPR will be the first major step change in UK data protection legislation since 1998. The new regulation is an evolution of existing law, taking into account our digitised world and creating several new rights for individuals in relation to their personal data. The GDPR will also toughen up penalties for data breaches, which could now reach up to €20 million or 4% of a firm’s global turnover, whichever is greater.

Secure data destruction is a critical element of every data protection strategy. We take a look at how managing your confidential waste can protect your organisation from the financial, legal and reputational risk of a data breach.

Data security

Article 5 of the GDPR states that information must be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.

In simple terms, this means you must take steps to ensure that the personal data your company holds can’t be accessed by anyone who shouldn’t have access, that it is kept safe, and that it is destroyed in such a way that it can’t be put back together.

This reflects the Seventh Principle of the Data Protection Act 1998, so it is not a great surprise. But in terms of data destruction, there are two key differences under the GDPR:

  • Individuals now have a ‘right to be forgotten’ – except in certain exempt cases, people can ask an organisation to delete or destroy all information it holds about them;
  • Information may only be held for as long as necessary to deliver the purpose for which it was originally processed.

With potentially crippling penalties on the horizon, now is the time to take steps to ensure your data destruction process is fit for purpose.

What to do next

A good starting point is to carry out an audit of the types of personal data you process and how they are stored. Personal data is any “information relating to an identified or identifiable natural person” and could include invoices, quotes, emails, medical records, training documents, notebooks, post-its and more. Record how this information is held – is it on paper, electronic or cloud-based?

Consider whether your organisation would benefit from a data cleanse before GDPR comes into effect. If you have archived data waiting to be shredded, now is the time to tackle the backlog.

Work with your senior team to update your data destruction policy and train all staff to follow it. If you have a clear desk policy, ensure employees understand it fully. If you decide to take a ‘shred all’ approach to paperwork, ensure you have enough secure receptacles in convenient positions to encourage compliance.

Bringing in help

Shredding documents internally can be time-consuming and, of course, doesn’t take care of your electronic data such as hard drives, CD-ROMs and even the odd floppy disc you might still have. A third-party provider can ease the headache of secure data destruction, but there are a few key questions to ask to ensure your organisation is protected from risk:

  • Does the provider have a waste carrier licence?
  • What steps does the provider take to secure the data when it is removed from your premises?
  • Does the provider issue a certificate of destruction for your records?
  • Are the provider’s employees vetted and do they sign a confidentiality agreement?
  • Is the provider compliant with relevant standards such as EN15713?

Devon Contract Waste is licensed by the Environment Agency and offers secure data destruction under EN15713 (Secure Destruction). Our DBS-checked employees and secure vehicles ensure your data remains confidential until it is destroyed, when a certificate of destruction is issued.

When the GDPR comes into effect on 25 May 2018, organisations will be expected to be fully compliant immediately. For help ensuring that your data destruction is secure and compliant, contact us for a no-obligation quote today.