With an increasing surge of activity from UK organisations towards GDPR security, questions are being raised about the effectiveness of shredding solutions. Mark Harper, Head of Sales at HSM UK, investigates the validity of claims made by off-site shredding services versus the advantages of moving your shredding in-house.
As data protection officers across the UK make moves towards GDPR preparation, questions are consistently being raised concerning the most secure route to take in data protection. In the midst of this confusion, some are opting to outsource their shredding, using third-party solutions that promise to deal with GDPR compliance away from the office. However, with increasing emphasis on compliance, is the promised security of off-site shredding actually a myth?
A common misconception
At face value, off-site shredding services offer convenience. Despite this, inherent risks could all lead to that dreaded data breach fine: complete confidential documents sitting in consoles, often with basic locks, for days or even weeks; multiple handlers; often very low security levels; and external errors.
Once paper documents containing private information are taken off-site, those confidential documents can be handled by multiple people as part of the process. What’s more, you can’t be sure of the exact security level shredding services are shredding your confidential documents to. Many people think that their shredding service is shredding to a similar particle size as a cross-cut office shredder, but often shredding trucks and off-site shredders will barely meet the lowest-level P-1 DIN security standard. Can you confidently say that you know what size your paper is shredded to?
The new GDPR coming into force in May this year states you should, as you are still responsible for the security of your confidential personal information even after you have handed it over to a contractor to shred. So, what can be done to ensure you meet GDPR compliance when using a shredding service? Chiefly, you should audit your shredding service provider periodically to ensure they are providing an appropriate level of security.
It is also fundamental to know that you still bear the full responsibility for the security of personal information on the documents you have handed over, even when they go to an external shredding provider. What’s more, a shredding service provider’s ‘certificate of destruction’ merely represents the fact that a large quantity of unspecified documents has been collected and destroyed to an unspecified standard, which offers no protection whatsoever in the event of a data breach.
However, when using an office shredder at P-4 or above you know the document has been securely destroyed beyond any reasonable doubt and there’s no need for a certificate to prove that this has been done successfully.
Shredding your profits
Monthly costs spent on external shredding services can quickly add up. As many organisations are finding out, using an in-house solution is considered a more financially viable answer to GDPR compliance. A shredder can be up to 80 per cent cheaper to operate over five years compared to a third-party shredding service.
These savings aren’t only applicable to office-based organisations; they also apply to small and medium-sized enterprises.
Having a clear data protection and shredding policy throughout your organisation is one of the best ways to remain GDPR compliant. It’s advised for teams to shred little and often and to secure all confidential documents by implementing a clear desk policy.
Staff awareness is one factor not to be forgotten. Employing a data protection officer is the right way to begin preparation, but it’s imperative that company-wide awareness and training are not overlooked.
Whilst some may argue for the efficiency of third-party shredding services, it’s much safer to ensure all staff are aware of GDPR and deal with it in the most appropriate ways internally. It’s important to consider the added security of shredding in-house. Using an internal shredding solution gives you and your organisation full control, removing all possible liability issues that may come with subcontracting, not to mention the benefit of long-term cost savings.
Dealing with GDPR internally means liability lies with you, and you only. Don’t compromise on security; maintain compliance internally.