Secure data destruction and Brexit

What changes are secure data destruction companies seeing as a result of GDPR? The British Security Industry Association explores

The British Security Industry Association (BSIA) prides itself on being able to represent members from various sections across the professional security landscape and being the kite-mark for quality and professionalism. Information destruction is one of the most vital security sectors especially with a nationwide focus on privacy and 2018’s introduction of GDPR.

So, what is secure IT disposal?
Mark Wilding, of Concept Management UK Ltd, said the demand for technology is speeding up the pace at which devices reach their end point. With this becoming a global issue, devices need to be responsibly recycled rather than disposed of due to data security and the WEEE Directive. Police Forces have similar issues, especially when dealing with their own personal data. Concept was created to aid police forces with adhering to new rules and environmental legislation. The company focusses on the 3Rs – Reduce, Recycle and Reuse in accordance with waste regulations.

Wilding defined Secure IT disposal as “Any situation where the data controller transfers custody of an IT asset to a third party for management or processing whether on a temporary or permanent basis.”

He added that threats to data security are not confined to the physical and technological, but also to asset disposal, which security policies frequently overlook. It is essential for secure disposal of data to prevent any data breaches and ICO fines. Furthermore, it is crucial for secure disposal service providers to be completely vetted to ensure that they have the necessary accreditations, licences and permits.

The effects of changes to data destruction, with the implementation of GDPR, have been recognised by BSIA members.

Don Robins, managing director of Printwaste Recycling & Shredding, and chairman of the BSIA ID Section, explains: “Data destruction and GDPR can be straight-forward. Destruction is the end of a life cycle for data—destroying paper documents or computer hard drives when you no longer need the data (on them) is what makes us all safe. Using a professional data destruction company under contract that provides you with a certificated destruction, thereby complying with GDPR, is your proof that losing confidential data is not a risk. Whilst it can be straight forward, data loss at the point of disposal is a serious issue—BSIA registered members (have the resources/equipment and) provide the guarantees that give you and your clients assurance that you are compliant with GDPR data disposal requirements.”

Jonathan Richardson, Russell Richardson & Sons Ltd, adds: “It’s often the most straightforward and simplest of methods that are the most effective and that’s certainly the case for data destruction. Physical destruction by shredding continues to be the fail-safe method in an era of tightened regulation and public awareness. Whilst cyber criminals have the potential to develop and find ways around other data security systems and data wiping software, once data is shredded, it’s gone. Since the introduction of GDPR, peace of mind when it comes to data destruction, and proof in the form of certification, has never been more important for organisations looking to protect their data and reputations.”

Protection procedures
B&M Secure Shredding has seen an increase in businesses wanting to include data destruction as part of their protection procedures. They adhere to BS EN15713: 2009 standards, giving customers confidence on adherence to legislation and BSIA guidelines.

Paul Curtis, Director B&M Secure Shredding, comments: “All paperwork within a business has the potential to contain personal information which is what GDPR legislation sets out to protect, but where GDPR doesn’t apply, it’s just great business sense to be cautious in ensuring that competitively sensitive information does not fall into the wrong hands. Securely shredding paperwork removes this risk. Momentum on fining those in breach of the legislation is growing and we urge companies not already shredding their confidential paperwork to look into compliant options as soon as possible.”

The team at Document & Data Shred Ltd noted how important it is for businesses to use an accredited company. The introduction of GDPR has recognised the need to dispose of private information to reduce fraud and the standard office shredders are not good enough. Why? Because most machines strip shred instead of cross shred documents. They said “GDPR compliance requires evidence that documents are securely destroyed; a certificate of destruction will document the date, time and details of shredding."

These new laws had a huge impact on Document and Data Shred Limited, a family business based in Reddish, Stockport providing their services throughout the North West. Greg Humphreys, managing director, witnessed the huge increase of paper coming through the door which lead Greg to make the decision to invest in a new machine to meet the industry’s needs, purchasing a Lindner Industrial shredder Micromat 2000 promising to shred seven tonnes per hour.

Ian Osbourne, Vice President UK & Ireland for Shred-it, said: “At Shred-it, we have spent the last two years advising and supporting businesses to improve their information security practices and help facilitate their compliance with the EU GDPR. The new regulation has been designed to increase the level of protection for individuals regarding how their personal data is stored, collected, processed and managed. However, we have noticed that many firms have struggled to identify what actually constitutes sensitive data and with increasing threats to data security and the changing business landscape, companies need to do more to ensure the protection of consumer data.

“Many believe the GDPR is mostly geared towards protecting online data from cyber criminals, meaning numerous businesses have failed to put measures in place to protect other types of data, namely physical. This is a concern and means that those confidential paper documents left on a desk, or even thrown in the bin, could land a company with large fines of up to €20 million, or four per cent of a company’s annual turnover, whichever is greater.”

Simon Franklin, managing director, Shred Station, adds: “Since the introduction of GDPR, we have seen a large increase in people asking for one-off shredding services. As more cases of GDPR violations appear in the news, organisations of all sizes are realising that there is a genuine need to have a paper trail for every single item of confidential data they hold. This includes everything from how data is collected, how it is stored, who it is accessed by, and, ultimately, to how it is destroyed. Retention periods only allow a certain amount of time until archived data must be disposed of. Because of this, many of our one-off customers contact us to have large quantities of their archived information destroyed responsibly.”

Paper Round, part of the BPR Group Europe Ltd, provide a security solution at their own secure shredding and data destruction facility as the GDPR era has made people more conscious of their personal data. They said “We guarantee not only a clear audit trail of data destruction but also that no e-waste ends up in developing countries jeopardising the health and wellbeing of millions of people. This is vital for us. Here at Paper Round we strongly believe that we can provide our clients with the best confidential services through BS EN 15713 while still ensuring an ethical approach to recycling.”