Summary: Data shredding should be one of the key components of an organisation’s plan for remaining GDPR compliant.
My personal thoughts after listening to C-level executives at the CxO Roundtable Series sponsored by Intel, IBM, HyTrust & ReedSmith. For an invite, please reach out to me.
According to an IBM survey of 1,500 business leaders, 76% of respondents see the GDPR as a chance to create new business opportunities through improved data practices with clients, yet only 36% expect to be fully compliant with GDPR rules. These are worrisome percentages when you consider the immediacy of the regulation. At a time when privacy and consumer awareness are at an all-time high, the GDPR figures to be the most disruptive force ever in privacy and security models.
With the GDPR taking effect on Friday, May 25th, organizations that haven’t thought about compliance with the regulation may need to consider drastic options. The regulation applies to electronic data (like emails and databases) and hard copy files (like paper, SIM cards, and other media). Compliance is mandatory so long as this information is kept by the organization. However, data shredding is an option. According to an International Data Sanitization Consortium report analyzing Article 1, Section 17 and Article 13, organizations must provide adequate proof of proper data erasure and must be able to track the location of data from the time it becomes available for erasure until it is destroyed, a record also known as a chain of custody.
While verified shredding processes are an extreme option that may have detrimental effects on a business, this tactic has been used before. For example, British pub giant Wetherspoons decided that, rather than obtaining consent for all the email addresses it had collected over the years, it would take a sledgehammer to the problem and delete its vast email database. Destroying data in this manner, by the organization itself, may be looked upon as convenient, but under the GDPR the very act of destroying data causes the regulation to take effect. In a simple twist, shredding classifies the organization as a data processor, since it is handling personal data, albeit that of its own customers.
As a data processor, a secure chain of custody is of the utmost importance, so the best option would be to outsource this job. Using an ISO 27001 accredited shredding company will ensure your confidential data shredding processes are compliant with the GDPR and the Data Protection Act. Shredding at the highest DIN security levels, and shredding on-site, ensures the shortest chain of custody and significantly reduces the risk of a data breach. Additionally, for complete data destruction that can be verified by both parties, obtain a certificate of destruction to complete the data audit trail.
For data destruction, you can set up a regular schedule with a GDPR-compliant secure data destruction provider to ensure hard data is shredded in a timely, secure manner. There may be other options that arise in short order. In the EU, there are public and private organizations working together to help eliminate reputational and regulatory risk. DiskShred, Ireland’s leading on-site shredding provider, in association with the Irish Security Industry Association (ISIA), local enterprise boards and councils, is promoting the secure destruction of information assets through public shredding events while also educating businesses on correct GDPR compliance.
Organizations are taking advantage of the GDPR to improve their business operations, customer relationships and data privacy, but there are still some who believe that compliance may not be mandatory. However, for many, the solution has been simple: shred. According to the IBM survey, 70% of organizations say they are disposing of data in advance of the GDPR, and 80% are reducing the amount of personal data they plan to keep.