Is secure off-site shredding a myth?

Is secure off-site shredding a myth?

With an increasing surge of activity from UK organisations towards GDPR security, questions are being raised on the effectiveness of available solutions. Whilst off-site shredding boasts convenience and cost efficiency, there can be underlying issues.

Mark Harper of HSM UK leads an investigation into the validity of claims made by off-site shredding services, versus the advantages of moving your shredding in-house.

Despite the activity surrounding GDPR, the UK government has been criticized by many for not making both the regulations and solutions clear enough.

So, as data protection officers across the UK make moves towards GDPR preparation there are questions consistently being raised concerning the most secure route to take in data protection.

In the midst of this confusion some are opting to outsource their shredding services – using third-party solutions that promise to deal with GDPR compliance away from the office.

However, with increasing emphasis on compliance, is the promised security of off-site shredding actually a myth?

A common misconception

At face value, off-site shredding services offer convenience. Placing your shredding responsibilities away from the office for a monthly cost removes the issue of having to do so in-house. Whilst this may seem the clear choice for some, can these services really be relied upon?

Despite the suggested convenience, inherent risks such as complete confidential documents sitting in consoles, often with basic locks for days or even weeks, multiple handlers, often very low security levels and external errors could all lead to that dreaded data breach fine.

Once paper documents containing private information are taken off-site, those confidential documents can be handled by multiple people as part of the process.

What’s more, you can’t be sure of the exact security level shredding services are shredding your confidential documents to. Many people think that their shredding service is shredding to a similar particle size as a cross cut office shredder, but often shredding trucks and off-site shredders will barely meet the lowest level P-1 DIN security standard. Can you confidently say that you know what size your paper is shredded to? The new GDPR coming into force in May this year states you should, as you are still responsible for the security of your confidential personal information even after you have handed it over to a contractor to shred. So, what can be done to ensure you meet GDPR compliance when using a shredding service? Chiefly, you should audit your shredding service provider periodically to ensure they are providing an appropriate level of security.

Thoughts also then turn to the likelihood of errors and/or accidents. Whilst there are mobile shredding trucks, many external shredding services will pick your documents up to then transport to a shredding depot. Through transportation your confidential documents are at risk of breach via accidents, loss, driver error or even theft.

To put it simply, control is completely taken away from your organisation. It is also fundamental to know that you still bear the full responsibility for the security of personal information on the documents you have handed over, even when handed over to an external shredding provider.

What’s more, most shredding service providers issue a “certificate of destruction” as a confirmation that documents have been destroyed. However, the certificate is meaningless – specific documents are not logged or individually tracked. It merley represents the fact that a large quantity of unspecified documents have been collected and destroyed to an unspecified standard –which offers no protection in the event of a data breach whatsoever.

However, when using an office shredder at P-4 or above you know the document has been securely destroyed beyond any reasonable doubt and there’s no need for a certificate to prove that this has been done successfully.

Shredding your profits

In addition to the aforementioned security risks, monthly costs spent on external shredding services can quickly add up. With the impending regulations likely to increase shredding output these monthly costs can negate the originally offered cost effectiveness.

As many organisations are finding out, using an in-house solution is considered a more financially viable answer to GDPR compliance. A shredder can be up to 80% cheaper to operate over 5 years compared to a third-party shredding service.

These savings aren’t only applicable for office-based organisations but they also apply to small and medium-sized-enterprises alike.

An NHS establishment, Frimley Park Hospital, found substantial savings when installing a large HSM in-house shredder-baler machine. The hospital recovered their capital investment on the installation for less than 12 months’ cost of their former shredding service contract, Over a 6 year period, they saved over 80% of costs which they would have otherwise incurred if they had retained their shredding service.

The hospital has also been able to generate income from the sale of their baled shredded paper waste. A secure investment, whilst also having the peace of mind knowing that confidential documents are safely and securely destroyed on-site.

Inner security

GDPR awareness is now a hot topic, so organisations looking to implement an in-house solution should look to take action now.

In the first instance, having a clear data protection and shredding policy throughout your organisation is one of the best ways to remain compliant. It’s advised for teams to shred little and often and to secure all confidential documents by implementing a clear desk policy. Staff should get into the habit or routinely shredding everything as soon as the document is no longer needed.

Staff awareness is one factor to not be forgotten. Employing a data protection officer is the right way to begin preparation but it’s imperative that company-wide awareness and training are not overlooked. All staff within an organisation must understand the risks of GDPR, including what is classified as personal and confidential documentation, how to handle and dispose of it, and what do when they suspect a data breach.

Whilst some may argue for the efficiency of third party shredding services, it’s much safer to ensure all staff are aware of GDPR and deal with it in the most appropriate ways internally. After all, using a shred on-site policy is classified as a more secure solution under the DIN 66399 standard than subcontracting.

It’s important to consider the added security of shredding in-house. Using an internal shredding solution gives you and your organisation full control, removing all possible liability issues that may come with subcontracting. Not to mention the beneficial factors of long term cost savings.

Dealing with GDPR internally means liability lies with you, and you only. Don’t compromise on security, maintain compliance internally.

 

Sources

http://www.computerweekly.com/news/252436566/UK-government-criticised-over-lack-of-GDPR-explanation

https://www.fhft.nhs.uk/your-hospitals/frimley-park/

 

Is secure off-site shredding a myth?