Document shredding: why you can’t afford to cut cornersBen Chambers, Regional Operations Manager at at Restore Datashred Ltd, outlines the legal framework for document destruction, and the consequences of mishandling sensitive information.

Caelia Quinault

In our modern-day data-driven economy, the way that data is handled is key to the way businesses and organisations are run, how individuals feel about their role and relevance in society, and how governments legislate.

In 2018, the General Data Protection Regulation (GDPR) was introduced across the EU, with ramifications for all sizes of enterprises, institutions, and organisations. The UK introduced the upgraded Data Protection Act (2018) to reflect and even enhance some of the GDPR’s statutes. This legislation is now called the UK GDPR.

The UK GDPR is built around a framework of seven principles:

– Lawfulness, fairness, and transparency
– Purpose limitation
– Data minimisation
– Accuracy
– Storage limitation
– Integrity and confidentiality (security)
– Accountability

These principles should inform every step of personal data acquisition and management (2-4), who is responsible at what stage (7), and includes when and how said data should be destroyed (5-6). There are new upgrades within these principles in response to the burgeoning use of AI, with the recognition that these parts of the law will need to be modified quite frequently.

As we can see, there are solid statutory building blocks in place for protecting the individual from abuses being perpetrated knowingly, and even unknowingly, by all manner of businesses. No matter what the size of your company, or the industry you are involved with, it is the law to comply with the data protection principles. Break these and there are consequences.

The consequences of mishandling sensitive information

UK GDPR is regulated by the Information Commissioner’s Office (ICO), and they have the power to cause some real damage should they find a business negligent or acting contrary to the law.

In the news over the past couple of weeks, for example, two energy businesses have been handed down fines of tens of thousands of pounds each for making unsolicited marketing calls to individuals named on the ‘do not call’ register; TikTok was fined £12.7 million for misusing children’s data, and county councils and police forces have received stiff rebukes for the way they have used public and witness data.

These penalties create a financial headache, a loss of reputation and a potential hit to the bottom line. If you’re a records or archive manager, facilities manager, office manager, data protection officer or any other role that has responsibility for data within a business – and that goes all the way up to the highest ranking executives  – it means you need to look after confidential information properly, all the way through to its destruction.

Is there such a thing as ‘improper’ document shredding?

Yes! Simply put, improper document shredding means enabling gaps in any end-of-life process for confidential waste paper or digital media, gaps that allow risk to creep in. Here are some of the ways that can happen:

  • Lack of a retention and disposal policy
  • No data protection policy or officer
  • Using an in-house shredder – this can be time consuming, slow and, if no one person oversees this job, runs the risk of documents stacking up until someone has time to deal with them, and may be allied with no system for confidential waste disposal
  • No secure waste stream in-house, so sensitive data can end up in the general rubbish or paper recycling streams and is vulnerable to being seen – or found by the unscrupulous
  • Sending documents to be recycled instead of shredded
  • Using unaccredited companies to destroy your documents.

How does ‘proper’ document shredding mitigate the risks?

Any reputable shredding company, like Restore Datashred, employs best practices for secure and compliant document shredding including:

  • Modern, secure collection and mobile-shredding vehicles, tracked by satellite and traffic management software, and driven by BS7858-cleared and trained operatives
  • Lockable bins and cabinets on your site to set up a secure – and separate – waste stream for confidential paper and digital media for destruction
  • 24-hour security and entry protocols at all destruction centres
  • Unbroken chain of custody backed by a digital audit trail
  • Certificate of destruction after each transaction
  • Accreditations worked towards, achieved, and maintained as part of a drive to meet and exceed standards at all times
  • A range of shredding services to suit offices, home/remote workers, high volume industries, quick turnover sectors, and occasional archive clear-outs alike
  • Tailored collections that suit you
  • And, although this is not strictly data protection and security, sending 100% of paper for recycling.

There are many good reasons not to cut corners when it comes to modern, responsible data protection. You may be pleasantly surprised that compliant document shredding is worth its weight in gold for the peace of mind it brings.