GDPR goes beyond digital

by Mark Rowe

Mark Harper, Head of Office Technology at the shredders and office machines company HSM, stresses the importance of remembering that GDPR goes beyond digital.

It has now been over six months since the General Data Protection Regulation (GDPR) came into effect in May. For some, this year has reinforced that the data security processes they have in place are in fact legitimate, but for many it has been a wake-up call. As stories continue to emerge of data related ‘slip ups’, it appears we’re still experiencing some GDPR teething problems. It is now more important than ever to reinforce the significance of protecting both digital and hard copies of confidential information in the correct way.

This applies to everyone. Those who are still unsure or have already been reprimanded for non-compliance need to rectify their efforts. Even the teams who are confident in their processes need to remain vigilant to ensure they don’t become complacent, reverting back to a lax view on data protection once more.

Negligence has already penalised so many, with one law firm claiming that there were 6,281 data breaches notified to the ICO in the first 40 days after GDPR went live.

It’s true that as we gravitate towards a digital document utopia, sufficient focus should fall on digital security. Organisations are failing to remain compliant in this area and are falling victim to heavy fines. International healthcare group Bupa was recently fined £175,000 by the Information Commissioner’s Office (ICO) after an employee was able to extract personal customer information and sell it on the dark web. Yet, as the ICO exclaims, we should be looking beyond passwords in order to meet these new data protection laws. It’s not enough for organisations to focus solely on digital practices. GDPR goes further than digital security. Paper copies remain part of our processes, which is why GDPR should instead be seen as a companywide adjustment for information security as a whole. Personal data can be misplaced and misused whether it is held in encrypted databases or on paper copies.

For busy HR departments, it’s no exaggeration that paper normally comes in stacks, all in the form of employee records, payrolls, contact information and even medical information, to name a few. One guide produced specifically for HR departments promotes the immediate disposal of non-compliant paperwork as one of the day-to-day changes data controllers should introduce. With this, shredding should be completed on site, as soon as a document is no longer needed. And for this, cross cut shredding is recommended as the best course of action. A simply implemented mantra of “Shred All”, “Shred Where You Work”, “Shred Now” and “Shred Little and Often” can be the real key to your organisation’s long-term paper document security.

Almost 10,000 patient records were lost or stolen from NHS trusts last year – leading to fines. These incidents happened within 68 trusts across the country, proving that this wasn’t just an anomaly. It would appear that the NHS, like many, was lacking accountability for its data security. To tighten patient security the NHS has since published a set of good practice guidelines with information on how to clear hard disk drives and how paper based information should be cross cut. As referenced in their guidelines, strip cut or low security shredding is no longer suitable in the effort to sustain compliance. Instead, data coordinators are asked to destroy documents containing patient identifiable data on site to a minimum of 4x15mm cross cut – which effectively means using a P-5 security level.

It’s also becoming more commonplace for organisations to have an active data protection officer, whether in a full or part-time role. While this isn’t a necessity, it is beneficial. Up until now, a lack of responsibility has contributed to the growing number of incidents that are leaving organisations with fines, such as with the NHS. Appointing someone to take responsibility is just the first step. Ensuring focus is split between both digital and hard copy data is the second. Not only should time and effort be put into bolstering cyber security but also other media types such as paper documents, which are instantly recognisable and highly portable.

However, with hard copies of information especially, some opt for the quick and easy options, which can be unfortunately counterproductive. Those that are commonly viewed as the cheaper options (outsourcing and substandard shredding products) can carry a heavy burden of insecurity and, while these solutions can seem to be an inexpensive resolution to your GDPR problems, they could cost more in the long run. As many have found out, outsourced shredding solutions are not always as secure as they claim, and cheaper shredding products are less reliable in the long run. This quick fix mentality is no longer suitable for keeping confidential information secure. Leading your security efforts with a view of obtaining the cheapest solution can land your organisation in hot water. Whether for digital or paper-based data, we can no longer afford for security to be a second thought.

Visit https://hsm.eu/.

© 2024 Professional Security Magazine. All rights reserved.
