Demystifying GDPR to raise staff awareness

When it comes to the General Data Protection Regulation (GDPR), more and more businesses are opting to move towards internal shredding in a bid to maximise security levels. Mark Harper of HSM UK calls for business owners to educate staff in handling and destroying documents in preparation for GDPR, to aid organisational effectiveness and avoid possible repercussions.

Complacency is one of the biggest mistakes business owners can make, yet most of us choose to put off big decisions rather than deal with them straight away. It’s human nature.

For many, however, a lack of preparation for GDPR comes down to a lack of awareness of what will be required, or worse – indifference. That said, a report from January of this year shows that only 38 per cent of businesses have heard of GDPR. Of that figure, only 27 per cent say they have made changes to how they operate.

With many businesses opting to swap from external shredding services to internal shredding when it comes to handling sensitive documents, raising staff awareness is crucial to remaining compliant.

Preparing now for later

Choosing to invest in an in-house shredding solution allows organisations to take control of the timeliness and appropriate security level of document destruction, and can also be notably cost effective.

As a business owner, the appropriate staff training in accessing, handling, storage and destruction of personal data should be an integral part of any GDPR compliance plan.

Staff should have a clear understanding of what constitutes personal and sensitive personal data. In addition, staff should know how to handle data and ultimately how to destroy it securely at the correct security level, rendering it harmless.

Part of GDPR preparations should entail staff education on all types of documents that should be destroyed immediately on-site, rather than by external parties with the potential uncertainties that come with that.

What are confidential documents?

Many businesses do not pay sufficient attention to securely handling confidential paper waste. Yet if staff had a clear-cut idea of what classifies as confidential documents, they would at least be more conscious of how they’re handling and disposing of different data.

For the sake of ease, you can effectively narrow down the different types of confidential documents into three categories:

  • Personal data: customer orders, delivery notes, invoices
  • Sensitive data: HR records, medical information
  • Commercially confidential data: financial documents, business strategy and policy, product and patented information

These are the documents that staff should recognise as potential data threats which they should shred as second nature.

Which leads us onto the shredding policy…

Better safe than sorry

For the avoidance of doubt, staff should get into the habit of shredding all documents, all the time, as soon as they are no longer required. Shredding documents with the right equipment should be quick and easy and could save you from the worry of a potential data breach.

Many organisations preparing for GDPR are now implementing a “shred all policy” as a matter of routine. Indeed, some best practice examples are where all waste paper bins are removed and any paper that would previously have been thrown in a bin is now shredded. Clear desk policies can also help with GDPR – ensuring that potentially sensitive information is locked away out of sight of visitors and third parties in your offices.

Staff should be encouraged to shred everything, little and often. That way, it becomes a part of their routine and it avoids confusion about which documents to dispose of. The average working document can be dropped into an office shredder and is rendered harmless in just a few seconds. Working like this also prevents the build-up of a huge insecure pile of shredding which everyone dreads being sent off to shred.

If there are departments that have large amounts of shredding, for instance when clearing archives, then a suitable large departmental shredder can shred up to 40 sheets securely in less than 5 seconds, making light work of even the largest pile of documents.

The bottom line

Early last year, only 28.7 per cent of respondents to IT Governance’s EU GDPR Report said they had allocated a budget for providing staff awareness training. Preparing for GDPR isn’t a one-size-fits-all process, so proper staff training should be a priority and certainly not overlooked.

Businesses may have to implement minor or major process changes to prepare for GDPR depending on the company’s current practices and procedures when it comes to processing personal documents. However, having a policy for destroying internal documents and putting small or simple changes into place now can help towards GDPR compliance and save you the trouble later.

Sources

https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/675620/Cyber_Security_Breaches_Survey_2018_-_Preparations_for_the_new_Data_Protection_Act.pdf

https://uk.hsm.eu/media/content__hsm_global/data_protection/hsm_gdpr.pdf

https://www.itgovernance.co.uk/blog/many-companies-still-havent-allocated-a-gdpr-staff-awareness-budget/