Is the UK choosing the correct GDPR solution?

 

The change in data protection is almost here. With GDPR introducing new regulations in May, many businesses have now started to make the necessary strides towards compliance. However, questions can be raised as to whether or not UK businesses are preparing in the right way. This uncertainty could lead to compliance issues in May when data protection rules change. It’s time for the UK to educate itself. Every organisation in the UK should now be making preparations for GDPR, if they haven’t already done so. Research in November 2017 recorded that only 1 in 5 large businesses in the UK were ready for GDPR at the time.

At first glimpse of this figure, an initial ‘panic-stricken’ reaction is justified. However, what must be considered is the amount of time it takes organisations to put their processes in place. Businesses aren’t necessarily just sitting idly by waiting for May to come around. And if they are, they’re likely to be in trouble when the time comes. At the time of the aforementioned report it was documented that 4 in 10 businesses had a detailed GDPR compliance plan in place. This figure is likely to have increased as we enter 2018 with businesses continuing to put processes in place, such as internal shredding, to defend themselves.

Starting with the best form of defence

Shredding should be one of the key components of an organisation’s plan for remaining GDPR compliant. However, many organisations are still under the impression that external shredding services may be their best option, which isn’t the case. Subcontracting is seemingly the easy option for some, with shredding being taken off-site for someone else to deal with. Yet what are commonly forgotten are the question marks over off-site cost effectiveness and security levels.

Investing in an in-house shredder removes those questions about cost effectiveness and the security levels of your shredding. An in-house solution can be up to 80% cheaper to operate over a five-year period compared to a third-party shredding service.

Not only this, but your organisation then has the peace of mind knowing that you’re shredding at a level that keeps your data secure. In-house shredding means your confidential information is destroyed immediately, rather than sitting around, complete, in sacks or consoles that can be easily accessed for days or even weeks. All positives then, but first, you must identify your required shredding security level – classified by a DIN level scale.

DIN 66399 security levels – better to be safe than sorry

As organisations begin to move towards a shred-on-site system, DIN security levels can no longer be ignored. A way of defining the different types of cut, DIN levels help determine the appropriate security level for your requirements.

DIN security levels range from P-1 to P-7, with security level P-1 recommended for ensuring low-level documents (such as out-of-date brochures) are illegible and level P-7 being classed as military-grade protection which turns paper into the tiniest of particles.

Generally, HSM recommend most organisations use a minimum security level of P-4 for general office shredding to ensure protection from potential breaches. However, there’s an increase in organisations choosing the higher P-5 security level for departments such as HR and Finance, where highly confidential personal and commercial information is handled.

However, this isn’t always the case for each user. View HSM’s essential GDPR guide to data protection and recommended security levels for a further understanding of the security levels on offer.

Organisations must begin GDPR protection by defining a security level that keeps them protected.

Selecting the right shredder

Determining the correct security level is just the first step when choosing your shredder.

The person involved in GDPR for your organisation, such as a data protection officer, needs to consider the appropriate security level, whereas facilities managers will need to consider other practical factors. What size paper will you be putting into your shredder: A4, A3 or wide computer-fed paper? How many pieces of paper will it need to shred in one pass? What size shredder is going to be most suitable based on the space available?

Bin volume must also be considered. Ideally your shredder should only need to be emptied once a day. An approximate measure is that 100 sheets of A4 paper shredded at a P-4 DIN level will typically take up around 8 litres of space. If you think your daily shred volume is around 1,000 sheets per day, your organisation will be better suited to a shredder with a bin size of at least 80-100 litres.

Additionally, key decision makers will need to know if a shredder is likely to be used for long periods of time. If so, it will need a continuous run motor, which removes the frustration of your shredder overheating half-way through a job.

Essentially, offices should make a realistic estimate of the amount of use a shredder will have and consider the best solution before making the final decision.

Prepare now, save tomorrow.

The need to prepare for GDPR is vital and investing in a shredder is the right move for many UK organisations. Shredding with a well-designed in-house solution allows you the peace of mind of knowing that you’re shredding documents at the required level and destroying them immediately. Deciding on the right choice of shredders and locations, as part of an overall data protection plan, takes time and thought. Organisations need to be doing this work now rather than making last-minute panic buys when the time comes in May.

By preparing now, you would not only be protecting your organisation’s sensitive data, but also saving yourself stress tomorrow.

Many thanks to HSM UK for this article