Since the inception of the GDPR in May, a strong emphasis has been put on the digital security of organisations. Yet, should we be neglecting the paper-based documents that so many of our departments still use? Mark Harper, head of office technology at HSM, illustrates the importance of remembering that GDPR goes beyond digital
It has now been over six months since the General Data Protection Regulation (GDPR) came into effect in May 2018. For some, this year has reinforced that the data security processes they have in place are in fact legitimate, but for many it has been a wake-up call.
As stories continue to emerge of data related ‘slip ups’, it appears we’re still experiencing some GDPR teething problems. It is now more important than ever to reinforce the significance of protecting both digital and hard copies of confidential information in the correct way.
This applies to everyone. Those who are still unsure or have already been reprimanded for non-compliance need to rectify their efforts. Even the teams who are confident in their processes need to remain vigilant to ensure they don’t become complacent, reverting back to a lax view on data protection once more.
Negligence has already penalised so many, with one law firm claiming that there were 6,281 data breaches notified to the ICO in the first 40 days after GDPR went live.
Beyond digital practices
It’s true that as we gravitate towards a digital document utopia, sufficient focus should fall on digital security. Organisations are failing to remain compliant in this area and are falling victim to heavy fines. International healthcare group, Bupa, was recently fined £175,000 by the Information Commissioner’s Office (ICO) after an employee was able to extract personal customer information and sell it on the dark web.
Yet, as the ICO exclaims, we should be looking beyond passwords in order to meet these new data protection laws. It’s not enough for organisations to focus solely on digital practices. GDPR goes further than digital security. Paper copies continue to remain part of our processes which is why it should instead be seen as a companywide adjustment for information security as a whole. Personal data can be misplaced and misused whether it’s encrypted databases or paper copies.
For busy HR departments, it’s no exaggeration that paper normally comes in stacks, all in the form of employee records, payrolls, contact information and even medical information, to name a few. One guide produced specifically for HR departments promotes the immediate disposal of non-compliant paperwork as one of the day-to-day changes data controllers should introduce. With this, shredding should be completed on site, as soon as a document is no longer needed. And for this, cross cut shredding is recommended as the best course of action. A simple implemented mantra of ‘shred all’, ‘shred where you work’, ‘shred now’ and ‘shred little and often’ can be the real key to your organisation’s long-term paper document security.
Investing for a secure future
Almost 10,000 patient records were lost or stolen from NHS trusts last year – leading to subsequent fines. These incidents happened within 68 separate trusts across the country, proving that this wasn’t just an anomaly. It would appear that the NHS, like many, was lacking accountability for its data security. To tighten patient security the NHS has since published a set of good practice guidelines with information on how to clear hard disk drives and how paper based information should be cross cut. As referenced in their guidelines, strip cut or low security shredding is no longer suitable in the effort to sustain compliance. Instead, data coordinators are asked to destroy documents containing patient identifiable data on site to a minimum of 4x15mm cross cut – which effectively means using a P-5 security level.
It’s also becoming more commonplace for organisations to have an active data protection officer, whether in a full or part-time role. While this isn’t a necessity, it is beneficial. Up until now, a lack of responsibility has contributed to the growing number of incidents that are leaving organisations with fines, such as with the NHS.
Appointing someone to take responsibility is just the first step. Ensuring focus is split between both digital and hard copy data is the second. Not only should time and effort be put into bolstering cyber security but also other media types such as paper documents, which are instantly recognisable and highly portable.
However, with hard copies of information especially, some opt for the quick and easy options, which can be unfortunately counterproductive. Those that are commonly viewed as the cheaper options (outsourcing and substandard shredding products) can carry a heavy burden of insecurity and, while these solutions can seem to be an inexpensive resolution to your GDPR problems, they could cost more in the long run. As many have found out, outsourced shredding solutions are not always as secure as they claim, and cheaper shredding products are less reliable in the long run.
This quick fix mentality is no longer suitable for keeping confidential information secure. Leading your security efforts with a view of obtaining the cheapest solution can land your organisation in hot water. Whether for digital or paper-based data, we can no longer afford for security to be a second thought.
Don’t forget to follow Dealer Support on Twitter!