Since the inception of the GDPR in May 2018, a strong emphasis has been put on the digital security of organisations – but are we neglecting the paper-based documents that so many of our departments still use? Mark Harper, head of office technology at HSM (UK), illustrates the importance of remembering that GDPR goes beyond digital.
It has now been over six months since the General Data Protection Regulation (GDPR) came into effect in May 2018. For some, this time has reinforced that the data security processes they have in place are, in fact, legitimate, but for many it has been a wake-up call.
As stories continue to emerge of data-related ‘slip ups’, it appears we’re still experiencing some GDPR teething problems. It is now more important than ever to reinforce the significance of protecting both digital and hard copies of confidential information in the correct way.
This applies to everyone. Those who are still unsure, or have already been reprimanded for non-compliance, need to redouble or rectify their efforts. Even the teams who are confident in their processes need to remain vigilant to ensure they don’t become complacent, reverting back to a lax view on data protection once more.
Negligence has already penalised so many, with one law firm claiming that there were 6,281 data breaches notified to the Information Commissioner’s Office (ICO) in the first 40 days after GDPR went live.
Beyond digital practices
It’s true that, as we gravitate towards a digital document utopia, sufficient focus should fall on digital security. Organisations are failing to remain compliant in this area and are falling victim to heavy fines. International healthcare group, Bupa, was recently fined £175,000 by the ICO after an employee was able to extract personal customer information and sell it on the dark web.
Yet, as the ICO explains, we should be looking beyond passwords in order to meet these new data protection laws. It’s not enough for organisations to focus solely on digital practices; GDPR goes further than digital security. Paper copies continue to remain a big part of our processes, which is why GDPR should be seen as a company-wide adjustment for information security as a whole; personal data can be misplaced and misused – whether it’s in encrypted databases or on paper copies.
For busy HR departments, it’s no exaggeration that paper normally comes in stacks, all in the form of employee records, payrolls, contact information and even medical information. One guide, produced specifically for HR departments, promotes the immediate disposal of non-compliant paperwork as one of the day-to-day changes data controllers should introduce. As part of this, shredding should be completed onsite, as soon as a document is no longer needed, and cross-cut shredding is recommended as the best and safest course of action. The simple-to-implement mantra of ‘Shred all, shred where you work, shred now and shred little and often’ can be the real key to your organisation’s long-term paper document security.
Investing for a secure future
It’s becoming more commonplace for organisations to have an active data protection officer, whether in a full- or part-time role. While this isn’t a necessity, it is beneficial. Up until now, a lack of responsibility has contributed to the growing number of incidents that are leaving organisations with fines.
Appointing someone to take responsibility is just the first step; ensuring that the focus is split between both digital and hard copy data is the second. Not only should time and effort be put into bolstering cyber-security, other media types, such as paper documents – which are instantly recognisable and highly portable – should also be dealt with effectively.
However, in relation to hard copy information, especially, some opt for the quick and easy options which can, unfortunately, be counter-productive. Those approaches that are commonly viewed as the cheaper options – such as outsourcing and substandard shredding products, for example – can carry a heavy burden of insecurity and, while these solutions may seem to be an inexpensive resolution to your GDPR problems, they could cost more in the long run. As many have found out, outsourced shredding solutions are not always as secure as they claim – and cheaper shredding products are less reliable in the long run.
This quick-fix mentality is no longer acceptable for keeping confidential information secure. Leading your security efforts with a view of obtaining the cheapest solution can land your organisation in hot water; whether for digital or paper-based data, we can no longer afford for security to be a second thought.