Meeting the Requirements of the GDPR: Going Beyond Digital

Since the European Union’s General Data Protection Regulation (GDPR) came into force in May, a strong emphasis has been placed on the digital security of organisations. However, should organisations be neglecting the paper-based documents on which so many departments still depend? Mark Harper illustrates the importance of remembering that the GDPR goes beyond digital.

It has now been over six months since the GDPR came into effect. For some, this year has confirmed that the data security processes they already had in place are adequate. For many, however, the GDPR has proven to be something of a wake-up call.

As stories continue to emerge of data-related ‘slip-ups’, it appears that we’re still experiencing some GDPR teething problems. It’s now more important than ever to reinforce the significance of protecting both digital and hard copies of confidential information in the correct way.

This ‘rule’ applies to everyone. Those who are still unsure, or who have already been reprimanded for non-compliance, need to redouble their efforts. Even the teams who are confident in their processes need to remain vigilant to ensure they don’t become complacent and revert to a lax view of data protection.

Negligence has already cost many organisations dearly: one law firm recently reported that 6,281 data breaches were notified to the Information Commissioner’s Office (ICO) in the first 40 days after the GDPR went live.

Beyond digital practices

It’s true that, as we gravitate towards a digital document ‘utopia’, sufficient focus should fall on digital security. Organisations are failing to protect personal data in this area and are receiving heavy fines as a result. International healthcare group Bupa was recently fined £175,000 by the ICO after an employee was able to extract personal customer information and offer it for sale on the dark web. (That penalty was issued under the pre-GDPR Data Protection Act 1998 because the incident occurred in 2017, but the same systemic failures would now attract the far higher penalties available under the GDPR.)

Yet, as the ICO has pointed out, we should be looking beyond passwords in order to meet these new data protection laws. It’s simply not enough for organisations to focus solely on digital practices. The GDPR goes further than digital security: it applies to personal data in any form, and paper copies remain part of our processes. Compliance should therefore be seen as a company-wide adjustment to information security as a whole. Personal data can be misplaced and misused whether it’s housed in an encrypted database or stored as a paper copy.

For busy Human Resources (HR) Departments, it’s no exaggeration to say that paper normally comes in stacks: employee records, payroll, contact information and even medical information. One guide produced specifically for HR Departments promotes the immediate disposal of paperwork that should no longer be retained as one of the day-to-day changes data controllers should introduce. With this in mind, shredding should be completed on site as soon as a document is no longer needed, and cross-cut shredding is recommended as the best course of action.

A simple mantra of “Shred All”, “Shred Where You Work”, “Shred Now” and “Shred Little and Often” can be the real key to your organisation’s long-term paper document security.

Investing for a secure future

Almost 10,000 patient records were lost or stolen from NHS Trusts last year, leading to subsequent fines. These incidents happened within 68 separate NHS Trusts across the country, proving that this wasn’t just an isolated anomaly. It would appear that, like many organisations, the NHS was lacking accountability for its data security.

To tighten patient data security, the NHS has since published a set of good practice guidelines with information on how to sanitise hard disk drives and how paper-based information should be cross-cut. As referenced in its guidelines, strip-cut or low-security shredding is no longer suitable in the effort to sustain compliance. Instead, data co-ordinators are asked to destroy documents containing patient identifiable data on site to a minimum particle size of 4 x 15 mm cross-cut. Note that a 4 x 15 mm particle (60 mm²) corresponds to DIN 66399 security level P-4, not P-5; a P-5 machine produces particles of no more than 30 mm² and so comfortably exceeds the NHS minimum.

It’s also becoming more commonplace for organisations to have an active data protection officer in place, whether in a full or part-time role. The GDPR only makes this mandatory in certain cases (public authorities, and organisations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special category data such as health records), but it is beneficial for everyone. Up until now, a lack of clear responsibility has contributed to the growing number of incidents that are leaving organisations to deal with hefty fines.

Appointing someone to take responsibility is just the first step. Ensuring that their focus is split between both digital and hard copy data is the second. Not only should time and effort be put into bolstering cyber security, but also into other media types such as paper documents, which are instantly recognisable and highly portable.

Where hard copies of information are concerned especially, some opt for the quick and easy options, which can be counterproductive. The choices commonly viewed as cheaper (outsourcing, and sub-standard shredding products) can carry a heavy security burden and, while they may seem an inexpensive resolution to your GDPR problems, they could cost more in the long run.

As many have found out to their cost, outsourced shredding services are not always as secure as they claim, while cheaper shredding products are less reliable in the long run. If destruction is outsourced, remember that the contractor is a data processor under the GDPR: Article 28 requires a written contract setting out its obligations, and you should insist on a documented chain of custody and a certificate of destruction for every collection.

This ‘quick fix’ mentality is no longer suitable for keeping confidential information secure. Leading your security efforts with a view towards obtaining the cheapest solution can land your organisation in hot water. Whether for digital or paper-based data, security can no longer be an afterthought.

Mark Harper is Head of Office Technology at HSM

Sources

https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/09/bupa-fined-175-000-for-systemic-data-protection-failures/

https://www.out-law.com/en/articles/2018/november/gdpr-companies-passwords-ico/

https://www.personneltoday.com/hr/gdpr-compliance-cheat-sheet-for-hr-departments/

http://www.nationalhealthexecutive.com/News/nhs-trusts-lost-almost-10000-patient-records-last-year/209347

https://digital.nhs.uk/services/data-and-cyber-security-protecting-information-and-data-in-health-and-care/cyber-and-data-security-policy-and-good-practice-in-health-and-care/sanitisation-reuse-disposal-and-destruction-of-electronic-media-guidance-for-health-and-care-organisations/destruction-and-disposal-of-sensitive-data-good-practice-guidelines#overview-of-data-media-types

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
