While all business owners and managers know that personal information must be securely destroyed, many fail to appreciate the need to demonstrate that their information destruction process is consistent and systematic.
Why Office Shredders Don’t Cut It
In order to meet the legal requirement to protect employees’ and customers’ personal information, many organizations buy a shredder. Staff are then told to use that shredder to destroy anything confidential. If staff are too busy, they are expected to accumulate the materials, or maybe the documents are stacked next to the shredder so another staff member can shred them.
For the time being. Let’s set aside the fact that the shredder often breaks, or that the cleaners might throw out sensitive materials that build up, or that some employees are not going to be diligent about the process. For now, let’s not worry about all those points of probable failure.
Let’s focus instead on the absence of any demonstrable audit trail that shows that data destruction was actually performed. In that regard, even if everything went as planned, even if all the many possible points of failure didn’t come to pass, there is still no record of a consistent, ongoing, systematic destruction process.
If, at any point, something turns up, or regulators have a reason to question data security compliance, there is nothing to show them. Pointing to a small shredder in the supply room is likely to do more harm than good, precisely because of all the previously mentioned weaknesses.
Everyone knows that data protection compliance requirements are strengthening. And, while stiffer fines, class action lawsuits and expensive data breach notification are the tip of that spear, one of the lesser-known requirements is that organizations must now be able to demonstrate their compliance. Even though an organization may be doing the right thing, they are deemed non-compliant if they cannot show clear evidence to regulators that they are.
If an organization is committed to destroying discarded records internally, the collection and destruction process needs to be much more formal. This includes internal accountability, written policies and procedures, employee training, logging of destruction events, including times/dates/methods, a record of the employees involved, and a general description of what is destroyed.
This not only documents the event and process, more importantly it creates a body of documentation demonstrating to authorities that there is a formal, systematic process in place.
The other solution is to use Shred Vault. Not only is it less expensive than in-house destruction, but the process inherently includes the type of legacy evidence that regulators require.
The fact that Shred Vault is less expensive, more convenient and more secure only makes it that much more attractive.
© 2023 Shred Vault, LLC – All Rights Reserved
This content may not be reproduced, posted, linked or distributed, in whole or in part, without the expressed written permission of Shred Vault, LLC.