Protecting discarded sensitive media is Shred Vault’s sole focus and mission. It’s our superpower. And because it’s our superpower, our clients are free to focus on their superpowers without worrying.
Unfortunately, however, organizations that don’t know what to look for in a secure destruction service become susceptible to vendors who are more than happy to capitalize on that fact. This might not be such a serious issue if we were talking about any other type of service. But, at a time when data protection and privacy are subject to increasingly intense regulatory action, public scrutiny and seven-figure penalties, organizations can get in serious trouble by selecting service providers that don’t measure up.
With that in mind, we offer the following list of issues and questions every client should ask when hiring a company to shred their old documents or recycle their decommissioned computers.
And these questions are more than just academic. When it comes to data security and privacy regulations, clients are responsible for the mistakes of their service providers and, therefore, they risk severe consequences from making an uninformed decision.
Data Privacy and Compliance/DPO
Does the service provider have a qualified Data Protection Officer? Many service providers assign that title to an unqualified employee. Worse than being inadequate, the appointment of an unqualified DPO is intentionally deceptive. The truth is that very few secure destruction services assign the role to a dedicated professional with the experience and credentials to ensure that they comply with all relevant regulations (e.g., HIPAA, GDPR, FACTA, PIPEDA, CPRA).
Note: This “qualified DPO” requirement IS NOT currently validated by any of the prevailing industry certifications.
Written Policies and Procedures
Does the secure data destruction service provider have comprehensive written policies and procedures that are aligned with regulatory requirements, on which all employees are trained, and to which the service provider is contractually bound? A suitably comprehensive document would necessarily deal not only with the issues listed here, but also with other issues such as access control, care and custody, quality control, and destruction methodology.
Screening and Training of Employees
Does the service provider conduct thorough background screening, rejecting applicants with a known history of criminal activity, and are all employees thoroughly trained in accordance with global regulatory requirements? Do employees execute specific agreements, attesting to their understanding of the policies and procedures and their obligation to prevent and report unauthorized access to client information?
Responsible Disposal of Destroyed Materials
Are destroyed materials recycled in a manner that is both secure and environmentally compliant? For instance, shredded paper is sometimes used as packing material or animal bedding, both of which are insecure. Microfilm and electronic media contain harmful materials that should not be placed in a landfill.
Data Breach Response & Data Subject Requests
Does the service provider overtly agree to comply with its data breach incident response and reporting requirements, as well as its obligations to inform data subjects of their rights and the methodology for pursuing those rights?
As you may have guessed, Shred Vault checks all the boxes. We do so not only because we take our responsibility seriously, but also because we understand that our clients are put at risk if we don’t.
Contact us today for more about the many ways by which Shred Vault can help you meet your document and electronic media disposal requirements, keeping your organization, its customers, and its employees safe and compliant.