Document Shredding and GDPR
Despite a global increase in document shredder sales since the introduction of GDPR, HSM’s Mark Harper says data handlers need to align the destruction of confidential documents more closely with the security levels of the German standard DIN 66399.
Almost a year on from the introduction of GDPR, sales of home and office shredders have risen worldwide. As expected, the rise can be linked to renewed interest in data protection following the EU’s General Data Protection Regulation, which took effect in May 2018.
Yet even organisations that buy shredders and other tools to protect confidential documents may still fall foul of compliance requirements, because they do not know the official security standards that govern the destruction of confidential data.
International security standards
Since 2012, the shredding of data carriers has been covered by the German standard DIN 66399 (DIN, not the EU, is the issuing body). Its security levels are designed to give data handlers transparency and clarity when securely disposing of sensitive and confidential data.
Following GDPR, the standard was internationalised in August 2018 as ISO/IEC 21964 and is now maintained by the International Organization for Standardization (ISO).
Different levels, different users
Home and office shredders are designed to cut paper into particles that meet these international security levels. Shredding sensitive data at an incorrect or unknown level can be nearly as damaging as not shredding at all. Data handlers need to understand two things: which security level each part of their organisation must shred at, and which security level their shredders actually cut at.
The seven paper security levels, P-1 to P-7, are as follows:
P-1 & P-2
P-1 and P-2 are the lowest security levels, with documents ‘destroyed’ by strip-cut devices. Strip-cut waste is large: a single sheet is cut into only around 20-50 strips, depending on the width of the cut.
Because of this, shredded documents can be reconstructed, particularly when waste is produced in small quantities. This level is rarely used outside the home and does not provide the security most data handlers need. Even documents commonly found in the home, such as bank statements and bills, are at risk on strip-cut devices. The lowest security levels carry the highest risk.
P-3
P-3 is a lower-security cross-cut shred, mostly found in smaller personal shredders. While certainly more secure than strip-cut, it sits at the low end of security for shredding personal information.
Although paper documents benefit from the additional security that P-3 cross-cut provides, there is still a risk of reconstruction, especially when waste is produced in small quantities.
P-4 & P-5
Also cross-cut, P-4 and P-5 are best suited to conventional commercial environments. The cross-cut mechanism lets data handlers destroy paper documents at a level where reconstruction is near impossible.
Suited to general office shredding, a P-4 shredder typically produces over 400 pieces per A4 page, a far cry from what P-1 and P-2 produce.
For those handling highly sensitive personal or commercial data, such as HR departments, finance teams and commercial outlets that regularly process customer information, P-5 is the appropriate level. According to the Centre for the Protection of National Infrastructure (CPNI), nothing below P-5 is suitable for shredding classified documents within government facilities. At P-5, an A4 page is cut into around 2,200 pieces, giving a staggering 19.5 million reconstruction possibilities per page.
P-6 & P-7
The highest security levels, P-6 and P-7, destroy documents to a state where reconstruction is not feasible by any current method.
Used by government, the military, police headquarters and the security services for ‘Top Secret’ material, P-6 and P-7 are the most secure and effective ways to destroy confidential documents, but they are rarely needed for anything below the most highly classified documents.
Knowledge is key
These international security levels exist for good reason. You only have to look at some of the fines issued by the Information Commissioner’s Office in the United Kingdom to see what happens when they are not followed.
We can no longer be under the illusion that owning a shredder is enough. When it comes to data protection, understanding and applying the appropriate security level is as important as using a shredder at all. Educate your organisation to protect your data.