The Seven Ps. (photo: )
The Seven Ps.
16.04.2019, 12:08

Document Shredding and GDPR

White Papers & Briefings, EMEA, Data Security
Despite a global increase in document shredder sales since the introduction of GDPR, HSM's Mark Harper says data handlers need to align the destruction of confidential documents more closely with EU standard DIN 66399.


Almost a year on from the introduction of GDPR, the number of home and office shredders sales has risen on a global scale. Expectedly, the rise in sales can be linked to renewed interest in data protection as a consequence of the European Union's GDPR regulation update in May 2018.


Yet, even organisations that acquire shredders and other solutions to protect the security of confidential documents may still fall foul of compliance requirements, as a result of their poor knowledge of official security standards that apply to the destruction of confidential data.


International security standards

Since 2012, the processes for shredding data carriers have been regulated by the EU’s DIN standard 66399. These security standards are designed to provide transparency and clarity for data handlers in their efforts to securely dispose of sensitive and confidential data.


Following GDPR, the standards were internationalised in August 2018 and are now governed by the International Organization for Standardization (ISO).



Different levels, different users

Home and office shredders are designed to cut paper into particles that coincide with the international security standards. With this in mind, shredding sensitive data at an incorrect or unknown level can nearly be just as detrimental as not shredding at all. Data handlers need to understand two key factors of document security - which security level each area of their organisation needs to be shredding at and what security level their shredders are cutting at.


The seven security levels, outlined by the ISO, are as follows:

P-1 & P-2

Security levels known as P-1 & P-2 are the lowest security levels available, with documents being ‘destroyed’ using strip-cut devices. Strip-cut paper waste is typically large, with many single sheets being cut down to around 20-50 strips only - depending on the width of the cut.


Because of this, there is a possibility for shredded documents to be reconstructed (particularly if waste is produced in small quantities). This level of shredding is not commonly used outside of the home and does not cover the security that many data handlers need. Even documents that can be commonly found in the home (e.g. bank statements and bills) are at risk when using strip-cut devices. The lowest levels of security still provide the highest degree of risk.



The P-3 security level is a lower security cross-cut shred and is mostly used in smaller personal shredders. Whilst certainly more secure than strip-cut, it is at the lower end of security for shredding personal information.


Whilst it’s true that paper documents will benefit from the additional security that P-3 cross-cut provides, there is still a risk of reconstruction, especially when in small quantities.


P-4 & P-5

Also cross-cut solutions, both the P-4 & P-5 levels are most suited for use within conventional commercial environments. The use of cross-cut mechanisms enable data handlers to destroy paper documents at a level where reconstruction is near impossible.


Suited to general office shredding, at a P-4 level, shredders are typically capable of producing over 400 pieces per A4 page – a far cry from what is produced at P-1 and P-2.


For those dealing with highly sensitive personal data or commercial data, such as HR departments, finance and commercial outlets that regularly handle customer information, P-5 is a suitable security level. According to the Centre for Protection of National Infrastructure, part of the Home Office, destruction of anything below a P-5 level is suitable for shredding classified documents within government facilities. At P-5, documents are cut to produce around 2,200 pieces, giving a staggering potential of 19.5 million reconstruction possibilities per page.


P-6 & P-7

The highest of all security levels, P-6 and P-7 both destroy documents to a state where reconstruction is impossible via any current method.


Used at government levels and spanning to military forces, police HQs and security services, these levels of security are used for ‘Top Secret’ documentation. Although P-6 and P-7 levels are seen as the most secure and effective way of destroying confidential documents, they are not commonly needed for anything below the very highest-level confidential documents.



Knowledge is key

These international security standards have been put in place for good reason. You only have to look into some of the fines issued by the Information Commissioner’s Office in the United Kingdom to see what happens when they’re not followed correctly.


No longer can we be under the illusion that owning a shredding solution is enough. When it comes to data protection, it’s just as important to understand and implement appropriate security levels as it is using a shredding solution. You must educate your organisation to protect your data.






Article rating:

vote data

Leave a reply

Rushmore Primary School. (photo: )
Delta Security  - 12.02.2019, 08:07

Delta Secures a Local Primary School

UK high-security specialist Delta Security has installed a sophisticated 1080p HD CCTV system at the Rushmore Primary School in Hackney.

The Bridges Shopping Centre in Sunderland. (photo: Bowman Riley Architects)
FM Editor  - 15.04.2019, 10:47

OCS Achieves Success at Revo ACE Awards

OCS UK has been named "Top Scoring Service Supplier 2019" at this year's Revo ACE Awards which celebrate retail destinations and people that deliver a consistently positive experience for customers.

 (photo: )
FM Editor  - 01.05.2019, 09:05

Future-Orienting Building Systems

A new BACnet/IP automation station from Sauter interfaces with common field bus protocols, the IoT and Cloud storage solutions to facilitate the control of critical building systems.

 (photo: )
Timothy Connor  - 16.12.2019, 11:41

Planning for the Future of Data Centers

Tim Connor, Principal at Chicago and London based Sheehan Nagle Hartray Architects (SNHA), addresses the facilities management requirements of hyperscale data centers.

 (photo: )
FM Editor  - 18.12.2019, 16:08

The Drains of Christmas Future

UK wastewater and drainage solutions provider Lanes Group has reimagined "A Christmas Carol" into a story about the importance of clean drains.

 (photo: )
FM Editor  - 18.12.2019, 13:27

University of Manchester Clean Room Contract

SPIE UK has won an 18-month design, supply, install and commission contract for a clean room at The University of Manchester, as part of a new build being constructed by Balfour Beatty.

 (photo: )
FM Editor  - 16.12.2019, 13:38

Divestment of ISS Hygiène et Prévention

ISS has completed a divestment of ISS Hygiène et Prévention in France to Weinberg Capital Partners after entering into exclusive negotiations on 6 September.