Personal documents – data protection also applies to disposal
The EU General Data Protection Regulation of 2018 poses great challenges for companies, but they are also associated with opportunities. In particular, respect for personal data can mean a great image gain, which gives customers and suppliers a good and secure feeling. However, there are also areas that are neglected in some companies, but whose importance in terms of data protection is to be rated as very high. This area includes dealing with the destruction of personal documents.
If documents or storage media are not properly disposed of or destroyed, frightening individual cases can be found in the press. A social counseling center in Berlin had disposed of reports on mental illness and the identified need for care in connection with personal data in the residual waste - used hard drives from the authorities were offered on sales platforms with highly sensitive data.
The consequences are a significant loss of trust and possible sanctions!
Personal documents – companies must pay attention to this
The new General Data Protection Regulation (GDPR) regulates the handling of data and information containing personal data. The collection, storage and further use of the data is subject to rules, the disregard of which can result in fines and a loss of image. But compliance with the GDPR is not only an important factor in day-to-day business, because further handling of data deletion and destruction is also clearly regulated. Not only the digital data must be securely deleted - also paper documents, which must contain personal data and are subject, like the electronic data, to the GDPR.
What are the requirements for document destruction?
The destruction of documents in companies is subject to the security levels of DIN 66399. For the company, this means that there is a regulation that prescribes the type of shredding of the documents and thus ensures legal security. The minimum size of the shredded particles in the documents determines the security level that a shredder or document shredder must have in order to meet the requirements of the GDPR. The DIN is stated on the document shredders. The security levels also specify what type of data is involved and how it is handled. 3 levels are defined here - the first level stands for general data, while level 3 describes secret data.
Looking at the individual stages, the GDPR provides the following subdivisions:
Level 1 – internal company data (product overviews, flyers...)
Level 2 - confidential data (personal data, accounting documents, tax, balance sheets...)
Level 3 - secret data (patient data, health data, research information...)
If security level 3 documents are to be destroyed, it must be ensured that the documents cannot be reproduced or can only be reproduced with considerable effort.
What role does a data protection officer play in document destruction?
If more than nine employees work in a company and have access to personal data, an internal or external data protection officer must be appointed. The data protection officer therefore also has the task of ensuring that files are destroyed properly and in accordance with the law. The data protection officer must decide whether an external service provider will be commissioned to carry out the legally compliant document destruction, or whether all the prescribed processes will be observed internally.
The external disposal of files
A professional service provider has advantages for companies, since the files must be destroyed in accordance with the law and compliance with data protection guidelines is therefore ensured. Highly sensitive data can only be processed through an expensive document shredder - this purchase is not necessary.
The workforce in particular will welcome the use of an external service provider, as this also offers consulting services and unclear cases can therefore be clarified directly through official channels. Helpful support can be offered here, especially when it comes to classification into the various security levels. At the same time, the files can also be handed in in their original form and there is no need to laboriously staple out the individual sheets.
Destruction of digital storage media
Companies work with storage media, which in many cases contain sensitive data. Examples include USB sticks, DVDs and CDs, hard drives and smartphones.
Please note: Some printers are also able to save personal data, which must be deleted!
Storage media on which sensitive data is stored are often no longer used and can be disposed of. Unfortunately, a final deletion of the data is not possible at all, since computer professionals can also restore deleted data and thus gain access to personal data. The storage media must therefore be completely destroyed. A document shredder with the appropriate security level is required here. Another safe way to destroy data carriers is to have a professional service provider carry out data carrier destruction according to DIN 66399.
Deleting personal data - the implementation
If a consumer asks a company to delete their personal data, a company must take a number of steps to ensure a legally secure process. If there is no deletion concept here, fines and a loss of image can result.
- without a concept, erroneous data may be deleted.
- if data is used in different systems, erroneous deletion can obscure connections and the data quality suffers.
- If the deletion is not carried out, there is a risk of a fine.
- if documents are deleted that are still subject to the statutory retention periods, there are consequences.
For these reasons, a company should delete personal data according to a data protection-compliant concept.
A data protection-compliant deletion process includes the following steps:
- the processing of personal data must be fully identified
- In order to carry out a clean deletion process, all data and categories must be recorded and all retention periods must be observed. Without this foundation, a company cannot securely erase data.
- if the deletion process is to be carried out, all systems and interfaces involved must be specified. Without having identified the systems and data flows, no exact deletion process is possible. This point is usually underestimated, but since one finds grown IT systems in companies and authorities, this work step is to be evaluated as complex.
- in order to carry out a deletion process successfully and legally secure, proof of the completed deletion must be available.