Is the UK choosing the correct GDPR solution?


With GDPR introducing new regulations in May, many businesses have started to make the necessary strides towards compliance.

Questions can be raised as to whether UK businesses are preparing in the right way. This uncertainty could lead to compliance issues when the data protection rules change. It’s time for the UK to educate itself.

Every organisation in the UK should now be preparing for GDPR, if they haven’t already done so.

Research in November 2017 recorded that only 1 in 5 large businesses in the UK were ready for GDPR.

On first sight of this, an initial ‘panic-stricken’ reaction is justified. However, what must be considered is the amount of time it takes organisations to put their processes in place.

At the time, the report documented that 4 in 10 businesses had a detailed GDPR compliance plan in place. This figure is likely to have increased as we enter 2018 with businesses continuing to put processes in place.  

Starting with the best form of defence.

Shredding should be one of the key components of an organisation’s plan for remaining GDPR compliant.

However, many organisations still believe that external shredding services may be their best option, which isn’t necessarily the case.

Subcontracting is seemingly the easy option for some, with shredding being taken off-site for someone else to deal with. Yet, what is commonly forgotten are the question marks above off-site cost effectiveness and security levels.

Investing in in-house shredding removes those questions about cost effectiveness and worries over the security levels of your shredding. An in-house solution can be up to 80% cheaper to operate over a five-year period compared to a third-party shredding service.

Not only this, but your organisation then has peace of mind knowing that you’re shredding in-house at the point of need at a level that really keeps your data secure. All positives, but first, you must identify your required shredding security level - defined by a DIN level scale.


DIN 66399 Security Levels – Better safe than sorry

Organisations employing a shred-on-site strategy need to decide on the appropriate level of security for their requirements.  Defined by the DIN 66399 standard, there is a simple 7 level scale, with security level P-1 recommended for ensuring low level documents are illegible and level P-7 being classed as military grade protection, turning paper into the tiniest of particles.

Generally, HSM recommend most organisations use a minimum-security level of P-4 for general office shredding to ensure protection from potential breaches, whilst P-5 is more suitable for highly sensitive HR or Finance documents.

However, this isn’t always the case for each user. View HSM’s essential GDPR guide to data protection and recommended security levels for a further understanding into the security levels on offer.

Selecting the right shredder

Determining the correct security level is just the first step when choosing your shredder.

As data protection officers consider the appropriate security level, facilities managers need to consider other practical factors.

What size paper will you be putting into your shredder? How many pieces of paper will it need to shred in one pass? What size shredder is going to be most suitable based on the space available?

Bin volume must also be considered. Ideally your shredder should only need to be emptied once a day. An approximate measure is that 100 sheets of A4 paper shredded at a P-4 DIN level will typically take up around 8 litres of space.

Additionally, key decision makers will need to know if a shredder is likely to be used for long periods of time. If so, it will need a continuous run motor.

Essentially, offices should make a realistic estimate of the amount of use a shredder will have and consider the best solution before making the final decision.

Prepare Now, Save Tomorrow.

The need to prepare for GDPR is vital and investing in a well-designed, in-house shredder is the right move for many UK organisations.

Deciding on the right choice of shredders and locations, as part of an overall data protection plan, takes time and thought.

By preparing now, you would not only be protecting your organisation’s sensitive data, but also saving yourself stress tomorrow.