Our focus in this newsletter is regulatory and legal compliance – an aspect of information security that is increasingly important, but still often overlooked, particularly by smaller organisations.
As a business decision-maker, you are probably aware of the negative consequences of an information security breach: financial losses from customer attrition, a damaged reputation, and costly fines and restitution.
Do you realise, however, that information security extends beyond sound business practice? It is also your legal responsibility to remove the very conditions that could lead to a breach.
In the UK and internationally, governments and regulators now require organisations of all sizes to take responsibility for the security of the sensitive data they hold. This newsletter looks at what UK law requires and what steps your company should take to remain legally compliant in its handling of client, partner and employee data.
Your organisational growth and survival depend on an abundance of quality information. After all, we live in the “information age” where “big data” is being used by businesses and organisations to examine and analyse every area of our lives.
Your organisation produces and consumes vast amounts of information from clients, partners, employees and other stakeholders. Managing payroll, analysing cash flow, keeping track of suppliers, researching client profiles, mining data for trends and collecting competitive intelligence are just a few of the data-handling tasks you carry out every day.
While this information, and the tasks that depend on it, are critical to your success, the same pools of data can leave your organisation exposed. If it is accessed by an employee or an outsider with malicious intent, this sensitive data is a goldmine to them and a serious risk to you.
“Unfortunately, individuals not bound by ethical constraints are capable of using easily-available information for illegitimate purposes,” says Robert Guice, Executive Vice President at Shred‑it. “Information theft, including identity theft, is a substantial and growing business these days. Criminals operating internationally extract handsome profits by exploiting organisations’ security vulnerabilities.”
Armed with a few key pieces of information such as a name, date of birth, National Insurance number and address, identity thieves can assume the identity of your clients, employees, owners and partners, or even of your organisation itself. The stolen details are typically used for criminal gain through false loan applications, credit card fraud, bank account “skimming”, false insurance claims and more. Information security laws and regulations exist for precisely this reason.
The primary piece of legislation with which most people will be at least somewhat familiar is the Data Protection Act 1998 (DPA). In force since 2000 and based on European law, it was created to protect individuals’ personal data in the UK. Among other things, it requires that personal data be used only for the purpose for which it was collected and not be disclosed to other parties without the individual’s consent.
As regards what the DPA means for your organisation’s data security, the Act’s seventh data protection principle requires appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against its accidental loss, destruction or damage. In particular, organisations are required to:
Full details on the DPA and steps you can take to ensure compliance are available from the Information Commissioner’s Office (ICO) website ico.gov.uk.
In addition to the principles set out in the Act, the government is now doing more to promote the importance of data security. From April 2010 the ICO was given new powers under which organisations that lose individuals’ personal data can face a monetary penalty of up to £500,000. Before that, the maximum penalty for a serious breach of the Data Protection Act was £5,000, so this was a significant extension of the ICO’s powers. To date, the ICO has issued over £6 million in financial penalties to organisations found in breach of the DPA, which should place information security firmly at the top of every organisation’s agenda.
In addition to the DPA, the Freedom of Information Act 2000 (FOIA), which came into force in January 2005, gives individuals the right to request information held by or on behalf of public authorities. The FOIA defines public authorities to include government departments, both Houses of Parliament, NHS hospitals, schools, universities, doctors’ surgeries and many others. Organisations covered by the FOIA need to keep a record of each information request and follow the Lord Chancellor’s Code of Practice on the Management of Records.
The FOIA also provides guidelines for the secure storage and destruction of records including:
Beyond government legislation, most industry regulators, professional bodies and trade associations publish guidance on information security and data protection. Some include data security arrangements in their auditing or inspection processes and have the power to impose penalties for non-compliance. Organisations therefore need to know which sector rules affect them and ensure that their policies and procedures are aligned with the relevant bodies’ requirements.
Data protection legislation is currently under review within Europe. The proposed reforms will strengthen individual rights and address the challenges of globalisation and new technologies. When the law changes it will have a profound effect on UK businesses and organisations, which will very likely need to review and amend their document retention and destruction policies to remain compliant. More information on the proposed reforms is available on the European Commission website, ec.europa.eu.
Whatever happens in a constantly changing regulatory and legal landscape, one thing will remain constant: preventing a breach is far easier and far less costly than dealing with the repercussions that follow one.
When thinking about your organisation’s information security, legal compliance is only the minimum requirement. An organisation’s efforts to protect itself, its clients, employees and other stakeholders should not stop there. “Part of our job as an information security company is to consult organisations on what best practices and security strategies they should be implementing to become compliant,” says Robert Guice, Executive Vice President at Shred-it. He continued, “Typically, there are several key strategy components we recommend to each client. One of them is that they should always opt for information destruction methods that meet or exceed all national compliance standards. Another key recommendation is to have an organisation-wide policy in place that stipulates how company employees should go about the disposal of their paper waste. The ultimate goal is to create a culture of total security, with zero tolerance not only of security breaches, but also of the existence of the very conditions that make them possible.”
To help ensure full compliance with the privacy legislation that governs your industry, here are some suggested steps:
To learn more about complying with data protection and information security legislation visit: shredit.co.uk/resource-centre.