All entities that collect and process personal data are required to protect that data from unauthorised access. The introduction of the GDPR aims to regulate the secure use, storage and disposal of personal data. Find out how the destruction of data stored on various media should take place in accordance with the current regulation.
The Data Protection Regulation has been in force since 25 May 2018 in all countries of the European Union. It aims to protect individuals in relation to the proliferation of database processing. The regulation regulates how companies and institutions can collect, transfer and dispose of the information collected. The regulations apply to all data carriers, both digital and physical.
Document destruction must result in the irreversible destruction of the media in such a way that sensitive data cannot be reconstructed. At this point, it is worth mentioning that the regulation does not precisely define the method of destruction itself.
According to the provisions of the GDPR, documents such as:
A company can be fined up to 4% of its annual revenue or up to €20 million for breaching the basic data protection principles or unlawfully sharing data. A fine of 2% of annual revenue or €10 million is in turn envisaged if deficiencies in protection systems are detected. In view of the financial consequences, as well as the potential consequences of leaking customer data, any entity processing personal data should comply with the principles of proper destruction of records.
According to Article 5 of the GDPR, documents with personal data may not be kept longer than necessary. A given entity may therefore only keep personal data for the period required to fulfil the purpose for which they were collected. However, the Regulation does not specify a maximum length of time for their storage. The information clause concerning the data processing shall not contain the information that the data shall be stored indefinitely. The controller shall be obliged to determine the time after which the data will be deleted.
A guideline for how long we should keep data may be other specific provisions. For example, Article 189g §1 of the Code of Administrative Procedure states that an administrative fine may not be imposed if 5 years have elapsed from the date of the breach of the law or the occurrence of the consequences of the breach of the law. On this basis, we can assume that we should keep data such as invoices and receipts in our company for 5 years. As a second example, let us use Article 94(9b) of the Labour Code. It indicates that employee records should be kept for the entire period of employment and for 10 years, counting from the end of the calendar year in which the employment relationship was terminated (unless other provisions stipulate otherwise).
If we want to dispose of the documentation, we can choose one of two options. The first is to use a specialised company. The second option is to purchase a shredder and shred it yourself. Smaller companies processing small volumes of documents most often opt for the latter option. In order to comply with the GDPR rules for this type of business, it is crucial that employees are trained in data protection regulations and that they purchase a shredder that provides an adequate level of security.
In contrast, institutions and companies that generate very large volumes of documents and media, numbering in the hundreds of kilos per month, often outsource this service. However, great care must be taken when choosing a contractor for this type of service. First of all, it is worth verifying that the company has equipment that guarantees document shredding in accordance with DIN 66399. It is also necessary to sign a data entrustment agreement to ensure that the company disposing of the documents has the technical and organisational means to meet the requirements of GDPR. Remember that we are responsible for the inadequate destruction of data records, not the company to which we have outsourced the service.
Let's move on to the requirements for shredders as set out in the aforementioned DIN 66399 standard. DIN 66399 lists three classes of data protection requirement. The first class relates to documents accessible to larger number of recipients. The second class relates to information intended for a narrow circle, which could have a significant negative impact on business if disclosed. The highest third class covers the most confidential data, the leakage of which could cause serious negative consequences for the company. If you want to destroy records in accordance with the requirements of the DPA, you should consider and which class of data you use in your business.
It goes on to define 7 security levels, which determine the maximum size of the cuttings that remain after the destruction of a given media. For example, a shredder with a security level of P-7 designed for top-secret data produces paper cuttings only up to 1 mm wide and with an area of no more than 5 mm2. Similar seven-grade scales have also been defined for magnetic media (e.g. magnetic stripe badges), electronic media (memory sticks or SSDs), optical media (CD/DVD and Blu-ray discs), film and microfilm, and HDDs.
Before choosing a particular shredding method, it is important to analyse the level of secrecy of the data that is processed by the entity in question. The aforementioned P-7 security grade shredder is mainly used in major corporations, banks, the military and other facilities that require maximum security. In the vast majority of offices, paper shredders with security levels P2 to P4 are perfectly adequate.
Old data media may not be reusable. Unfortunately, simply overwriting them is not always effective. Many commercial shredder models are equipped with a CD/DVD and Blu-ray destruction function. More specialised machines allow SSD and even HDD destruction. An excellent example is the OPUS dataPREDATOR shredder. If you have any doubts about choosing the right shredder for your business, please feel free to contact our experts.
