Is it time to declutter your office?


A cluttered office can negatively influence the drive and productivity of employees. Disorder also means that confidential information is easily exposed, simply by being left out where anyone can see it.

An orderly office can actually enhance employee productivity as employees should feel more confident and in control.

Here are some tips to declutter your office space and better safeguard confidential data:

  1. Allocate specific space for personal items such as bags/coats etc. 
  2. Clear your desk and only have the absolute necessities for your workday within reach.
  3. Declutter by asking the question “Does this have a use?” and be brutal. If it does not have a specific reason to be there then clear it from your space.
  4. Do not stockpile items such as hard drives etc. When you get a new hard drive, destroy the old one.
  5. Have a specific place for incoming documents that require processing. Paper trays are useful for this.
  6. Organise all digital data into folders and categories too; a cluttered computer can be just as stressful as a desk full of papers.
  7. Schedule a regular shredding service or request on-demand shredding, depending on how much paperwork builds up and how regularly.
  8. Sticky notes are super handy and I have to admit I use them all the time; however, where possible, digital reminders for events and notes are tidier and more secure.
  9. Where possible convert your documents to digital format and put paper into protected consoles for secure destruction or locked filing cabinets when it is necessary to keep them.

Some people do thrive in chaos and clutter; however, most would say that a clean working environment equates to a tidy mind. Not only that, it is also safer for the protection of information within your company.

CCTV & GDPR


When we think of GDPR data protection, most of us have a tendency to consider organisations retaining specifics, such as our name, date of birth, address, financial details etc. But there is a manner of attaining data that is so prevalent we scarcely notice it anymore – CCTV.

If your company makes use of CCTV, you must know that the images compiled are categorised as personal data and subject to GDPR data protection regulations. In order to be GDPR compliant, you need to have a clear policy stating the reasoning behind it, such as security or risk of theft. People need to be aware they are being recorded on CCTV, so it is necessary to place signs in areas that are observed with CCTV.

Your policy should also include how long you intend to keep the footage, which is generally accepted as 30 days. If you need to keep it longer, your policy will need to include why it is necessary for it to be kept this long. Here you can find detailed information on the code of practice for CCTV.

Eventually it will be necessary to delete old footage; your system will most likely have a setting that auto-deletes footage after a number of days, depending on what you set it to. However, if you decide to upgrade your entire system, your hard drives will need to be destroyed, as data can be recoverable long after it is deleted and removed from your system. This can be detrimental to your compliance with GDPR. I would recommend the use of data destruction services. Here at ‘Security in Shredding’, items received for data destruction are logged on our asset tracking software; our clients receive a comprehensive report during the invoicing stage for complete traceability. This will allow you peace of mind and keep your business at the highest standard of security and compliance.

4 Steps to Avoid Mistakes in Physical Data Management

Recently we have been discussing in detail the risks associated with digital devices and cyber security; however, physical documentation needs to be secure too, and there are some measures you can put in place to ensure this.


1. Index your files

The majority of the files that your business will gather over time may never even be used or accessed after a certain length of time. Having an indexing system in place will allow you to keep track of each and every document, when they are received and what purpose they serve for the company. It will be convenient for finding and accessing documents efficiently.

2. Retention & Disposal Schedules

Included with your indexing system, you can schedule each document’s lifespan. The recommended maximum time to keep most documentation is seven years; however, this will depend on the individual document. Therefore, when you index each file, add an end date. It will allow you to quickly find anything you need. It will also assist you in removing the clutter of documents you no longer need and keep you compliant with the ‘EU General Data Protection Regulation’ (GDPR).

3. Storage

Use document storage boxes which are secure and locked. Taking all of these precautions and then having a filing cabinet which is open and accessible to anyone and everyone will just undermine any security measures you have put in place.

4. Shredding

Last but not least is your method of destruction once your documents have reached their use-by date. You will need to decide what kind of service best suits you: onsite shredding or offsite shredding. Having your secure paper shredding service scheduled regularly can be convenient. Just contact us and we can discuss what option would suit you best.


Getting Ready for 2020

2020 is fast approaching. Rather than leaving things to the last minute, now is the time to begin your end-of-year clear-out. What needs to be shredded and what needs to be kept in storage? As a general rule, older archives past the 7-year date mark should be destroyed. This whole process can be overwhelming and time consuming; however, to keep the procedure as time efficient and simple as possible, there are a few questions you should ask yourself.

  • What is the type of data?
  • Why do you have it? Do you really need it? Is it easy to get that information again if you need it down the line?
  • Where is it kept? Is it kept in filing cabinets? Or is it digitally saved?
  • When was it acquired? Has it been over 7 years ago? Is it time to remove it from your records?
  • Who has access to it?

Answering these questions should provide you with the solutions you need in order to keep compliant with the GDPR. When asking yourself these questions it is important to consider all forms of data: confidential paper, hard-drives and media devices, or branded products such as business cards or uniforms. Once all this is organised, it is time to contact your trusted shredding company, who can provide you with options for the certified destruction of your data.

The sooner you begin, the sooner you are ready for the new year.

Cyber Security – What can you do?

As important as it is to ensure your physical data is kept secure through a paper shredding service, digital data security also needs to be managed. Everything in today’s world is online, from business to leisure. Most of our days are spent connected to some network or another, in front of one screen or another. Data is our most valuable resource. For a business, data is customer information which needs to be protected. Why would anyone choose to frequent a business or establishment that has zero ability to keep their information safe and secure? There are a number of things that can be done in order to ensure that this is achieved. Some may seem obvious and simple but may be the difference between success and failure.

1. Firewall & Virus Protection

Always have a strong firewall and virus protection on your computers and devices that connect to the internet. A hacker is a person who uses computing devices to gain unauthorised access to data. If a hacker breaks through any defences you have, they not only will have access to what you do or say online but also to every file on your PC and every keystroke you make.

2. Strong Passwords

Passwords should not be obvious, and the best passwords are random letters and symbols. They shouldn’t be written down anywhere. It is also recommended to use a different password for every account or device you use. However, remembering all these random letters and symbols can be impossible for most people; password managers are useful in this situation. However, they pose their own risks too.

3. Avoid Public Wi-Fi

If at all possible, do not use public Wi-Fi. It is not secure enough. When out and about it’s best to have Wi-Fi switched off on your phone; some phones scan for Wi-Fi networks even when it seems to be switched off, so make sure your settings are all correct. However, bringing your laptop to Starbucks and conducting business can be comfortable and convenient on the go. If you really must use public Wi-Fi, try to find a good VPN. A VPN will allow you to send and receive data across shared or public networks as if you are directly connected to your private network.

4. Share less on Social Media

Sharing less personal information on social media is a sometimes overlooked method of staying secure. While you may not post things such as your home address or personal email address, depending on your settings you may be revealing all of this information without even realising. Check your settings on whatever platform you use and make sure all your privacy settings are up to the standard you require.

5. Hard-Drive and Media Destruction

Even when you have deleted a file or an app on your phone or PC, that information still exists. Hard drives are recoverable even when they have been completely wiped. When you are destroying data devices, formatting them just won’t cut it. Old and unused data devices should be destroyed through a hard-drive shredding service. Security in Shredding provide a nationwide Hard-Drive shredding service. This will cover the destruction of most media devices: phones, hard-drives, USB sticks, CDs, floppy discs etc. Just throwing these out as they are will make you vulnerable.

Why I need to Shred – Shredding Company or In-House?

Why do I need to Shred Data?

On the 25th May 2018 a new law came into play: the General Data Protection Regulation (GDPR), affecting businesses of all shapes and sizes.

All businesses, Irish or international, generate and process data through their operations. This data has to be created, managed and destroyed (i.e. through a Paper Shredding Service, In-house Shredding and/or Hard-Drive Shredding Service).

The GDPR splits data mainly into two categories:

Personal Data (i.e. information which can directly connect to or identify a living person such as; name, phone number, medical history etc.)

Special Category Personal Data (i.e. personal data in relation to; ethnicity, political/philosophical opinions/beliefs, religion, mental health, criminal records etc.)

Each of the above categories has specific requirements when processing such information. This means it is important to know what category you are processing.

Enforcement Authority

Each EU state has an independent public authority accountable for enforcing the implementation of this regulation. This is the Data Protection Commission in Ireland.

The GDPR harmonized the rules on how data is to be managed in order to protect individuals. The management includes the gathering/creation of the data through to the final destruction/disposal of the data through a paper shredding service or IT Asset Disposal Service.


There are serious implications that can occur if a business does not follow the GDPR requirements. It may be a warning or a large penalty of at least 4% of your annual global turnover or €20 million – whichever is higher. Compliance is essential.

Shredding Service Industry Associations

There are many associations across the world that Shredding Companies can join as members. This provides peace of mind for individuals, as the Association can apply guidelines for its members to be compliant with International Legislation.

Length of Time Storing Data Prior to Secure Shredding / Data Erasure

Information must be kept for as little time as possible. It is important to take into account why your company needs to store this data; is there a legal obligation? A system should be put in place with time limits/reviews and updates to out of date information/data.

To summarise, you need to shred/destroy out of date records/files/documents because it is the law. In order to be fully compliant it is invaluable to use a quality certified destruction service that will not only ensure all data is eradicated but will also provide compliance certification for your records. This will be invaluable when proving that your company/business is fulfilling their obligation to the GDPR.

The law is reason enough to shred on its own, but how do businesses know what service best suits them? In our upcoming blog posts I will be discussing different types of shredding, what makes the shredding company you choose legally compliant and whether onsite or offsite shredding would work best for you.

For Further info – please contact the team at Security in Shredding info@securityinshredding.com

Irish Companies must do more to protect themselves

In 2015 the Irish Computer Society carried out a nationwide survey in order to ascertain data protection professionals’ opinions in the area of data protection.


Results

The results show that of the 150 companies who took part in the survey, 15% had no data retention/destruction policy in place. This places these Organisations at severe risk of non-compliance with the GDPR due to come into force in May 2018. Another significant result from the survey showed that companies firmly laid the blame for 45% of all data breaches on employee negligence. Employee negligence can result in significant fines for Organisations that fail to have adequate procedures in place to manage Data Protection and secure paper destruction/IT disposal once the said information has reached its retention period.

Data Retention

In line with the Data Protection Acts, all data controllers are required to retain information for no longer than is necessary for the purpose. With that in mind, an accurate retention policy for all documentation ensures that a company can keep track of its different legal requirements. When there is no policy in place, companies run the risk of losing data, storing both paper and digital files longer than is necessary and experiencing breaches in information security, while also breaking the regulations under the Data Protection Act.

Data Destruction

The Data Protection Act places the responsibility on companies for the safe disposal/destruction of information in their possession. Responsibility for secure destruction falls under the remit of the data controller, and it is their responsibility to ensure that their disposal practices are compliant. If a company intends to hold information regarding customers in order to enhance services to them in the future, customer consent must be sought!

Employee negligence

Employees with a grudge are responsible for some breaches; however, many are due to employee negligence, whether by ignoring a warning, not following proper procedures or just human error. Employee breaches can fall into 3 categories:

  1. Innocent actions: wrongly addressed letters, misplacing mobile phones

  2. Careless or negligent: ignoring warnings that flash up on computer screen, releasing information in either the form of paper or IT equipment to a non-compliant individual/organisation to process.

  3. Malicious: the deliberate distribution of sensitive information to a third party

Innocent Data Breach Example

In 2016, the American giant Federal Deposit Insurance Corp experienced an innocent data breach through a past employee. The employee in question “inadvertently and without malicious intent” downloaded a series of confidential documents relating to client and commercial information and saved them to a portable storage device. It is scenarios such as this that justify the importance for businesses (large & small) of having detailed Data Protection procedures in place. These procedures are created to establish regulatory compliant methods for processing, storing and the secure disposal of the data within their control, providing peace of mind to management that their systems and practices are fully compliant.

Careless/negligent

Carelessness is one risk that is difficult to control from management’s perspective. The best method for management to protect their business is to focus on what they can control. In this case, educating employees and establishing effective monitoring procedures are two factors that management can control.

An example of effective education and monitoring would be to implement secure console units (secure bins) throughout your office space and introduce a procedure for all employees, informing them to insert all waste paper data in the provided consoles.


At the end of each week, conduct a spot check on all the remaining general waste bins inspecting for waste paper data. Continue this process for a number of weeks, highlighting non-compliance to all staff members, implement disciplinary procedures and monitor for improvement to attain 100% compliance.

Malicious

Similar to human error, malicious behaviour is extremely difficult and near impossible to control. The best method of equipping your Organisation for this kind of behaviour is to review all employment/HR guidelines and clearly outline your Organisation’s stance on malicious behaviour. This can result in criminal conviction of the said employee if proof of the malicious behaviour has been recorded.

Conclusion

With the introduction of the GDPR from Europe, Data Protection has become one of the most relevant and important compliance areas for Organisations to review and correct if deemed necessary. Lack of preparation may result in business-ending penalties from Europe, a risk that simply cannot and should not be taken. It may seem daunting to undertake such a review; however, the resulting protection will far outweigh the workload of completing the review.

Fail to prepare, prepare to fail!

If you would like to receive any further information upon the GDPR and how to become compliant, please contact the team at Security in Shredding.

Data Protection Commissioner opens new Dublin Office

With the introduction of the New General Data Protection Regulation (GDPR) due to come into effect in May of 2018, the news of the Data Protection Commissioner’s Office (DPCO) expansion is a great development for Ireland and Irish Companies.

The expansion has been made possible through additional funding secured in the 2017 budget. With significant fines and penalty increases for non-compliance with The GDPR, making sure your Organisation is in compliance is essential.

Guidance to achieve compliance

To date, The DPCO has released guidance documents to help all individuals and Organisations to become aware of the legislative requirements. From record management, data access requests through to certified paper shredding, all Organisations will be required to review their practices.

With the significant number of Global Technology Organisations with operations in Ireland, coupled with Indigenous Irish Companies, the role and workload of the DPCO has grown to a Worldwide level.

The GDPR is a game changer in Ireland and across Europe. “It is a law that is going to lead the standard for data protection globally,” said Dixon at the opening of The DPCO in Fitzwilliam Square, Dublin. She added, “It will include key new rights to better control for users of their personal data, and imposes corresponding obligations on organisations that collect data.” This includes both digital data processed and stored upon data carriers and physical data printed and stored in paper format. It is advised that end-of-life data, in both paper and digital format, be disposed of appropriately through a confidential shredding company.

Data Protection Officer appointment


One of the many new requirements under the GDPR is to appoint a Data Protection Officer. This requirement is for specific Organisations whose core business activities will consist of:

  • Data Processing activities
  • Large scale processing of the categories of data relating to criminal convictions
  • Public Bodies & Authorities (excluding courts relating to their judicial capacity)

The Data Protection Officer is required to have a full knowledge of the risks associated with their Organisation’s processing activities. The GDPR has clearly identified the Data Protection Officer’s role as an independent one. They cannot be instructed upon the relevance of the DPO responsibilities or a matter relating to Data Protection.

Data Protection Officer Independence & Knowledge

Staff training upon Data Protection will be the responsibility of the Data Protection Officer, in addition to providing expert advice upon data protection impact assessments. The newly appointed Data Protection Officer can also take on additional tasks if required to do so, provided that there is no conflict of interest with GDPR compliance while completing the tasks.

For further information upon the GDPR and/or any Data Protection guidance please contact the team here at Security in Shredding.

Do Irish Companies need a Data Protection Officer? – Companies Ireland


Companies in Ireland – the General Data Protection Regulation (GDPR).

Within the EU GDPR there is a mandate for certain companies including specific Companies operating in Ireland that a Data Protection Officer is appointed within their business.

This Data Protection Officer will be the “go to” person within Irish companies and will manage the responsibility for Data Protection Compliance.

Responsibilities for the Data Protection Officer include but are not limited to:

  • Monitoring the company’s compliance with The Data Protection Law, managing training of staff for data protection and carrying out audits within the Organisation.
  • Providing advice to the Organisation relating to their obligations under the GDPR
  • Acting as the main contact point within the Organisation for the local Data Protection Authority (The Data Protection Commissioner)

Not all Irish companies will be required to have an appointed DPO.

In the circumstances listed below, companies in Ireland will be required to have a DPO:

  • Public Authorities processing public data (except for courts in their judicial capacity)
  • The Company in Ireland has a core activity which involves data processing operations and “require regular monitoring of data subjects on a large scale”.
  • The core activities of the organisation involve the processing of sensitive personal data on a large scale.

The specific size of the above listed processing activity is not detailed within the GDPR. There is no identifiable cut-off point, but Irish Companies would be advised to err on the side of caution rather than face the extreme financial sanctions for breaking the Law.


Under Article 58 of the GDPR, in Ireland, the Office of The Data Protection Commissioner will be able to fine Irish companies who are found guilty of a data breach. Article 58 does not differentiate between an accidental breach and a deliberate breach. Fines for a data breach have been increased to a maximum of 20 million Euro or 4% of their global turnover, whichever is the larger.

If there was ever an appropriate time for Irish Companies to review all of their data processing activities and identify to whom they are releasing data, both digital data and paper data, it is now, before the fines are in place and enforced.

Within the GDPR, a single DPO can represent multiple organisations and does not have to be a member of staff belonging to the specific Company. Therefore, several organisations can collectively appoint one DPO to represent their combined interests.

Currently it is clear to see through research conducted that the expected compliance is not matched by the level of knowledge and awareness within the market. An underestimated figure of 28,000 Data Protection Officers will need to be appointed throughout Europe before the GDPR becomes law.

For more information upon compliance with the GDPR please contact the Security in Shredding team for assistance.


Five tips for Data Protection Compliance


With the introduction of The General Data Protection Regulation this year it is essential for Organisations to know that they are complying with the legislation. The first step in compliance is awareness and this article will give a brief overview of some tips to take into account to protect your Organisation. From data consent to third party data processing such as a confidential paper shredding service, I aim to guide you in the right direction.

A. Consent

Always obtain the data subject’s consent prior to holding or using their personal data. All forms, both physical and web-based, which are designed to gather personal information should contain a statement detailing what the information is to be used for.

B. Sensitive data

When dealing with sensitive personal data (race, political opinion, mental health etc.), additional measures should be in place to ensure the security of the data. When this data has reached its end of life, always securely destroy the data through a paper shredding service.


C. Individual rights

Be aware of individuals’ rights when dealing with information held about them. When preparing reports, always be aware that individuals have the right to see all personal data held about them, which also includes emails and informal notes that have not gone through the document shredding service you have in place.

D. Review files

Data should only be retained when and where absolutely necessary. Securely dispose of the data once it is no longer required through an onsite paper shredding service and/or an offsite shredding service with a data processing firm under contract. Establish and record regular reviews of the data in your control.

E. Secure disposal of records

When discarding waste data in paper format it is imperative to treat it confidentially. Never discard end-of-life data with conventional recycling streams. Before it is destroyed, waste paper data is not the same as general sorted office waste (SOW), due to the fines and penalties attached to a breach. Always hire a professional paper shredding company to securely shred all documents and receive a certificate of data processing. The same applies to waste electronic data carriers such as hard-drives; always securely destroy them through a hard drive shredding service.

For any advice upon data protection and making your Organisation compliant please do not hesitate to contact one of our team through our website www.securityinshredding.com.
