Now that you know that old documents have to be destroyed, let’s take a look together at how to do it.
Document Shredders
Using shredders is a common way of shredding paper documents, and it is usually quick, easy, and economical. The catch is that not every shredder is fit for your business. We do not mean the size of the cuttings basket but the accuracy of the documents being shredded.
As you can guess, the GDPR itself does not impose any requirements on shredders (after all, it is technologically neutral). The situation is different with the “GDPR-fillers” – we mean international norms and standards that are invaluable tips on how to “do” data protection on a daily basis. What comes to our aid in the subject we are interested in today is the technical standard DIN 66399, which says that a shredder that cuts documents containing personal data should represent at least level P-3 (shredding width ≤ 2 mm, shedding area ≤ 320 mm²).
One of the county offices recently discovered its indisputable importance, where documents for disposal were cut into 5-millimeter strips in a shredder. However, this method of document shredding did not guarantee the security of personal data. As for documents with a horizontal orientation, it was possible to reproduce the entire data sequence, whereas, in the case of materials with a vertical orientation, it was possible to put them back together. And because the bags with cuttings were abandoned, there was a breach of personal data protection, which the county office – fulfilling its obligation – reported to the President of the Personal Data Protection Office.
Specialised Companies
What is an equally good solution is to order the shredding of documents to an entity specialising in it. If this solution is chosen, the technical side of the process rests with its responsibility. So, what should you do? Whisper a word to the manager of your department that he/she makes sure the contract he/she concluded for document shredding specifies the level of fragmentation of the medium (DIN 66399, P-3), the rules for processing personal data (entrustment agreement and security survey), and the entire process is documented for you (protocol, recording).
It goes without saying if you have any further questions, do not hesitate to contact us.