Data protection regulations are clear and have been for some time now. So why are organisations still tripping up? Mark Harper of HSM investigates how a lack of company culture may be affecting their approach to data protection.

Back in May 2018, GDPR came as a culture shock to many. But in reality, it never should have been like that. Despite organisations claiming that sensitive and confidential customer information was being used in the right way, it wasn’t. The benchmark was raised. Many businesses had become too complacent and the blurred lines of what was the right and wrong way of processing sensitive data had suddenly been made a lot clearer.

For some, their methods and ideologies didn’t change much, meaning internal culture towards data protection remained the same. But as new data protection cases continue to make the headlines, it’s clear that outdated methods and cultures simply won’t cut it anymore.

With data security experts continually reminding businesses to move away from a ‘tick box’ mentality, how should organisations force that change? Well, aside from data protection officers, the responsibility falls under directors and upper management. Company culture needs to be driven from the top and developed throughout.

Education plays a huge role in the success of this. Although we can’t expect each individual to understand the ins and outs of data protection, courses and expert guidance is now (and has been for some time) readily available. For example, the key to sensitive data destruction is appropriate levels of security.

Under GDPR, strip-cut shredding levels P-1 and P-2 simply can’t be considered to provide adequate protection for personal data. And while tailored advice on how to remain compliant is available, most organisations should consider a minimum standard of P-4 crosscut or P-5 micro-cut levels of security. By sharing that guidance, both individuals and larger departments can understand the responsibilities of the business, accountability and how to approach their role throughout the process of data destruction.

In addition, business leaders must set aside a budget for robust data destruction methods. Without it, cheaper alternatives are sought, which can bring with them unsightly and highly expensive results. As most security experts agree, for confidential paper documents, the most secure method of destroying data is using an internal shredder at the correct security level. For larger departments, this may mean multiple shredders are needed to ensure each individual can complete their role effectively.

And while the approach to methods may differ depending on factors such as facility size or information processes, there are best practices that can be ingrained into almost any company culture. For example, many security experts promote a ‘shred little and often’ approach to ensure paper documents don’t build up and are subsequently at risk of loss or theft. 

By implementing these small, but positive changes to sensitive data destruction procedures, - that is enthusiastically backed by senior management - an organisation can feel comfortable in knowing that they have done everything they can to apply a positive data protection culture.

As we approach a new era of GDPR, organisations need to truly reflect on whether they themselves must enter a new era of internal data protection culture.

All departments, from top to bottom, should be proactive in deciding whether their sensitive document destruction procedure is appropriate to their real requirements. Only when businesses have a holistic approach to data protection culture can they be sure that they’re tackling document security correctly.