Almost a year on from the introduction of GDPR, the number of home and office shredders sales has risen on a global scale. Yet, even those who are actively participating in new security procedures are still at risk, according to Mark Harper of HSM. With the growing need to protect the security of confidential documents, companies are victim to purchasing shredding solutions that might not actually fit their security needs.
The issue seems to reside with education. In particular, education around the official security standards developed for the destruction of confidential data. Shredding solutions will cut to certain particle sizes, tailoring document security for all types of organisations. However, with seven official levels of security, it’s important for data handlers to understand the needs of the different documents handled in their organisation. This is the only sure way to maintain the security of confidential data.
Since 2012, the processes for shredding data carriers have been regulated by the EU’s DIN standard 66399. These security standards are designed to provide transparency and clarity for data handlers in their efforts to securely dispose of sensitive and confidential data.
Following GDPR, the standards were internationalised in August 2018 and are now governed by the International Organization for Standardization (ISO) - world renowned for developing and publishing international standards.
Home and office shredders are designed to cut the paper into particles that coincide with international security standards. With this in mind, shredding sensitive data at an incorrect or unknown level can nearly be just as detrimental as not shredding at all. Data handlers need to understand two key factors of document security, which security level each area of their organisation needs to be shredding at and what security level their shredders are cutting at.
The seven security levels, outlined by the ISO, are as follows;
P-1 & P-2
Security levels known as P-1 & P-2 are the lowest security levels available, with documents being ‘destroyed’ using strip-cut devices. Strip-cut paper waste is typically large, with many single sheets being cut down to around 20-50 strips only - depending on the width of the cut. This level of shredding is not commonly used outside of the home and does not cover the security that many data handlers need.
The P-3 security level is a lower security cross-cut shred and is mostly used in smaller personal shredders.
P-4 & P-5
Also, cross-cut solutions, both the P-4 & P-5 levels are most suited for use within conventional commercial environments. The use of cross-cut mechanisms enable data handlers to destroy paper documents at a level where reconstruction is near impossible.
Suited to general office shredding, at a P-4 level, shredders are typically capable of producing over 400 pieces per A4 page – a far cry from what is produced at P-1 and P-2.
P-6 & P-7
The highest of all security levels, P-6, and P-7 both destroy documents to a state where reconstruction is impossible via any current method.
Used at government levels and spanning to military forces, police HQs, and security services, these levels of security are used for ‘Top Secret’ documentation. Although P-6 and P-7 levels are seen as the most secure and effective way of destroying confidential documents, they are not commonly needed for anything below the very highest-level confidential documents.
The international security standards have been put in place for good reason. You only have to look into some of the fines issued by the Information Commissioner’s Office to see what happens when they’re not followed correctly.
No longer can we be under the illusion that owning a shredding solution is enough. When it comes to data protection, it’s just as important to understand and implement appropriate security levels as it is using a shredding solution. You must educate your organisation to protect your data.