Almost a third of businesses are failing to destroy sensitive data adequately despite the imminent introduction of strict data security legislation, new research suggests.
A survey of small and medium enterprises (SMEs) found that just 60.6 per cent shred either all documents or all documents containing personal or sensitive information. Around 8.2 per cent say they do not use printed documents.
The findings come before the implementation of the General Data Protection Regulation (GDPR) in May, which replaces the Data Protection Act 1998.
In order to adhere to the new legislation, which stipulates that personal data ‘shall not be kept for longer than is necessary’, businesses will be responsible for destroying such information ‘securely’.
The research into SME data protection practices, carried out by secure shredding specialist Russell Richardson, asked 500 SME owners: ‘Do you shred printed documents/data in the workplace?’
The results revealed that 44.2 per cent shred only what they see as personal or sensitive data, while 3.8 per cent destroy documents containing personal data specifically about employees.
Only 16.4 per cent reported shredding all documents in their possession.
Jonathan Richardson, managing director at Russell Richardson, says, ‘We are all aware of online confidentiality; however, in many offices the same diligence isn’t applied to hard copies of documents.
‘Paper-based data poses just as much of a security risk as digital data, but it can be permanently destroyed by means of shredding.’
The failure by 75.4 per cent of respondents to shred all their documents is particularly worrying in light of research showing that more than two-thirds of SMEs are not confident about the meaning of ‘personal data’.
The Close Brothers Business Barometer surveyed more than 900 SME owners and senior management from across the UK and Ireland. It found that only 31 per cent said they were ‘clear’ what personal data means in a business context, with 19 per cent reporting they were not at all clear and 50 per cent answering ‘sort of’.
Currently, the UK’s Information Commissioner’s Office (ICO) can fine up to £500,000 for failure to comply with data laws; however, the new rules under the GDPR allow a company to be fined up to €20 million (£17.5m) or 4 per cent of its annual turnover, whichever is higher.
Even the 7.4 per cent who conceded they choose to recycle documents rather than shred them should take note, as there is no guarantee this process will prevent documents from falling into the wrong hands.
Meanwhile, companies that do shred their documents can feel safe in the knowledge that they are being environmentally friendly, as shredded paper can be recycled without jeopardising company and employee confidentiality.
Jonathan concludes, ‘In light of the imminent GDPR it is imperative that companies take the safe disposal of documents seriously, otherwise the consequences could be extremely detrimental to their business.’