Paper Security Policy Advice

This advice is aimed at any organisation that is currently drafting improved security policies for paper-based data and is looking to maximise employee compliance.

Why is paper security important to GDPR and IT security?

While electronic data security is rightly a priority for the majority of organisations, many fail to adequately address the security of paper-based data. Paper documents invariably carry personal, sensitive and confidential data, all of which fall under the GDPR. Paper documents, much like laptops and mobile devices, are a weak link and are the cause of numerous security breaches or ICO investigations.

In fact, two thirds of offices admit to not shredding confidential information.[1] This puts organisations at risk of non-compliance with GDPR, as well as putting data subjects at risk of fraud and identity theft.

With this in mind, Rexel, a leading shredding machine brand, encourages organisations to review their security policies and practices relating to both paper-based and electronic data.

While digital threats are high on an organisation’s agenda, it would be a mistake to assume that paper-based security risks are irrelevant.

5 tips for organisations drafting their paper security policies to comply with the General Data Protection Regulation

First, activate the first 3 steps of our 6-point GDPR plan:

  1. Appoint a data protection officer
  2. Assess your systems
  3. Develop a strategy

Now you're ready for steps 4 and 5: implement a new organisation policy and tackle employee engagement.

GDPR Compliant Paper Security Policy

This is our 6-point GDPR plan for creating a compliant paper security policy:

  1. Appoint a data protection officer
  2. Assess your systems
  3. Develop a strategy
  4. Implement a new organisation policy
  5. Tackle employee engagement
  6. Review & Improve

1. Educate

Your employees are most likely able to print any document they find on your IT system or generate themselves. Constraining printing is often impractical and will damage productivity. Instead, educate your employees about which types of data constitute a risk, how they should be stored and when they should be destroyed.

Our awareness posters prompt thought and, while employees wait for their printing, educate them as to which types of documents should be destroyed. Alternatively, they can be shared with staff as part of an educational programme or be used to inform your own training programme with examples of different data types which pose a risk.

2. Make it Easy

To maximise employee compliance, make sure your policy doesn’t disrupt existing workflows. Make shredding as easy as pressing play. Position shredders in convenient locations and ensure there are sufficient bins and run time to cope with demand without impacting productivity. Next to printers and photocopiers, or in personal offices, are perfect locations to place a paper shredder. HR, Legal and Finance departments may require dedicated higher security machines too.

Ensure that lever arch files and ring binders are available for staff to create archives or access printed documents regularly.

3. Don't forget handwritten documents

Post-its, desk pads and to-do notes can often contain sensitive or confidential data and, in some cases, passwords. Encouraging a clear desk policy, or the use of personal memo boards in place of traditional post-it notes and/or desk pads, can significantly reduce the risk of paper notes not being destroyed appropriately.

4. Security starts at home

If shredding is not yet part of your organisation’s paper management culture, encouraging staff to shred personal documents at work is a great way to embed a positive behavioural change.

5. Empty laptop bags

Stolen and lost laptops are regularly reported, but consider how many potentially dangerous documents are carried in laptop bags across your workforce. Encourage staff to manage the contents of their workbags on a regular basis. Every good salesman will already keep a tidy bag for customer interactions, but is this true for your whole workforce?

[1] Beyond good intentions: The need to move from intention to action to manage information risk in the mid-market, PwC report in conjunction with Iron Mountain, June 2014.

*Shredders that offer Auto Feed shredding allow stacks of paper to be shredded in one go, rather than being fed manually. An employee would need only 14 seconds as opposed to over 14 minutes to shred 500 sheets with a traditional manual shredder.

Max saving when using an Auto+ 500X compared to a traditional feed shredder at a similar price level. Independent test from Intertek Testing & Certification Ltd, June 2012.