One of our top frequently asked questions is: Do Your Shredders Cut To A Size That Is GDPR Compliant? The answer is of course YES, but the new General Data Protection Regulation (GDPR) that came into effect on 25th May 2018 does not actually specify the shred size required in order to be compliant. Data laws only require data controllers to take all technical and practicable measures to ensure their data is not compromised.
Whilst the law does not specify a shred size for GDPR compliance, regulatory bodies may set standards for their members regarding the secure destruction of sensitive materials. Those standards are likely to define the required shred size outcome. There are two principle scales which regulatory bodies refer to when determining or assessing the shred size. These are shredding standards EN15713 and DIN 66399. A standard shred size of max 2000 mm sq. EN15713 security level 4 (DIN P-1) is suitable for most commercially sensitive paper work and EN15713 level 6 (DIN P-4) for documents with top secret classification.
Strip cut shredding or “standard shredding” is the most commonly used shredding technique and strip cuts paper to approx. 2000mm sq. which would equate to about 50 million shredded fragments per truck load. For more sensitive items secure destruction of documents using “cross-cut shredding” would be more suitable. Cross-cut shredding or high security shredding shreds paper to 6-10mm sq. which would equate to about 750 million shredded fragments per truck load.
With no legally defined shred size and in the absence of any regulatory requirements governing shred size, individual organisations are responsible for specifying the appropriate shred size to ensure compliance with GDPR. The required shred size outcome will be within the scale EN15713 level 1 – 7 and the level selected should be sufficient to reduce the risk of a data breach.
Data controllers should be aware that the smaller the shred the more secure the destruction (for more details on why shred size matter – click here). Topwood have seen an increase in requests for high security shredding and on-site shredding. Cross cut shredding is the safest option as it reduces the risk of a data breach. The critical point for data controllers when considering data security is that shred size is not the only factor in determining a safe destruction process. It is important to note that shred size is just one factor in the mix that ensures a secure chain of custody.
Data controllers are required to consider all the factors that make for a more secure destruction process – such considerations are:
- Use a professional shredding firm (accredited to IS0 27001)
- Shred on-site and witness the destruction before is leaves your workplace
- Ensure the staff that are handling your sensitive information are security vetted to BS7858
- Is the material securely contained prior to final destruction
- Where is the final point of disposal
If you would like to find out more about our GDPR compliant shredding services, please don’t hesitate to get in contact via our online chat, email or call us on 01948 770 152.