The Danish data protection authority (‘Datatilsynet’) announced, on 20th August 2020, that it had itself suffered a personal data breach. The breach was discovered in its paper waste, which contained confidential and sensitive information about citizens and employees. Shredding is the required method of disposal, but this waste had been disposed of in the same way as ordinary paper waste.
The Datatilsynet said that the breach report was made using the correct method. This method requires the organisation to file the breach notification within 72 hours of becoming aware of the breach. However, the notification took place almost 24 hours later than this. The employee received a reprimand.
It is very clear that many businesses don’t consider paper records to be data. This comes from the common myth that GDPR is an IT problem and only refers to electronic data. However, the fine issued to Doorstep Dispensaree Limited earlier this year for failure to secure paper records tells us that this is not the case.
Consequently, businesses must adopt a policy for the destruction of their data and a process for managing the destruction. Tie this process into a CRM or diary management system. Accountability is the seventh principle of the Data Protection Act 2018. Do you have checks in place to ensure data is destroyed correctly and in line with your company policy?
If you need help with your data retention and deletion policies, or perhaps you need help designing a set of procedures, please call us today on 03333 22 1011 or contact us here.