“Chain of Custody” is a phrase that sounds more appropriate for a crime drama than an office environment. However, with the introduction of the EU’s General Data Protection Regulations (GDPR) in May last year it has become an essential part of operations where data security is concerned. Data destruction, whether physical or digital, is a key part of the process of ensuring Chain of Custody is secure. Every business today is obliged to take steps today to safeguard the chain to ensure that compliance obligations are met.
The GDPR’s Chain of Custody
Chain of Custody is essentially a paper trail for any document that may contain sensitive information. The definition of sensitive information is incredibly wide and so Chain of Custody applies to a broad range of documents, not just those that are confidential. It also applies to both physical and digital data, as well as data that has been shared with third parties. As a result of the requirements of the GDPR, any business could be required – at any time – to provide evidence of a paper trail for data to the Information Commissioner’s Office (ICO), from consent on collection to destruction of documents. The purpose of this requirement is to show how data has been handled i.e. how it is collected, controlled, analysed, stored, shared and disposed of.
Why is the Chain of Custody so important for business?
- The GDPR introduced a new system of fines and penalties that could be applied where proper Chain of Custody can’t be shown
- Reputational damage from a breach of the GDPR could result in client attrition and loss of business. Clients today expect businesses to have extensive data protection measures in place and are wary of businesses that suffer security breaches
- The consequences of sensitive data ending up in the wrong hands could be serious for any enterprise
- ‘Bin raiding’ is a form of theft that is on the rise, involving criminals looking through bins for sensitive data and material that can be used to exploit businesses and individuals. Proper Chain of Custody prevents exposure in this way
The end point of Chain of Custody
Disposal of data is one of the most important stages in Chain of Custody. If this is not properly handled it can undermine all other efforts to ensure compliance with the GDPR, as well as leaving the business vulnerable to practices such as bin raiding. Everything, from avoiding the fines that may be applicable under the GDPR, to reducing the potential for reputational damage from a security breach, can be prevented with the right data disposal procedures in place. For physical data, the best option is to outsource data destruction to a specialist service with the resources to dispose of your data on site. This not only reduces the security risk but helps to ensure GDPR Chain of Custody compliance too.
Adapting to the requirements of GDPR Chain of Custody has been essential for every organisation. If you require specialist support in terms of document disposal we can help – contact us to find out more.