Destruction of printed confidential data
Hi, I'm trying to validate internal guidance I have been provided that says that in order to comply with ISO 27001 we cannot use our own shredders to dispose of our own media but MUST use an outside company to do this? We currently have our own locked shredders and have appointed personnel to dispose of the shredded media via recycling.
ISO 27001 and GDPR give no unique solution on how to dispose of your printed documents. ISO 27001 requires classifying documentation and you can implement different procedures depending on the information incorporated in the printed document. Is there any confidential information? Are you dealing with a particular kind of personal data under Article 9 GDPR? Do the printed documents contain no personal information or anonymized information? The solution can be different.
Any disposal should comply with your data retention policy and data protection policy in order to avoid accidental destruction of documentation, which is considered a data breach because of its impact on the integrity of data. If you decide to appoint an outside company, you need to check their compliance with GDPR requirements and other quality standards such as ISO 27001 and the recycling process. Under GDPR you should make a data processing agreement with your supplier because the outside company will process (through destruction) data on your behalf.
Here you can find some useful information on printed documentation under ISO 27001:
- Why is ISO 27001 applicable also for paper-based information? https://advisera.com/27001academy/blog/2019/01/21/why-is-iso-27001-applicable-also-for-paper-based-information/
- Secure equipment and media disposal according to ISO 27001: https://advisera.com/27001academy/blog/2015/12/07/secure-equipmentand-media-disposal-according-to-iso-27001/
- 5 practical tips for media disposal according to ISO 27001: https://advisera.com/27001academy/blog/2018/10/22/5-practical-tips-for-media-disposal-according-to-iso-27001/
Our template of Supplier Data Processing Agreement may be of help: https://advisera.com/eugdpracademy/documentation/supplier-data-processing-agreement/
You can also consider enrolling in this free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
If you need more information, you can also consider enrolling in this free online training ISO 27001 Foundations Course: https://advisera.com/training/iso-27001-foundations-course/
May 08, 2020