Since the introduction of GDPR in May 2018, you may have heard the term “Chain of Custody” used in the workplace, as well as on the news.
But what does it really mean?
Essentially, a Chain of Custody is the documented trail showing every stage of a record’s lifecycle: who collected it, who has held it, who it has been passed to, what has been done with it, and how and when it was destroyed. Organisations should keep such a trail for every document that contains sensitive or personal information. While it can be an onerous process, it is one of the main ways an organisation demonstrates its GDPR compliance, in particular the accountability principle, which requires you not just to comply but to be able to show that you comply.
The Information Commissioner’s Office (ICO) can call upon an organisation at any time to provide evidence of its Chain of Custody, including details of how data was collected, who controlled it, who it has been shared with, how it has been analysed, and how it has been destroyed. Keeping this information means you can establish, and prove, where your data is stored, how to retrieve the relevant records quickly, and who has accessed them.
The Chain of Custody applies to both physical and electronic data, including personal information about consumers such as email addresses and postcodes. Where consent is your lawful basis for processing, you should also keep a record of the consent given at the time of collection and a statement of how that data will be used.
Many organisations share data with other parties.
An example could be an artist opening their first-ever pop-up gallery. To start building a customer database, they might run a competition on paper entry slips to win a piece of their work. The artist should process the data on these slips in line with GDPR, keep the slips only as long as they are needed, and then securely destroy the paper forms. For maximum security, the artist could use an external provider such as Shred Station and keep the provider’s certificate of destruction with their Chain of Custody records.
Whether data is shared by choice or out of necessity, every external supplier in the chain must be able to prove it is competent and accredited to handle that data. This is often called shared responsibility, but responsibility is not handed over: under GDPR the organisation that decides why and how the data is processed (the controller) remains accountable for it, may only use suppliers (processors) that give sufficient guarantees, and must have a written contract with each of them.
When choosing a supplier to destroy your data, you should seek proof that they are properly accredited.
Here are four main accreditations you should look for:
- ISO 9001 Quality Management incorporating EN 15713, the European standard for the secure destruction of confidential material.
- ISO 14001 Environmental Management, which covers the responsible disposal and recycling of shredded material rather than security.
- BSIA – British Security Industry Association approved member.
- PCI DSS Level 1 Service Provider Compliance, relevant where the supplier handles material containing payment card data.
These accreditations are evidence that a supplier has audited processes for handling your data. Before relying on them, check that each certificate is current and issued by a recognised certification body, that its scope covers the specific service you are buying (for example onsite as well as offsite shredding), and keep a copy with your own Chain of Custody records.
Why is destruction such an important element in the Chain of Custody?
Destruction of data is fundamental for organisations. Without responsible and timely destruction, an organisation puts itself and its clients’ data at risk. Beyond the financial risk of a GDPR penalty notice, data kept for longer than necessary is data that can still be lost, stolen or misused, and every extra copy widens the exposure if something goes wrong.
Clients expect organisations to proactively protect their confidential information, and businesses can lose loyal customers by not doing so. Identity theft and security breaches regularly make headlines, which can be hugely damaging to the reputation of an organisation.
A growing trend amongst fraudsters is ‘bin raiding’, also known as dumpster diving. This is exactly what it says on the tin: data thieves go through bins and take documents, electronic devices, memory sticks and more. Be aware that deleting files, emptying the recycle bin or quick-formatting a drive does not remove the data; it only removes the references to it, and the contents can be recovered with freely available tools. Only a verified overwrite of the whole device, cryptographic erasure, or physical destruction prevents recovery (NIST SP 800-88, Guidelines for Media Sanitization, sets out these options), and for failed or unsupported devices physical destruction is the only reliable choice. Businesses must be sure to store data safely and destroy it safely too.
If you think your organisation could benefit from the added security of outsourcing your data destruction, we can help. Shred Station holds a long list of accreditations. We offer two main shredding services, onsite and offsite. With our onsite service, we destroy data at your premises straight away. This means a shorter Chain of Custody, with fewer hand-offs to record, than our offsite destruction, but both methods are fully secure. We provide a certificate of destruction for your Chain of Custody records, for everything from paper to electronics.