Chain of Custody – What Does it Mean and Why is it Crucial for Businesses?

Since the introduction of the EU’s General Data Protection Regulations (GDPR) back in May, you may have heard the term “Chain of Custody” being used in the workplace, as well as on the news.

But what does it really mean?

Chain of custody image

Essentially, a Chain of Custody is the paper trail which proves all stages of a document’s lifespan. This paper trail must be kept for every single document containing sensitive information. While it can be an onerous process, it is used to help organisations prove their compliance of GDPR.

The Information Commissioner’s Office (ICO) can call upon organisations at any time to provide evidence of their Chain of Custody, including details of how the data has been collected, controlled, who the data has been shared with or transferred to, how the data has been analysed, and how it has been disposed of. From this information, you’ll be able to know – and prove – where your data is stored, how to get these records quickly, and who has accessed them.

The Chain of Custody is also applicable to both physical and electronic data, including personal information about consumers such as email addresses, postcodes, etc. A record of the consent given at the time of data collection, and a declaration of how that data will be used must also be kept.

For many organisations, data is shared with other parties.

An example could be an independent artist opening their first ever pop-up gallery, and to attempt to gather enough data to build their customer database, they may launch a competition on paper slips to win a piece of their work. The data on these paper slips will have to be processed and then destroyed. For maximum security, the artist may choose to do this with an external provider such as Shred Station.

Whether the sharing of data is done by choice or as a necessity, all external suppliers involved with a chain of data must have proven accreditations to do so. This is called shared responsibility.

When choosing a supplier to destroy your data, you should seek proof that they are properly accredited. Here are four main accreditations you should look for:

  • ISO 14001
  • ISO 9001 Quality Management incorporating EN15713
  • BSIA – British Security Industry Association approved member
  • And PCI DSS Level 1 Service Provider Compliance

These accreditations are proof that your external suppliers are certifiably responsible to handle your data.

Why is destruction such an important element in the Chain of Custody?

Chain of custody image

Destruction of data is fundamental for organisations, because without responsible and timely destruction, an organisation puts itself and the data of its clients at risk. Not only is there the financial risk of incurring a GDPR penalty notice, there is also a huge risk of that sensitive information falling into the wrong hands.

Clients expect organisations to proactively protect their confidential information, and businesses can lose loyal customers by not doing so. Identity theft and security breaches regularly make headlines, which can be hugely damaging to the reputation of an organisation.

An increasing trend amongst fraudsters is an activity often referred to as ‘bin raiding’. This is exactly what it says on the tin. Data thieves will go through dustbins and recycling bins and steal documents, electronic devices, memory sticks and more. Even if hard drives are wiped, old information can still be retrieved, and this poses a catastrophic risk to any sensitive data that was once stored on these devices. This puts even more pressure on businesses to make sure the data is not only safely stored, but that the Chain of Custody also includes safe destruction.

If you think your organisation could benefit from the added security of outsourcing safe destruction of sensitive data, here at Shred Station, we are fully accredited. We offer two main shredding services, onsite and offsite. Onsite data is destroyed immediately, meaning a smaller Chain of Custody than our offsite destruction, but both methods are completely secure. We are able to offer a proof of destruction certificate for your Chain of Custody records, and this goes for everything from paper to electronics.


Sign up to our newsletter here to be alerted about brand new articles, data protection advice, and news about Shred Station.