Andy McNish – partner in the Commercial team at Davis Blank Furniss – on the hot topic of Data Destruction & what SMEs need to be aware of…

For most businesses, data is king, but many organisations are unaware of the ramifications if it’s not handled and destroyed properly. Action by the Information Commissioner often relates to the improper destruction of data, so getting it wrong can have serious consequences for your business. Not only can directors and senior managers be held criminally liable, but the Information Commissioner also has wide powers to issue large fines or to order your business to cease processing personal data, which includes information about customers, suppliers and employees. However, there are some straightforward tips to follow which stop any issues arising:

  • While your business needs the data, ensure access to it is controlled. Basics such as password-protected systems, logging access to systems and limiting what can be downloaded onto disks or laptops can all help, whilst hardcopy data should be stored securely
  • Have an action plan in place for how to react to any security breaches and ensure that such breaches are dealt with swiftly
  • Ensure that you have a clear data protection policy in place that sets out who is responsible for ensuring that data is destroyed when its retention is no longer necessary. This helps to ensure that data isn’t missed by falling between the responsibilities of two people. Responsibility for data destruction should only be given to members of staff with a suitable level of authority
  • Make sure that the policy is followed as there is little point in having one if it’s ignored
  • Where hardcopy information is archived, each file of information should have a destruction date attached to it – this will help make sure that information is only kept for as long as it is needed. As well as being important in data protection legislation, this can also help reduce storage costs and will minimise costs involved in disclosure if your business is involved in litigation at any point
  • Paper documents should be shredded with a cross-cut shredder or incinerated. This can either be done in-house or outsourced, but if you are outsourcing data destruction make sure that you are using a British Security Industry Association accredited service provider (a list can be found at ). You should also have a written contract with your destruction provider which specifies data protection and security standards
  • Make sure destruction policies are applied to electronic information too, including emails as these are easily forgotten
  • When no longer used, computer hard drives and portable media must be properly wiped or destroyed
  • If you have staff who work from home, make sure they are properly trained in how to dispose of data securely
  • Don’t destroy data relevant to ongoing or anticipated litigation as this may damage your case
