Chain of custody - what does it mean and why is it crucial for businesses?

Ever since GDPR came into effect in the UK, you may have heard the term “chain of custody” being used in the workplace, as well as on the news. But what does it really mean?

Essentially, a chain of custody is the audit trail that proves every stage of a document’s lifespan. Organisations should keep a trail for every document that contains sensitive information. While it can be an onerous process, it does help organisations prove their GDPR compliance.

The Information Commissioner’s Office (ICO) can call upon organisations at any time to provide evidence of their chain of custody, including details about data collection, control, who the data has been shared with, how the data has been analysed, and how it has been destroyed. From this information, you’ll be able to know – and prove – where your data is stored, how to get these records quickly, and who has been able to access them.

The chain of custody is also applicable to both physical and electronic data, including personal information about consumers such as full names, email addresses, and home addresses. You should also keep a record of the consent given at the time of data collection, and a declaration of how that data will be used.

Many organisations share data with other parties.

For example, an artist is opening their first-ever pop-up gallery.

To gather data and build their customer database, they may launch a competition, entered on paper slips, to win a piece of their work. In this situation, the artist should process the data on these slips in line with GDPR, then safely destroy the paper forms. For secure and professional destruction, the artist could use an external provider such as Shred Station.

Whether data is shared by choice or out of necessity, all external suppliers involved in the chain must have proven accreditations for the work they do. This is called shared responsibility. When choosing a supplier to destroy your data, you should seek proof that they are properly accredited.

Some accreditations and memberships you should look for:

  • ISO 9001 Quality Management

  • ISO 14001 Environmental Management

  • BSIA – British Security Industry Association approved member

  • UKSSA – United Kingdom Security Shredding Association approved member

  • PCI DSS Level 1 Service Provider compliance

These accreditations are proof that your external suppliers are certifiably responsible for handling the destruction of your data, and have adequate management systems in place to keep that data safe.

Why is destruction such an important element in the chain of custody?

Destruction of data is fundamental for organisations. Without responsible and timely destruction, an organisation puts itself and the information of its clients at risk. Not only is there the financial risk of incurring a GDPR penalty notice, but there is also a huge risk of sensitive information falling into the wrong hands.

Clients expect organisations to proactively protect their confidential information, and businesses can lose loyal customers by not doing so. Identity theft and security breaches regularly make headlines, which can be hugely damaging to the reputation of an organisation.

A growing trend amongst fraudsters is the act of ‘bin raiding’. This is exactly what it says on the tin. Data thieves will go through bins and steal documents, electronic devices, memory sticks and more. Fraudsters can retrieve information from hard drives even after the data has been wiped. This poses a catastrophic risk to any sensitive data that was once stored on these devices. Businesses must be sure to store information safely while it's still in use, and destroy it safely, too.

If you think your organisation could benefit from the added security of outsourcing your data destruction, we can help. Shred Station has a long list of accreditations. We offer two main shredding service variations, on-site and off-site. With our on-site service, we destroy data straight away. This means a shorter chain of custody than our off-site destruction, but both methods are fully secure. We will provide a Certificate of Destruction for your chain of custody records. This goes for everything from paper to electronics.

If you'd like to know more, please feel free to give our team a call or submit an enquiry form today.