In the first part of this two-part series, we talked about the importance of having a solid physical destruction program.
In this part, we’ll discuss how to set up your process from top to bottom and ensure you’re working with a trusted partner. Additionally, we’ll answer some common process questions about how to handle different aspects of the physical destruction process.
What is NAID Certification and Why is it Important?
The National Association for Information Destruction (NAID) AAA Certification is the most important thing to check for when it comes to working with a partner on secure destruction.
This certification “verifies secure data destruction companies’ services’ compliance with all known data protection laws through scheduled and surprise audits by trained, accredited security professionals, fulfilling customers’ regulatory due diligence obligations.”
Any time you’re managing the destruction of information, do your due diligence and ensure that the secure destruction partner you’re working with abides by appropriate security standards.
How to Choose and Vet a Potential Partner for Secure Destruction
Once you’ve narrowed down your list of potential secure destruction partners, ask for a tour of their facility to make sure you’re comfortable with their level of security.
While you’re there, ask yourself if you feel comfortable with how they’re handling the process. It will go a long way for peace of mind when you’re sending confidential information to their facility to be destroyed.
Be sure to ask lots of questions, even if they seem like common sense, such as:
- Is there video surveillance tracking every step of the destruction process throughout the facility?
- Do they keep all footage for 90 days?
- How do they ensure a secure chain of custody?
- Do they keep logs of everyone who comes into the facility?
- What are their contingency plans? Who do they work with if something breaks?
For more questions you should ask your information management partner, check out our guide From Vendor to Partner.
Managing the Physical Destruction Process
Shredding Everything vs Selective Shredding
Is it better to just shred everything or have employees sort through documents to determine what needs to be shredded and what doesn’t? The key is to keep the process as simple as possible. Protecting confidentiality is the most important thing here, so using a “shred everything” policy will ensure you are protecting your organization from broken confidentiality, lawsuits, and breaches of confidence.
On-Site vs Offsite
On-site destruction does have the advantage of peace of mind. However, “If you’re not required to witness the destruction,” notes Andrew Garner, VP of Shredding at Access, “there is no sense in having things destroyed on-site.”
On-site shredding services often present logistical issues. Mobile shredding vehicles are large and loud and need to stay in a loading dock for at least half an hour. The other issue is cost. “On-site shredding will always be more expensive,” Garner says.
There’s also the matter of working with a single partner for your information management needs. If you’re working with the same partner for both secure destruction and off-site storage, it makes little sense to have the added expense of on-site shredding. The vendor can simply destroy records and information that have reached the destruction date at the same facility they were being stored in.
Scheduled vs On-Demand Service
Routine service has many advantages.
For one thing, on-demand service is usually more expensive because it is less efficient and carries higher fuel and labor costs. It can be challenging for a vendor to promise next-day service, which leads to frustration.
Likewise, it says a lot to auditors when you can say “our secure destruction vendor comes every two weeks” as opposed to “they come whenever.”
The goal for both the client and the secure destruction partner is to always be picking up full bins. This can be achieved by working with your partner on creating an effective schedule and having the appropriate number of containers for your facility’s needs.
Overhauling the physical destruction portion of your information management program can mitigate risk and protect you from costly lawsuits.
However, by itself, it isn’t the solution to protecting and managing information efficiently. That requires an integrated information management program that covers the entire lifecycle. Learn how you can get started building a comprehensive program today.