Shred America | Shredding Industry Knowledge

The Four Compliance Profiles of Shredding Services (and which to avoid)

When a client hires a service like Shred America to destroy old documents and hard drives, that client is fulfilling their legal and regulatory obligation to protect sensitive information. 

Because of these regulatory implications (and because clients are held responsible for the compliance of their shredding service), this blog categorizes the 4 typical compliance strategies prevalent in the secure shredding industry and recommends how clients should respond.
_________

In backwards order, from riskiest to the safest, they are:

Category 4: (Highest risk) No compliance strategy whatsoever.
Category 3: (Risky) Feigns regulatory compliance without verification.
Category 2: (Safe) Aware of their regulatory standing, and clearly demonstrate their compliance.
Category 1: (Safest) Possesses superior regulatory acumen and serves as an authoritative regulatory compliance resource for their clients.

(If you guessed that Shred America is in Category 1, you’re right. Reading this will explain what that means for our clients.)
__________

Category 4 (Highest risk): No compliance strategy whatsoever.

These secure shredding firms are clueless about their regulatory standing and obligations as Data Processors. In fact, when pointedly asked if they are data processors, Category 4 service providers either have no idea or argue that they are not. Remember, any service provider that has access to personal information is technically a Data Processor, and it is their clients’ responsibility to make sure they are compliant. Obviously, since they are clueless about their regulatory standing, the only possible course of action is to move on.

Recommendation: If you’re using such a service provider, stop ASAP. You’re not getting what you’re paying for and you’re putting your organization at risk. In the event you have a contract with them, their lack of compliance is more than enough justification to terminate it.
On the other hand, if you’re still looking, you’ve got more work to do. 
 
Category 3 (Risky): Feigns regulatory compliance without offering the necessary proof.

Category 3 secure shredding services have some idea of their regulatory standing, but instead of taking the appropriate steps to address their obligations, their websites and representatives often use misleading or meaningless claims to make it falsely appear as if they are doing everything right. And, because their compliance is usually a pretense, Category 3 service providers are unable to obtain a legitimate third-party certification. Since none of the legitimate certifications are prohibitively expensive, there is no justifiable reason for any secure shredding service not to achieve at least one of them. Of course, falsely claiming such certifications is one of the tricks of these pretenders, so it is always important to verify that such claims are valid.

Recommendation: If you’re using a Category 3 service provider, stop ASAP. Their deceptiveness speaks to a lack of integrity. Terminating a contract based on their deceptive practices will not be a problem. 
Again, if you’re currently looking for a service provider, you’ve got more work to do. 
___

At this point, readers may be wondering how Categories 3 and 4 stay in business. The answer is that, unfortunately, there are still plenty of clients who are unaware of the regulatory obligations and are simply too trusting. If all clients understood their vendor selection due diligence requirements, Categories 3 and 4 would be out of business tomorrow. Caveat Emptor!
____ 

Category 2 (Safe): Aware of their regulatory standing, and clearly demonstrate their compliance. 

The only practical strategy for determining if a secure shredding service meets this threshold is to verify that they hold a legitimate, audited, third-party certification. These include NAID AAA certification for paper shredding and electronic media. ADISA and e-Steward certifications apply to electronic media and R2v3 certification is also acceptable for electronic media, provided the holder has the additional data security component. As mentioned before, certification claims should always be verified. 

Recommendation: If the option to work with a Category 1 secure shredding firm is not available, the selection of a legitimately certified service provider is a safe (legally defensible) choice.

Category 1 (Safest): Possesses superior regulatory acumen and serves as an authoritative compliance resource for their clients.

These companies, Shred America included, represent the rarest compliance profile of all. They currently consist of only a handful of secure shredding services that have engaged a highly qualified data protection and privacy officer (DPO) to oversee their own and their clients’ regulatory compliance. This is vastly different from the typical shredding service that may appoint a compliance manager from among its existing employees with no credentials or other evidence of any regulatory expertise. Companies like Shred America have found that the extent of the DPO’s experience and qualifications is directly related to their ability to maintain their own compliance and to assist the client in maintaining theirs.
