Document Destruction in Banks: Three Recommendations for Secure and Efficient Processes

Banks still work with a large number of paper documents. The customer data involved is almost always personal. For data protection reasons, these documents must not simply be thrown away when they are no longer needed. Otherwise, heavy fines may be imposed. This puts banks in a dilemma: how to handle data waste in a time- and cost-efficient way without compromising security.

These three recommendations help optimize the processes related to document destruction:

1. Do not outsource the bank’s document destruction to a service provider

2. Select document shredders with the appropriate security level for the bank

3. Equip the bank with a sufficient number of shredders
 


1. Do not outsource the bank’s document destruction to a service provider

Many banks outsource the destruction of sensitive documents to service providers for supposed cost and efficiency reasons, once the statutory retention periods have expired or the data is no longer needed for other reasons. However, in the event of a data protection breach, the bank remains liable under the GDPR even if the disposal is carried out externally. This applies even when the fault clearly lies with the service provider. The risk of such a breach also increases with every additional step these sensitive documents go through before disposal. Furthermore, the effort involved in document destruction cannot simply be fully outsourced. For example, under the GDPR, the bank is obliged to regularly check whether the service provider complies with the contract. External disposal also causes recurring costs that are often underestimated. Therefore, it is not only safer but usually also more efficient and cost-effective for banks to destroy documents in-house and invest in suitable shredders.

2. Select document shredders with the appropriate security level for the bank

When purchasing document shredders for banks, make sure they comply with at least security level P-5 according to ISO/IEC 21964 (DIN 66399). This is the only way to ensure that even highly sensitive documents are destroyed in compliance with GDPR.

When selecting suitable devices, the expected volume of data that needs to be regularly disposed of in the bank should also be taken into account, and models with appropriate performance should be chosen. Equipment is another important criterion: Many shredders can now destroy not only paper but also other media, such as electronic data carriers, in compliance with data protection regulations. Suitable devices ensure efficient document destruction processes because they cover all necessary functions.


3. Equip the bank with a sufficient number of document shredders

If documents that are no longer needed are stored in the bank for a long time or moved from one department to another, the risk increases that they may be viewed by unauthorized persons, intentionally or by mistake, or disposed of incorrectly, with all the resulting data protection consequences.

Banks should therefore optimize their processes so that as few people as possible have access to such data. It is recommended to provide one document shredder per office in the back office, or at least one on each floor. This way, documents that are no longer needed can be destroyed immediately in compliance with GDPR. This makes internal document destruction processes safer, reduces coordination efforts, and ultimately requires less storage space.