The General Data Protection Regulation (GDPR) will apply from 25 May 2018, when it supersedes the UK Data Protection Act 1998 and many companies have already adapted their data protection and business continuity plans to meet these new rules in order to avoid potentially huge fines for non-compliance. For most companies, these fines of up to 4% of global turnover would cause significant commercial and reputational damage, meaning every aspect of the GDPR has to be checked and where necessary to be changed to meet the new regulations
One of the main elements of this new regulation, which will apply from May 2018, is to ensure that personal data protection is accomplished. In the new GDPR, the “right to be forgotten” is even more enforced, which means that companies now must – if there are no other legal interests by the firm – securely delete the personal data of the so-called “data subject.”
There are additional national or international laws which require companies to make sure that personal data or sensitive data concerning partners, business, financial, tax or security matters do not get into the hands of non-authorized individuals. Most of the laws which deal with these matters have strict deadlines regarding what period of time data can – and must be – securely deleted.
Because of these laws, a robust data management process plan must cover not only the storage of data within its lifecycle, but must also cover the end of lifecycle – the secure deletion or destruction of the data. This confronts companies with a serious (and costly) question: Should the data destruction be done in-house or off-premises?
Whilst using an external service provider to erase data and/or physically destroy the storage mediums for the company off-premises may seem commercially it brings with it inherent risk and, in many cases it is far from being the right solution.
In most cases securely erasing or destroying data in house or on-premises is the better, or the only, solution. The reasons for this decision can result both out of security reasons as well as out of legal obligations.
These are the most common reasons against using off-premises/ external data erasure:
- Several national laws require companies to leave their data on-premises. Personal data is never to be made public to anyone and most federal organizations in most western countries are forbidden by law to make personal data available to someone outside the department or a specific project. Highly sensitive sectors like energy or finance, have strict laws which protect against criminal, digital or terrorist attacks on sensitive county infrastructures.
- Companies are afraid that crucial or business sensitive information that is handed over to a specialized data erasure or destruction service provider will get leaked. There have been incidents where this has actually happened when HDDs were not erased properly. And to make things worse, they were sold on an e-commerce platform by a “data destruction specialist.”
- Firms don’t want to rely on an external data erasure service provider because they can never be certain that the data was not copied and given to a third party beforehand.
- Companies are afraid that if data is lost or stolen before being securely erased, they can only file a law suit against the service provider. Regardless of the outcome, the company faces not only entrepreneurial damage, but also significant reputational loss
- IT Managers and Data Controllers need to ensure that the data is destroyed correctly and certified appropriately and with “witnessed destruction” now forming part of many companies end of lifecycle management process they could consider trying to do it themselves.
But there is a pitfall when erasing data and information on-site: As with every IT process, there is a lot of work to be done before data is gone for good. Maintaining the IT infrastructure, acquiring the erasure software and erasure management software, managing the erasure reports, keeping track of software and hardware updates, etc. And all of that requires time that is most likely needed on other projects.
In many cases it’s much more time efficient and cost-effective to bring a specialized data erasure / data destruction service provider to carry out that work. For example, Euro as a National Cyber Security Centre (NCSC) Accredited Service Provider sends in highly qualified and trained & Security Cleared personnel using approved tools and software, following strict method statements, processes and procedures to audit, securely erase or physically shred unnecessary data from any storage medium available on the market. Whether it’s to delete data from a LUN on a highly complex storage system or erasing data from Hard Disks out of a RAID array or shredding Solid State Drives or other forms of removable Media at 6mm particles as recommended guidance by NCSC.