How to destroy data the GDPR way

Written by  Ryan Moore - Guest Contributor May 07, 2019

Businesses now collect and store massive quantities of data. This information currently resides on local PCs and servers, mobile devices and, more commonly these days, in the cloud.

However, given that storage trends are continually evolving, there has never been a more important time to have a secure and reliable way to not only locate what data you hold but to also destroy it when needed. This is not just a matter of business security - enough alone to justify a robust strategy - as the regulatory reform brought with GDPR means data subjects now have a right to have their data deleted from a company's systems upon formal request.

This is particularly important today as the falling cost of mass storage has led many businesses to simply keep vast quantities of their information instead of operating a disposal strategy. In fact, Gartner predicts that these data volumes will grow by as much as 800% by 2022.



However, expanding storage capacity isn't a solution to effective data management. At some point, data will have to be erased and destroyed.

Enza Iannopollo, Forrester senior analyst of security and risk, explains to IT Security Centre UK that just because technology facilitates the storage of vast quantities of data, it doesn't mean it's OK to do so.

"We recommend all firms that engage in digital transformation or that are planning to leverage AI or machine learning, in particular, to make clear to their teams and third parties when it's fair and lawful to hold on to data and when it's not," says Iannopollo. "They should also provide viable mechanisms or guidance on how data must be deleted, and a way must exist to make sure that internal teams, as well as third parties, actually comply with these requirements."

Consumers can now take more control of their personal data, and this includes how and by whom this information is collected and stored. Having a clearly defined system of data erasure, no matter where the data resides, is now a critical component of every business.

The matter of encryption

According to research carried out by Probrand, 70% of businesses do not have an official process or protocol for disposing of obsolete IT equipment.


What's more, 66% of workers admit they wouldn't even know whom to approach in their company to correctly dispose of old or unusable equipment.

Mike Wonham, senior research director at Gartner, tells IT Security Centre UK that the problem isn't just that sensitive data is being left on discarded hardware, but that there is often little to no encryption on those devices.

"The real question is about unprotected sensitive data. If the data is properly encrypted using a trusted encryption system, then, to a large degree, the existence of sensitive data is of low risk as the destruction of the password or key renders the data unusable."

"The problem is that this doesn't happen as much as it should, and the BYOD (bring your own device) culture will cause further issues as organisations may have to work harder to control data on those devices," he adds. "As with many security issues, an ounce of prevention is worth a pound of cure - strong policies on mobile device usage, along with technical controls such as CASB (Cloud Access Security Broker) and MDM (Mobile Device Management) to enforce and limit use and protect data, should be used to reduce the risk."



As data continues to proliferate, businesses need a detailed policy that defines how data is destroyed and, just as crucially, how it is managed if it's going to be retained.

"The retention policy is the other side of a destruction policy and determines for the organisation, which data should be kept for what purpose, and for how long. Armed with this information, the organisation can then decide how data of different sensitivities or retention requirements can be used - including where it can be stored, who can access it, and how it may be moved. This level of control will reduce the number of different scenarios which need to be covered by formal data destruction."

Wonham suggests sensible data destruction policies will then determine the "minimum acceptable means" by which data is destroyed, whether that's physical data or electronic data. What's considered "acceptable means" will vary depending on the scenario. These could include throwing away a password key for an encrypted device or the physical destruction of a device or storage medium. It's important to note that regulators will require evidence of this destruction, whether it's done in-house or by a third party.
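The key-destruction approach and the evidence requirement described above, sketched as an added example (it is not from the article or from any product it mentions). `SubjectVault`, the evidence fields and the sample subjects are hypothetical, and the HMAC-based keystream is a standard-library stand-in for a real cipher such as AES-GCM.

```python
import hashlib, hmac, secrets
from datetime import datetime, timezone

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (HMAC-SHA256 keystream) so this runs on the standard
    # library alone; real deployments would use AES-GCM via a KMS or HSM.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

class SubjectVault:
    """Hypothetical store: one key per data subject, kept apart from the data."""

    def __init__(self):
        self.keys = {}    # subject_id -> key (assumed to live in a KMS/HSM)
        self.blobs = []   # (subject_id, nonce, ciphertext); copies may sit in backups

    def store(self, subject_id: str, plaintext: bytes) -> None:
        key = self.keys.setdefault(subject_id, secrets.token_bytes(32))
        nonce = secrets.token_bytes(16)
        self.blobs.append((subject_id, nonce, _xor_stream(key, nonce, plaintext)))

    def read(self, subject_id: str) -> list:
        key = self.keys[subject_id]   # KeyError once the key has been destroyed
        return [_xor_stream(key, n, c) for s, n, c in self.blobs if s == subject_id]

    def erase(self, subject_id: str, requested_by: str) -> dict:
        """Destroy the subject's key and return a record for the audit trail."""
        del self.keys[subject_id]
        digests = [hashlib.sha256(c).hexdigest() for s, _, c in self.blobs if s == subject_id]
        return {
            "subject_id": subject_id,
            "method": "cryptographic erasure (key destroyed)",
            "ciphertext_sha256": digests,   # ties the evidence to the orphaned blobs
            "requested_by": requested_by,
            "destroyed_at": datetime.now(timezone.utc).isoformat(),
        }

def demo() -> dict:
    vault = SubjectVault()
    vault.store("subject-001", b"name=Jane Example;email=jane@example.test")  # constructed
    vault.store("subject-002", b"name=John Example")                          # constructed
    assert vault.read("subject-001")[0].startswith(b"name=Jane")
    return {"vault": vault, "evidence": vault.erase("subject-001", "DSAR-PLACEHOLDER")}
```

The ciphertext for the erased subject can remain on disk or in backups; without the key it is unreadable, and the returned record is what would be retained as evidence of destruction.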

"Destruction policies can be, in essence, quite simple," explains Wonham. "More complex is the implementation, as even reasonably small companies will need to track all forms of storage media used by the company in order to destroy data in line with privacy legislation, subject access requests or other retention policy requirements.

"Again, controlling the dispersal of data during its lifecycle will provide more confidence that these requirements are met."

Maintaining value under GDPR

Perhaps among the most important tenets of GDPR are the rights to subject access and subject consent. Data subjects have never had as much control over how their information is processed and stored, and these rights require comprehensive data management strategies to both track and destroy data with confidence when required.

"Organisations need to pay more attention to the data management issues which are driven by external compliance such as GDPR," Wonham explains. "They should look at the lifecycle of the data to determine where they should or should not be used, and how processes can intervene to ensure compliance."

However, Wonham suggests this does not need to be done at the expense of value, unless such value was traditionally obtained in contravention of lax data regulations. "Instead, good data management reduces data proliferation and duplication, and can go some way to reducing cost and friction within the data lifecycle, and not just reducing the risk of non-compliance."



The future of data destruction

It's this regulatory pressure that will drive security and IT teams to ensure they have better control over data regardless of the device and format that it's stored on. The best way to ensure that control, for both protection and destruction, is to use encryption in its various forms; however, businesses should be looking to adopt a wide range of complementary policies.

"Gartner looks to tools like MDM, CASB, DLP (Data Loss Prevention), and digital rights management, as being a portfolio of methods by which clients can achieve better compliance in a diverse set of endpoint and other storage systems," explains Wonham.

"However, companies need to get a good handle on the what, where, how, who and why of data management first, otherwise the tools will offer much less value. Organisations that take a primarily tool-based approach to compliance with privacy regulations, or even the protection of intellectual property, will struggle to get effective control over data, its use and its protection."

Taking control of destruction

There are a variety of techniques that can be used to erase data. Specialist companies can offer degaussing services, where a powerful magnet is used to erase the data from a drive. It's also possible to scrub a device using software.

It's vital to match the type of data destruction your business needs to carry out with the needs of the data owner. To help inform this decision, the International Data Sanitization Consortium has a handy infographic that defines the options available.



