How to prevent EU penalties for not deleting data
Penalties for not complying with EU rules are now more severe. How can companies ensure they secure erasure of data they aren’t allowed to possess anymore?
No room for complacency
Thanks to the new GDPR regulation, everyone from third-party erasure companies to IT staff will be legally obliged to securely erase data when the company is doing business inside or with a company which resides inside on of the EU member states.
Before they can follow guidelines, however, organisations must review their policies and be fully educated on the new law coming into effect. There are currently many independent events and congresses which are being used to educate IT and company leaders about the regulations, so there’s no excuse for ignorance. After education comes the important task of comparing current processes with new regulations and requirements.
Companies must adjust existing policies, processes and tools to meet new requirements, and to work with third-party companies that also know what’s expected from them by the new EU legislation.
How to permanently erase data
There are many erasure options available, and depending on the type of physical device the data is being erased from, it will make sense to choose one method over another:
Hard disk drives (HDD)
There are so many different data storage types and they require different methods for wiping out data. For example, with HDDs, a degausser can be used to permanently erase data. It works by demagnetising HDDs, tapes, or any other magnetic media, thereby wiping data completely.
Companies can also choose eraser software that removes all data from HDDs, including both server and single drives. If eraser software is used, the hard disks can be reused.
Solid State Drives (SSDs)
Erasure on SSDs is a trickier process. Unlike magnetic discs, SSDs store data electrically and apply complex data management schemes to disburse data across the memory. Furthermore, an SSD flash controller contains software modules that are hidden from the view of the operating system and the user. There is also no standard SSD format, which means that erasure procedures for SSDs vary by brand and model.
Traditional erasure methods present different risks to SSDs. For example, degaussing might work for HDDs, but SSDs use integrated circuits to store data and are electrically programmed and erased. A magnetic field will be ineffective at wiping out data. Physically destroying SSDs to wipe out data is also not advisable because skilled IT professionals can still recover data from flash chip fragments.
Unfortunately there is no publicly available single software tool that can securely erase data from every type of SSD or flash media; nor is there any way of knowing if the data has been successfully erased without verification from a third party expert.
If companies wish to remove sensitive data on an SSD and don’t want to use data erasure services, they should at least use software encryption from the first day of deploying the disk. By doing this, companies can then wipe out any remaining data with a cryptographic erase option by simply deleting the encryption key.
Once this procedure is completed, companies can use physical destruction, such as shredding, to permanently destroy the disk. If there are still concerns that the data may remain on the disk, the best option is to contact a data erasure company for a final verification of the erasure procedure. A good data expert will provide unbiased testing to ensure the effectiveness of the data erasure and the required validation to prove it.
Big Data / In-Memory System i.e. SAP HANA
In-memory systems are built using a specialised architecture, which combines traditional hard drives and flash memory as mass storage. This means that erasing a system large enough to withhold Big Data (i.e. after a proof of concept with a SAP HANA installation) is complex due to the system architecture. The individual storage devices cannot be deleted within the server, as data is consistently exchanged between the mass storage and the system cache.
Therefore, both the HDDs and the flash cards must be removed from the in-memory system and deleted externally, so that a secure, standardised environment is guaranteed to delete all data. Subsequently, the individual drives can be completely erased by repeated overwriting.
The most commonly used approach to securely erase tapes is by shredding them or using a degausser where the extremely strong electromagnetic field causes all magnetic structures to be destroyed on the tape. When companies are trying to destroy data, it’s important that they remember their legacy tapes as well. Indeed, legacy tapes contain a lot of data that are difficult to permanently remove unless they are also degaussed or shredded.
For more information on the different techniques which ensure the permanent deletion of data from computers and other electronic devices beyond any possible recovery I recommend you check out this ebook.
There’s no reason why any company should be caught out in the cold when dealing with the extended data security rules as implemented in the new EU’s legislation even if your company is not a member of the EU or your country has decided to leave it in a public vote. The fines will be severe if caught not applying to the new rules. The knowledge and expertise to erase data is available and can prevent companies from future data breaches and serious legal penalties – arguably more difficult problems to overcome than the challenge of wiping out data.