Staying GDPR compliant when erasing data from company environments
The introduction of GDPR back in 2018 forced organisations to take a good hard look at their erasure policies. GDPR is more than just 'the right to be forgotten'; it also applies to the prevention of data leaks by all enterprises that either does business within the European Union or from outside with an EU company. However, there still seems to be a great deal of confusion in regards to correct data erasure protocols, which is leaving organisations open to data breaches. In this blog, we explore how you can ensure your business remains compliant when erasing data from active environments.
In Article 32 of the GDPR, it states that companies must have "introduced a procedure to maintain regular reviews and evaluations of the effectiveness of technical and organisational measures to ensure the safety of processing of personal data within the company." Ensuring you have implemented a proper procedure is not only valid for data processing but also the selection and procurement process of the IT solutions (both software and hardware) in use.
GDPR: What should have been done?
Every company IT representative should have taken all necessary measures to ensure that no personal data can leak outside the company. Some of the steps that should have been taken according to the GDPR are:
- Pseudonymization and encryption of personal data,
- the ability to ensure the confidentiality, integrity, availability, and resilience of the systems and services related to the processing permanently;
- the ability to rapidly restore the availability of and access to personal data in the event of a physical or technical incident;
- a process for periodically reviewing and evaluating the effectiveness of technical and organisational measures to ensure the safety of processing.
Another critical point of Article 32 is:
"In particular, the risks associated with the processing – in particular destruction, loss or alteration, whether inadvertent or unlawful or unauthorised disclosure of or unauthorised access to personal data transmitted, stored or otherwise – must be taken into account when assessing the appropriate level of protection."
In short, Article 32 demands that organisations take all risks into account when using any technology that holds personal data. Before any organisation uses media to keep sensitive data, a responsible employee must complete a data protection impact assessment to ascertain any risks to the (data) rights of individuals.
Any data leaks that occur in a company have to be reported within 72 hours of the leak occurring. If not, the fines are severe and the same as with unauthorised use of personal data: either fines of up to €20 million or 4% of global annual turnover (whichever is greater).
Secure erasure is still an issue
Two years since its implementation, some businesses continue to overlook or forget to erase existing files from desktop computers, laptops, external drives and services. This is often due to a misunderstanding of correct data erasure methods, and a lack of access to effective tools that allow them to erase data in their active IT environments. Many organisations' sensitive data is, therefore, being left in a compromising position and vulnerable to a breach.
For many organisations, data erasure is still not at the top of their IT departments' security priorities; this is not surprising when cyber-attacks have become an unfortunate reality in today's digitally connected world. However, as discussed above, GDPR makes it a legal requirement for organisations to ensure they have correct and secure data destruction practices in place.
Nevertheless, many IT departments are lacking knowledge and education regarding the difference between 'deletion' and 'erasure'. In a study conducted by Blancco - 'Delete vs Erase': How to wipe files in Active Environments it found that over half (51%) of its 400 respondents thought to empty their recycle bin was enough to erase their data from their desktop computers/laptops permanently. Equally worryingly, another 51% considered to perform a quick format or full reformat of their computer's entire drive was sufficient to destroy their data for good.
Without the proper expertise and knowledge regarding data erasure, organisations are putting their sensitive data under risk of potential data breaches.
To help strengthen your organisation's data hygiene and improve its overall data management and data erasure practices, we have put together the below tips to assist you when it comes to sanitising data from an active environment.
Automate active secure erasure
Each user should perform this on their recycle bin upon logging off from the system. By automating this process, your organisation is taking the necessary due diligence steps to confirm the permanent and secure erasure of data and files. Doing this will mitigate any uncertainty or risks regarding erasing data securely from users' laptops or desktops.
Schedule a "shred free disk space" operation
Each laptop and desktop computer owned and used by your organisation should include this step when there are service windows or patches are scheduled. By executing this, you will continuously target lingering application data (as well as other data) that has been improperly or incompletely deleted by a user of the system.
Automatically erase temporary files
Automating the erasure process will ensure it is regularly performing, guaranteeing optimal security. In this way, you can target user data that may have built up and remained in the system, such as the browser cache, where sensitive information may be stored.
Delete locally created and saved user files
Consistently deleting locally produced user files and encouraging your workers to archive their data in a central repository can prevent a possible data breach. This is an ongoing data management struggle that has long vexed IT teams within many organisations.
Authorise "power users" to do active erasures
An often overseen asset to your IT policies is the selection and assigning of a group of "power users" within the organisation that is authorised to perform active deletion of files from the system. They can be instrumental in the security of your company, particularly if individuals are storing sensitive data in the wrong location. The "power users" should target incorrectly stored data and permanently delete it immediately.
Get a certificate verifying file erasure to ensure regulatory compliance
Ensuring you have a certificate and audit trail that proves the secure and permanent erasure of data will mean your organisation can show that it is adhering to data retention policies and regulatory requirements. Erasure Verification Services can help your organisation verify its data erasure strategy.
For more information on erasing data securely from your company environment, contact one of our data destruction specialists.