Data Erasure: GDPR and Erasure Verification Services

Thursday, April 26, 2018 by Michael Nuncic

With just weeks left until the European GDPR takes full effect on May 25th, bringing fines of up to 4% of global annual turnover for companies and organizations that do not comply with the rules, managers should check whether they are able to securely erase data and files on demand, when ordered.

Remember: In article 17, the GDPR introduces a new right for individuals to have their personal data erased by your company!

This new "right" is also known as the "right to be forgotten". Any individual can make a request, either verbally or in writing, to a company or organization that their data be erased. The company has only one month to respond to this request.

If the individual's request is justified, for example when the enterprise holds personal data that is no longer necessary for the purpose it was originally collected or processed for, the enterprise has the duty to securely erase this data.

As we have pointed out in many blog posts over the last years, Ontrack as well as Blancco provide several secure data erasure solutions which rely on the most advanced technologies to erase files and data from HDDs, SSDs, RAID systems, mobile devices or any other device.

However, even if you have securely erased the personal files wherever they might have been stored, for a company this is only half of the job. Given GDPR and its huge fines, you and your company should be able to prove later on – even months afterwards – that you did so properly.

To address this problem you have two possible solutions: either you purchase a solution that you implement in your overall IT system architecture and that prints out a verification which you can later use as a piece of evidence, or you choose this way:

You can make use of the Ontrack Erasure Verification Service. Ontrack is the leading data recovery services provider and also offers secure erasure services, so you can let its experts check and verify that all of the respective personal data is securely erased.

In short, regardless of whether employees of your company or a third-party provider erased the data on your media, Ontrack searches and analyses all media types, looking for remnants of user data on the devices.

Normally, before a customer erases the personal data on a device, the device is prepared for secure erasure by writing known, specified data patterns to it. This can be done by the customer or by the Ontrack experts. In a second step the erasure process is performed, again either by the firm or by Ontrack. After the secure erasure has taken place, an in-depth analysis is performed, which shows whether any remnants of data still exist on any portion of the media, including user data, bad/defective blocks, spare pool data or elsewhere. Finally, a detailed report is created and delivered to the customer, providing all the information on the process that was used to prepare, sanitize and analyse the device. With this report at hand, you can prove that the erasure process was technically sound and that no personal files can be recovered later on.
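The prepare, sanitize and analyse sequence described above can be illustrated on a small in-memory image. This is an added example, not Ontrack's tooling or method: the marker string, the 512-byte block size, the zero-overwrite "eraser" and the `unreachable` parameter (standing in for blocks an eraser never reaches, such as remapped or spare blocks) are all assumptions made for illustration.

```python
import hashlib

MARKER = b"ERASE-VERIFY-PATTERN:"   # constructed known pattern (assumption)
BLOCK = 512                         # assumed block size in bytes

def pattern_for(index: int) -> bytes:
    """Known per-block pattern: marker plus block index, repeated to fill the block."""
    unit = MARKER + index.to_bytes(8, "big")
    return (unit * (BLOCK // len(unit) + 1))[:BLOCK]

def prepare(image: bytearray) -> None:
    """Step 1: write the known pattern to every block before erasure."""
    for i in range(len(image) // BLOCK):
        image[i * BLOCK:(i + 1) * BLOCK] = pattern_for(i)

def sanitize(image: bytearray, unreachable=()) -> None:
    """Step 2 (simulated): zero every block except those the eraser never reaches."""
    for i in range(len(image) // BLOCK):
        if i not in unreachable:
            image[i * BLOCK:(i + 1) * BLOCK] = bytes(BLOCK)

def verify(image: bytes) -> dict:
    """Step 3: scan every block for remnants of the known pattern and build a report."""
    total = len(image) // BLOCK
    remnants = [i for i in range(total)
                if MARKER in image[i * BLOCK:(i + 1) * BLOCK]]
    return {
        "blocks_scanned": total,
        "remnant_blocks": remnants,
        "image_sha256": hashlib.sha256(image).hexdigest(),
        "verdict": "PASS" if not remnants else "FAIL",
    }

def run_demo(unreachable=()) -> dict:
    """Run all three steps on a constructed 16-block in-memory 'device'."""
    image = bytearray(16 * BLOCK)
    prepare(image)
    sanitize(image, unreachable)
    return verify(image)

if __name__ == "__main__":
    print(run_demo())                     # every block overwritten
    print(run_demo(unreachable={5, 13}))  # two blocks missed by the eraser
```

Because the pattern is known in advance and present in every block, any block that still contains it after sanitization was demonstrably never overwritten, which is what makes the resulting report usable as evidence.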

The verified erasure service has already been used in many circumstances, independent of the new need created by the GDPR. Some companies have used it, for example, to prove to their customers that their built-in tools can erase sensitive data from end-of-life/lease high-end servers for good. In one case in 2015 NetApp turned to Ontrack to validate the Disk Sanitization feature of NetApp® Data ONTAP® software on a FAS2240 storage controller with internal HDD/SSD storage. Ontrack proved that 100% of the data on that system was securely erased and no recovery of any data was possible.

In the same year Micron, a producer of memory modules and SSD storage, wanted to prove that the erasure tools it provided to its customers were effective and that no data could be recovered. Again, Ontrack's Erasure Verification Service proved them right. And last but not least, IBM contacted Ontrack to perform an Erasure Verification Service for an IBM FlashSystem 900 for a client, and the storage also proved to be clean of old user data.

While the last examples were companies that wanted to prove that their devices were cleaned of all client data, and all took place in the United States, the need for Ontrack Erasure Verification Services is, with GDPR in near sight, not only an American issue, nor even just a European topic, but a global one: the new regulation is valid for all companies that do business within or with a European country, and that will most likely be the majority of firms nowadays. Therefore relying on a solid and proven service, one that already won the Storage Visions award in 2015 for Erasure Verification Services, is the safest way to prove secure personal data erasure and be compliant with GDPR.