Rise of GDPR - Will On-Site Data Erasure be a Must?

The General Data Protection Regulation (GDPR) has officially gone into effect and many companies are now adopting their data protection and business continuity plans to these new rules in order to avoid the massive fines for non-compliance.  For most companies, these fines can be  life threatening, with up to four percent of the total worldwide turnover, every aspect of the law requires review, and if necessary, a change can take place.

In some countries, such as Germany and France,  no changes have taken place in contrast to the currently active, and strict, data protection laws , but in a lot of countries data protection is a requirement.

A quick summary of GDPR

One of the main aspects of this new law, which will be active in spring of 2018, is to make sure that personal data protection happens. In the new GDPR, the “right to be forgotten” is even more important, which means that if there are no other legal interests by the firm, the companies now must securely delete the personal data of the “data subject.”

There are additional national or international laws which require companies to make sure that personal data or sensitive data concerning partners, business, financial or tax or even security matters do not get into the hands of the wrong individuals. Most of the laws which deal with these matters have strict deadlines regarding what period of time data requires secure deletion.

Because of these laws, a decent data management process plan must cover not only the storage of data within its life cycle, but also cover the end of the lifecycle - the secure deletion or destruction of the data. And this confronts companies with a serious (and costly) question: Should the data destruction be in-house or off-premises?

While off-premises data destruction holds a lot of advantages when deciding to use an external service provider to delete data and physically destroy the storage mediums for the company, in many cases it is not the best solution.

In many cases securely erasing data in house or on-premises is the better, or the only, solution. The reasons for this decision can result both out of security reasons as well as out of legal obligations.

Most common reasons against using off-premises / external data erasure:

1. Several national laws require companies to leave their data on-premises. Personal data should never be public to anyone and most federal organizations in most western countries are forbidden by law to make personal data available to someone outside the department or a specific project. Highly sensitive sectors like energy or finance, have strict laws which protect against criminal, digital or terrorist attacks on sensitive county infrastructures.
2. Companies are afraid that crucial or business sensitive information that is handed over to a specialized data erasure or destruction service provider will get leaked. There have been incidents where this has actually happened when HDDs were not erased properly. And to make things worse, they were sold on an e-commerce platform by a “data destruction specialist.”
3. Firms don’t want to rely on an external data erasure service provider because they can never be certain that the data was not copied and given to a third party beforehand.
4. Companies are afraid that if data is stolen before being securely erased, they can only file a law suit against the service provider. Regardless of the outcome, the company faces not only entrepreneurial damage, but also a great loss of reputation.
5. Companies and the responsible IT administrators have the most knowledge of all the insights of their storage systems and the data stored on them because they deal with it every day. Therefore, many companies see their own employees as the best guarantee that only data is securely erased and destroyed that is supposed to and no mistakes will happen in the process.
6. Companies and the responsible managers want to get the job done and to get a certificate about the data erasure, but also want to have a little bit of control over the process. Data being securely erased and destroyed in a safe and secure manner inside their own premises reduces the chance of data breaches and mistakes. Additionally, a specialist inside the company can offer valuable advice and guidance of would might have been forgotten in the current active data erasure plan of the company.

Not so fast...

But there is a pitfall when erasing data and information on-site: As with every IT process, there is a lot of work to be done before data is gone for good. Maintaining the IT infrastructure, acquiring the erasure software and erasure management software, managing the erasure reports, keeping track of software and hardware updates, etc. And all of that requires time that is most likely needed on other projects.

In many cases it's more efficient and cost-effective to bring a specialized data erasure service provider in house to do the job right.  For example, Kroll Ontrack sends in highly qualified personnel to securely delete unnecessary data from any storage medium available on the market, whether it's to delete data from a LUN on a highly complex storage system or erasing data from hard disks out of a RAID array. The option to reuse the medium after erasure or completely wiping the data from the medium with a degausser can be discussed with your Kroll Ontrack expert to cover your specific needs.

For more information on secure data erasure visit https://

Author:  Michael Nuncic