Keeping GDPR compliant: Why data erasure continues to matter

The introduction of GDPR in 2018 brought data destruction and erasure strategies to the forefront of corporate strategic thinking. The potential of punitive fines for non-compliance and responsibility now sitting with the senior leadership team, for some organisations, data storage has been firmly at the top of the agenda for several years. But how do you ensure that your organisation is GDPR compliant?

Knowing about the issue and taking pragmatic steps to address it are two different things. The problem is that even today, organisations don’t always know where their data resides, so responding to subject access requests (SARs) for personal information can be a complicated, time-consuming and expensive process. Under Article 17 of the GDPR, organisations must be able to prove that they can erase data permanently and adequately.

Keeping GDPR compliant: How to erase data properly

You should remember that just deleting data or reformatting magnetic media (including hard disk drives and tapes) is not enough to ensure that your organisation remains GDPR compliant and that the wrong personal data does not reside somewhere in the business. When an organisation deletes data from any media type, recovery is possible, even when the hardware has flood or fire damage.

Luckily, there are many software solutions available that completely wipe devices so they can be securely reused, resold or recycled. Some solutions permanently erase  only specific, targeted files, as-well-as more permanent erasure solutions such as degaussing, which takes magnetic tape storage and renders the device completely unreadable (and unusable).

The risks of physical drives

Another significant source of uncertainty is physical drives, which tend to be recycled and reused by organisations seeking to contain the cost of storage. Without using the right data erasure tools and software, organisations cannot be 100 per cent sure of the destruction of their sensitive data from the media they use.

Users are unaware of the risks

In a survey of 2,000 UK consumers, we found that many users are unaware of the dangers presented by not backing up data or by recycling their devices properly. More than one in 10 (11 per cent) admitting they were not sure whether data is permanently deleted when they don't recycle or throw away old mobile phones, tablets or computers.

Only 32 per cent said that they regularly backed up the data on their electronic devices, leaving 68 per cent risking the loss of personal information and many more leaving data on their device when it is lost, damaged, resold or disposed of.

Forensic investigations

The world has seen a proliferation of gadgets, from smartphones to iPads to voice-activated digital assistants, televisions and fridges that can all record and transmit data. Industrial sensors and CCTV cameras also help to produce data so large and complex that a new approach is needed to store, secure and erase upon request by individuals.

Computer forensic experts can use data to make or break a criminal case. An example of such a situation was when prosecutors found that a murdered woman’s Fitbit data did not match her husband’s alibi. From the locations tracked by the Fitbit and the activity monitor, investigators were able to produce a timeline showing that she was not where her husband said she was at the time of her murder.

The case serves to demonstrate that a determined computer forensics expert will be able to recover data from almost every device, in nearly every stage of disrepair. Our many studies over the years into discarded or recycled devices shows a lack of thought is often applied, leaving individuals and the organisations they work for under a severe level of risk.

The GDPR effect

The introduction of the GDPR legislation means companies in both the private and public sectors have to prove that they GDPR compliant. An organisation must erase data in line with the guidelines and show that they are fully accountable for monitoring, reviewing and assessing relevant processing procedures.

All organisations have to show a willingness to minimise data processing and unnecessary retention as well as show they are incorporating safeguards for all data-related activities. For many organisations, GDPR was a great reason to apply best practice management to their data storage strategies.

There are several business benefits to putting an end to end erasure policy in place; these include:

Cost – Data storage, both physical and virtual, is expensive. Being able to erase data securely enables businesses to recycle and reuse storage media without fear of inadvertently placing sensitive data in the hands of others.

Security – Organisations often misunderstand the differences between deletion and erasure. Businesses need to understand that deletion is not permeant, whereas erasure is.

Keeping up to date – The focus on data retention and erasure is not new (PCI DSS, ISO 270001) but as the world becomes more data-dependent understandably the sentiments of more focused regulations are being applied to the broader world. GDPR covers essential aspects like globalisation or modern technological developments, such as Facebook, Twitter, Google+ and other social media platforms. The legislation encompasses new ways of communicating in the digital age – and the subsequent information that’s generated from our interaction with it.

For many organisations, GDPR has been a great reason to apply best practice management to their data storage strategies. Unfortunately, some organisations are still in confusion regarding secure data erasure practices, which is resulting in the leak of sensitive, personal data.

Contacting an erasure specialist such as Ontrack will ensure your organisation has stringent data destruction protocols in place. Without such protocols, your business could face severe fines and damage to its reputation.