Secure Data Destruction

By: Arooj Anwar GDPR | 13 January

Your customers and employees trust you with their data, but are you doing enough to protect it? Once you have collected the data you needed, processed it and no longer need it, where does it end up? The thought of reassessing your current data destruction practices can seem like an overwhelming task. In this blog post I talk about the importance of secure data destruction and the methods available, and give you a step-by-step guide on how to make a data destruction policy for your organization.

What is data destruction?

Data destruction is the process of destroying data stored on laptops, phones, hard drives and other electronic devices. The purpose behind secure data destruction is that once destroyed, data is completely unreadable and cannot be accessed by an unauthorized person. The definition makes it clear that when we talk about data destruction, we are not only referring to the physical destruction of data, which is the process of feeding devices into a large mechanical shredder, but also to the destruction of electronic data that is stored on devices.

Why does data destruction matter?

Deleting old data is not just convenient for organizations but also a legal obligation. After a certain amount of time, most data needs to be permanently deleted from computers and systems in order to comply with the principles of GDPR. We rely heavily on data due to its efficiency in business, but as with anything, there are downsides to this. An increased amount of digitalized data creates risks of data breaches, as sensitive data is under constant threat from cyber criminals.

Processing data in a responsible and sustainable manner is also your moral obligation and showing your employees, customers, and partners that you value their privacy can help you create stronger relationships.  

Data destruction policies and data breaches

Having a data destruction policy can lower the risk of data breaches. Data destruction policies help ensure that data is destroyed according to the GDPR, and this lowers the likelihood of a data breach and saves you a lot of trouble further down the line.

Handling sensitive data

Sensitive data is confidential information that should be handled in accordance with the GDPR. In our daily operations we often handle data of an extremely sensitive nature depending on our field of work, for example financial records, personal employee information, medical information etc. If sensitive data is accessed by an unauthorized person, it could result in severe consequences not only on a corporate level but also on an individual level.

Tips for secure data handling:

  • Double check recipients when sending sensitive data

  • Be vigilant about phishing attacks

  • Make sure all portable and personal devices containing sensitive data are password protected

  • When starting a project, make sure to have a plan for the timely deletion of personal data

  • Make sure to only collect the data that is needed; this way you also stay compliant with the GDPR rule on data minimisation

  • Make sure that access to devices storing sensitive data is responsibly managed and reviewed regularly

GDPR and data destruction

Let’s talk about GDPR and the legalities around data destruction. The GDPR does not tell us exactly which type of data destruction method companies should use, but the importance of secure data destruction is mentioned within the GDPR. The GDPR classifies data destruction as a form of data processing; therefore, companies must comply with the same set of rules when destroying data as when processing it.

Although there are no exact requirements, several big companies have been fined for breaking the GDPR. To avoid making the same mistakes, we recommend getting familiar with what we do know about this GDPR principle.

Rules set forth by the GDPR:

  1. Companies must implement the correct controls; giving data owners full rights over their data, including the right to have data deleted.

  2. Old data must be deleted securely and without the possibility of retrieving it later.

  3. Companies must appropriately dispose of any physical hardware which may have data stored on it, not just digitalized data.

Data destruction methods 

There are several different methods that you can use to destroy data, but none of them is perfect or promises complete success. Knowing the difference between them will help you to choose the one that is right for you.

Shredding - physically destroying electronics

Erasure - overwriting hard drives

Erasure is a data destruction method used to effectively dispose of data. It is ideal for when you do not want to destroy devices. It works by overwriting hard drives so that the person who uses the device next is not able to access any previously stored data. Erasure is an ideal method to use for laptops, phones, and USB drives. It is cost effective and secure.

Degaussing - destroying the magnetic field of devices

Degaussing is done through destroying the magnetic field of a storage device. Once the magnetic field is destroyed, the data itself is also destroyed. This method is ideal for destroying sensitive data as it makes sure data is completely unrecoverable. The downside to this method is that the device is no longer usable once the magnetic field is destroyed.

Overwriting - using software to encrypt data

Overwriting is a commonly used method for organizations that wish to dispose of data while still being able to reuse devices. For this method, software tools are used to encrypt the data on devices, making it difficult to decode or recover. This is done by placing unreadable characters over the data. For advanced storage devices, overwriting may not offer strong enough security. This method of data destruction is inexpensive and easy to use, but it can be time consuming and unreliable in some cases.
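
The overwrite-then-verify routine described under Erasure and Overwriting above, as an added Python example (not from the original post or from any erasure product): it overwrites a target with a random pass and a zero pass, reads it back to confirm no original byte remains, and returns a record for the destruction log. The function names, record fields and the sample file standing in for a drive image are assumptions made for illustration; a read-back like this checks only what the operating system can see, which is one reason overwriting may fall short on advanced storage devices.

```python
import os
import secrets
import tempfile

CHUNK = 1 << 20  # work in 1 MiB blocks


def overwrite(path, passes=(None, b"\x00")):
    """Overwrite every byte of `path` in place, one pass per entry.
    None means random bytes; a single byte is used as a fill pattern."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for fill in passes:
            f.seek(0)
            left = size
            while left:
                n = min(CHUNK, left)
                f.write(secrets.token_bytes(n) if fill is None else fill * n)
                left -= n
            f.flush()
            os.fsync(f.fileno())  # push this pass to the device before the next
    return size


def verify_fill(path, fill=b"\x00"):
    """Read the target back. Return the offset of the first byte that is not
    the expected fill, or None if every byte was overwritten."""
    offset = 0
    with open(path, "rb") as f:
        while block := f.read(CHUNK):
            if block != fill * len(block):
                return offset + next(i for i, b in enumerate(block) if b != fill[0])
            offset += len(block)
    return None


def erase_and_record(path, source, data_type):
    """Overwrite, verify, and return a record for the destruction log."""
    size = overwrite(path)
    bad = verify_fill(path)
    return {"source": source, "data_type": data_type, "bytes": size,
            "method": "overwrite: random pass, then zero pass",
            "verified": bad is None, "first_unexpected_offset": bad}


def demo():
    fd, path = tempfile.mkstemp()  # constructed file standing in for a drive image
    with os.fdopen(fd, "wb") as f:
        f.write(b"name=Jane Doe;iban=XX00TEST0000\n" * 1000)  # constructed data
    try:
        return erase_and_record(path, "HR laptop (constructed)", "employee data")
    finally:
        os.remove(path)
```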

Outsourcing data destruction

Before I get into how you can create a data destruction policy for your company, I would like to briefly discuss the option of outsourcing the data destruction side of things within your organization. As a large organization, you could choose to work with a data destruction company that will do all the work for you.

Things to keep in mind when outsourcing data destruction:

  • Make sure the company you choose to work with provides certification of sanitization, to prove that data has been destroyed. The certificate should cover the type of data destroyed, source of data and the method used.

  • Find out if the company is GDPR compliant. To do this you might want to ask about their processes and how their employees are trained to meet GDPR standards.

  • Make sure the company is insured. If they are not, this could be an indicator that in case of a breach, they may not be prepared to take responsibility.

After doing your research on the company, if you still happen to be concerned about sensitive data falling into the wrong hands, your best bet would be to do the data destruction within your organization, as this provides the fewest risks for data breaches.

What is the purpose of a data destruction policy?

Companies are collecting, processing, and storing data at ever-increasing rates and do not see much point in getting rid of old data as more data storage space can easily be bought. Most companies do not need and in many cases are not allowed to keep hold of old data. Therefore, having processes in place to guide your employees on data destruction is important, and a data destruction policy allows you to do this effectively.

Secure data destruction for small organizations

Smaller companies might think they are not big enough to attract cyber criminals. Regardless of size, all companies collect and store data, which is all that’s needed for cyber criminals to commit identity theft and other crimes. A smaller organization may choose not to make a data destruction policy, but they can still create a strong security culture that encourages awareness and good practice. The GDPR does encourage companies to have data destruction policies; however, you will not be fined for not having one.

Some key things to keep in mind when making a data destruction policy

  • Make sure your company is compliant with all industry, state and federal regulations.

  • Check that you are aware of your contracts with other companies and their data specifications regarding data destruction.

  • Make sure you comply with the rules set by the GDPR on how long you must keep the data and how that data is to be destroyed.

How to make a data destruction policy?

Now that we have talked about the importance of secure data destruction, the methods and the potential risks related to data breaches, you are probably wondering about how you can create a data destruction policy for your company. As promised, I have made a step-by-step guide for you to follow which will make the process a lot easier.

Where do you store your company data?

So, first things first. Make a list of all the places and devices where data is stored in your office. Some potential data storage methods your company may use are:

  • Computers

  • Phones

  • USB drives

  • Hard drives

  • Paper forms and files containing business information

  • Digital cameras

  • Voice messages

  • Printer and copier hard drives

Who has access to your data?

Next you should make a list of data or devices that business associates have access to. This could be your suppliers, vendors or stakeholders.

Where do you store your company data?

Now it's time to answer the who, what, when, where and why questions. For this section, you need to use both lists made previously. Using these lists, answer the questions below:

  • What type of device is it? (USB, flash drive or other)

  • How sensitive is the data that is stored on it? Is the level of sensitivity high, moderate, or low?

  • What kind of data is stored on it? Is it employee data, financial or customer data?

  • How are we required to destroy or dispose of the data or device?

  • Who is responsible for destroying it?

  • How often are we required to dispose of the type of data in question?

  • How will we verify that the data is destroyed and not recoverable?

Writing up the final data destruction policy

The final step to creating a data destruction policy is formally writing it down, and this may seem like the most difficult step of them all. To make it a little easier, I have come up with a list of questions which will hopefully help to create a policy that is consistent and covers all important elements of secure data destruction.

  • How do we carry out the shredding process in our company? Do we have a physical shredding machine available in the office or are we using a service and if so, which?

  • What is the process used for deleting data from each type of electronic device?

  • What are the different types of software tools that we use?

  • How are devices destroyed so that they are no longer usable in the future?

  • Who is responsible for deleting data and destroying devices and how often is this done?

  • How will we verify that data has been securely deleted? For what type of data and when do we need verification? Who is responsible for verification?

  • Who is responsible for the implementation of the data destruction policy and making sure that employees understand it?

  • Who must comply with the data destruction policy and what are the possible consequences in the event of a breach?

Creating a data destruction policy will require some time and effort. However, once it’s in place, you will sleep better knowing that you have significantly reduced the risk of your company being held legally liable for data and security breaches.

The truth is you might not necessarily enjoy the thought of having to construct a lengthy data destruction policy or rethink your habits regarding data destruction, but that does not change the fact that data breaches are a real concern, and you should take necessary measures to prevent them.