In preparation of GDPR, it is vital that your business has a process in place to securely and responsibly dispose of end of life data assets. Getting a robust process in place and educating your staff is crucial – not only to protect your own business data, but also to protect any data you may process, manage or store on behalf of your clients. An effective IT security system is important for all types and formats of data storage, including that found on handheld devices, hardware, sound recordings and hard copies.
We’re under no illusion, this security is not necessarily a simple process, however by following our 8 tips to securely dispose of your end of life data assets, you should be on the right road to secure and responsible data management.
- Understand Your Data Requirements
Knowing about the data that you and your company acquire allows you to determine the necessary security procedures. This may include the lengths of time that different types of data need to be stored; the duration of time that it needs to be protected; and how sensitive it may be or how to securely destroy data assets. These details will vary between sectors (and even between companies within the same sector), so it is important that you assess this on a personal level, business unit level and corporate level.
- Understand the Threat of Mistreated Data
Many employees still don’t fully appreciate the consequences for the mistreatment of end of life data and not disposing of it correctly. If sensitive business data falls into the wrong hands (either your data or your customer’s data) then you can be set to receive financial penalties from the ICO. But by educating employees of how to securely and accurately dispose of sensitive data, you should be able to significantly reduce the risks of a data breach happening.
- Implement Policies for Data Security and for Data Disposal
If your company doesn’t have a policy for data security and data disposal, then you are seriously increasing the risk of falling victim to a data breach. If no policy is in place, how can your business be enforcing the safe disposal of data assets? Data security and data disposal policies should have a designated employee who is responsible to tailor these to a company’s specific requirements. If you work in the Public Sector, then you are required under GDPR to employ a Data Protection Officer.
- Determine your end of life priorities
If your main priority is to ensure that all end of life data assets are thoroughly destroyed regardless of cost – you will be willing to spend more on the data destruction process. That said, budget is not always made available and priorities can shift from business to business, depending on the data they handle. But under GDPR the Information Commissioners Office will be able to issue penalties of 4% of global turnover, or €20 million – whichever is the greatest. With potential fines like that – can your business afford to skimp on the secure destruction of end of life assets?
- Determine How Drastic the Destruction Process Should Be
If data held on the asset is extra sensitive, you may need to physically destroy the hardware in addition to wiping them. Less sensitive data may not require such thorough action. Regardless of the severity, the best way to protect yourself against negligence is to have a representative from the business witness the destruction of the data asset and ensure a Certificate of Destruction is issued in accordance with the latest industry regulations.
- Educate your Employees
A policy is pointless if no one in your business is aware that it exists, so make sure that you invest time and resource in educating your employees. Ensure that everyone who has a role in processing, managing or storing company or customer data, no matter how infrequently, knows what steps they should do with end of life data assets. Even if employees are aware of the end of life data asset process, they should be educated to understand the risks of a data breach and to ensure that they understand the importance of following the processes with considerable effort.
- Develop a cradle to grave data management policy
Your policy should highlight every aspect of the end of life data asset, from beginning to end. This means that employees (and anyone else that deals with the data) will know precisely what they should do in all situations.
- Regularly Test Your Policy
You should test your policy before its implementation. However, in order to ensure consistent security, you must test and monitor it regularly to ensure employees are still following the processes and re-educate any employees that fall short. It might seem draconian but we prefer to see it as being vigilant.
In general, with end of life data asset security it is important to remember that no two companies will have the same requirements, meaning that you cannot base your policy solely on that used by another company. Determine what is important for your business and regularly update your policy if and when these requirements change.