How to get data destruction right under GDPR
When your business last disposed of its computers, were you sure all the data stored on them was safely and securely destroyed?
Businesses now collect and store massive quantities of data. This information currently resides on local PCs and servers, mobile devices and increasingly, in the cloud.
However, given that storage trends are continually evolving, there has never been a more important time to have a secure and reliable way to not only locate what data you hold but to also destroy it when needed. This is not just a matter of business security - enough alone to justify a robust strategy - as the regulatory reform brought with GDPR means data subjects now have a right to have their data deleted from a company's systems upon formal request.
This is particularly important today as the falling cost of mass storage has led many businesses to simply keep vast quantities of their information instead of operating a disposal strategy. In fact, Gartner predicts that these data volumes will grow by as much as 800% by 2022.
However, expanding storage capacity isn't a solution to effective data management. At some point, data will have to be erased and destroyed.
Enza Iannopollo, Forrester senior analyst of security and risk, explains to IT Pro that just because technology facilitates the storage of vast quantities of data, it doesn't mean it's ok to do so.
"We recommend all firms that engage in digital transformation or that are planning to leverage AI or machine learning, in particular, to clear to their teams and third parties when it's fair and lawful to hold on data and when it's not," says Iannopollo. "They should also provide viable mechanisms or guidance on how data must be deleted, and a way must exist to make sure that internal teams, as well as third parties, actually comply with these requirements."
Consumers can now take more control of their personal data, and this includes how and by whom this information is collected and stored. Having a clearly defined system of data erasure no matter where it resides, is now a critical component of every business.
The matter of encryption
According to research carried out by Probrand, 70% of businesses do not have an official process or protocol for disposing of obsolete IT equipment.What's more, 66% of workers admit they wouldn't even know whom to approach in their company to correctly dispose of old or unusable equipment.
Mike Wonham, senior research director at Gartner, tells IT Pro that the problem isn't just that sensitive data is being left on discarded hardware, but that there is often little to no encryption on those devices.
"The real question is about unprotected sensitive data. If the data is properly encrypted using a trusted encryption system, then, to a large degree, the existence of sensitive data is of low risk as the destruction of the password or key renders the data unusable."
"The problem is that this doesn't happen as much as it should, and the BYOD (bring your own device) culture will cause further issues as organisations may have to work harder to control data on those devices," he adds. "As with many security issues, an ounce of prevention is worth a pound of cure - strong policies on mobile device usage, along with technical controls such as CASB (Cloud Access Security Broker) and MDM (Mobile Device Management) to enforce and limit use and protect data, should be used to reduce the risk."
As data continues to proliferate, having a detailed policy that defines how data is destroyed, and, just as crucially, managed if it's going to be retained.
"The retention policy is the other side of a destruction policy and determines for the organisation, which data should be kept for what purpose, and for how long. Armed with this information, the organisation can then decide how data of different sensitivities or retention requirements can be used - including where it can be stored, who can access it, and how it may be moved. This level of control will reduce the number of different scenarios which need to be covered by formal data destruction."
Wonham suggests sensible data destruction policies will then determine the "minimum acceptable means" by which data is destroyed, whether that's physical data or electronic data. What's considered "acceptable means" will vary depending on the scenario. These could include throwing away a password key for an encrypted device or the physical destruction of a device or storage medium. It's important to note that regulators will require evidence of this destruction, whether it's done in-house or by a third-party.
"Destruction policies can be, in essence, quite simple," explains Wonham. "More complex is the implementation, as even reasonably small companies will need to track all forms of storage media used by the company in order to destroy data in line with privacy legislation, subject access requests or other retention policy requirements.
"Again, controlling the dispersal of data during its lifecycle will provide more confidence that these requirements are met."
Maintaining value under GDPR
Perhaps one of the most important tenants of GDPR are the rights to subject access and subject consent. Data subjects have never had as much control over how their information is processed and stored, and these require comprehensive data management strategies to both track and destroy data with confidence when required.
"Organisation need to pay more attention to the data management issues which are driven by external compliance such as GDPR," Wonham explains. "They should look at the lifecycle of the data to determine where they should or should not be used, and how processes can intervene to ensure compliance.
However, Wonham suggests this does not need to be done at the expense of value, unless such value was traditionally obtained in contravention of lax data regulations. "Instead, good data management reduces data proliferation and duplication, and can go some way to reducing cost and friction within the data lifecycle, and not just reducing the risk of non-compliance."
The future of data destruction
It's this regulatory pressure that will drive security and IT teams to ensure they have better control over data regardless of the device and format that it's stored on. The best way to ensure that control, for both protection and destruction, is to use encryption in its various forms, however businesses should be looking to adopt a wide range of complimentary policies.
"Gartner looks to tools like MDM, CASB, DLP (Data Loss Prevention), and digital rights management, as being a portfolio of methods by which clients can achieve better compliance in a diverse set of endpoint and other storage systems," explains Wonham.
"However, companies need to get a good handle on the what, where, how, who and why of data management first, otherwise the tools will offer much less value. Organisations that take a primarily tool-based approach to compliance with privacy regulations, or even the protection of intellectual property, will struggle to get effective control over data, its use and its protection."
Taking control of destruction
There are a variety of techniques that can be used to erase data. Specialist companies can offer degaussing services, where a powerful magnet is used to erase the data from a drive, however, it's also possible to scrub a device using software.
It's vital to match the type of data destruction your business needs to carry out with the needs of the data owner. To help inform this decision, the International Data Sanitization Consortium has a handy infographic that defines the options available.