The General Data Protection Regulation (GDPR) places two requirements on the disposal of personal data. The first is the storage limitation principle (Article 5(1)(e)), which states that personal data must be kept for no longer than is necessary for the purpose for which it was collected. In practice this means disposing of data promptly once the original purpose for processing has expired.
The second requirement is defined in Article 32, “Security of Processing.” Under GDPR the term “processing” covers a broad range of activities across the data lifecycle, explicitly including erasure and destruction; so businesses need a clear, risk-based methodology for disposal in order to minimise the risk of a data breach at the end of the lifecycle.
Any business that determines the purposes and means of processing personal data is a “Controller.” The Controller may process the data itself, or may outsource processing to a third-party “Processor.” Outsourcing the activity does not outsource the accountability.
Personal data may be recorded in both paper and digital formats. The importance of reliable destruction and disposal at the end of the data and hardware lifecycles is often overlooked. Simply throwing away data carriers, or damaging them by improvised means, has never been an acceptable form of secure disposal: data on a discarded or partially damaged drive can frequently be recovered.
Failure to comply with data protection regulations now carries the risk of much heavier fines. Both the Controller and the Processor are accountable for the security of processing of data, data carriers and hardware. GDPR (Article 32) requires security measures appropriate to the risk and to the state of the art, and points to approved codes of conduct and certifications as a means of demonstrating compliance; in practice this means following international standards and industry best practice for secure disposal, and being able to evidence it.
Accredited ITAD (IT Asset Disposal) specialists can help businesses demonstrate a commitment to best practice, through the delivery of disposal services based on international security standards – and the provision of audit reports as evidence of secure processing.
How can you securely dispose of data?
Depending upon the nature of personal data processed by the business, consideration should be given to the following:
• Hardcopy paper records and digital personal data records must both be securely destroyed: paper by shredding, digital media by data erasure followed by physical shredding
• Data carriers and hardware should be securely destroyed at end of life
• Asset tags and other identifying labels should be removed from hardware prior to disposal
• Contractors should be audited to ensure that their methods of data destruction and disposal are compliant with GDPR
• Controller and Processor Service Level Agreements should clearly define secure processing and disposal activities and who is responsible for each
• On-site data erasure and destruction ensures that all data has been destroyed before equipment leaves the premises, removing the risk of a breach in transit
• Destruction methods such as data erasure, degaussing and shredding should be completed in line with recognised industry standards (for example BS EN 15713 for destruction of confidential material, or NIST SP 800-88 for media sanitisation); note that degaussing only affects magnetic media and does not sanitise SSDs or other flash storage
• Data carriers and hardware should be inventoried and audited prior to destruction, so that the audit trail accounts for every item
• Audit reports should be maintained as evidence of secure disposal
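The list above calls for data erasure to be verified and recorded in an audit report rather than simply asserted. The following is an added example, not part of the original page and not Galaxy CI’s tooling, of what that verification looks like in practice: overwrite a data carrier, read the whole carrier back to confirm no original bytes remain, and emit an audit record containing the asset identifier, the method, the outcome and a hash of the post-wipe contents. It operates on an ordinary file standing in for a disk image (a constructed sample, so it runs offline); on a real drive the same read-back check applies, but the overwrite step would be replaced by the appropriate sanitisation command for the media type (a single-pass zero overwrite is assumed here, which is only suitable for magnetic media, not SSDs). The asset identifier and method string are placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from typing import Tuple

CHUNK = 1 << 20  # 1 MiB read/write unit


def overwrite_zero(path: str, passes: int = 1) -> int:
    """Overwrite every byte of the image with zeros, in place.

    Assumption: a single-pass zero fill is an acceptable 'clear' for the
    media in question (true for magnetic disks, not for flash). Returns the
    number of bytes overwritten per pass.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(b"\x00" * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # make sure the overwrite actually reached the device
    return size


def verify_erased(path: str) -> Tuple[bool, int]:
    """Read the whole image back; return (all_zero, offset of first non-zero byte or -1).

    This is the check an audit report should rest on: a certificate saying a
    wipe was run is not evidence that nothing survived.
    """
    offset = 0
    with open(path, "rb") as f:
        while True:
            block = f.read(CHUNK)
            if not block:
                return True, -1
            if block.count(0) != len(block):
                first = next(i for i, b in enumerate(block) if b != 0)
                return False, offset + first
            offset += len(block)


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def audit_record(asset_id: str, path: str, method: str) -> dict:
    """Build one audit-trail entry for a wiped carrier (field names are placeholders)."""
    ok, offset = verify_erased(path)
    return {
        "asset_id": asset_id,
        "method": method,
        "size_bytes": os.path.getsize(path),
        "verified": ok,
        "first_nonzero_offset": offset,
        "post_wipe_sha256": sha256_file(path),
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
    }


def demo() -> dict:
    """Constructed sample: a 3 MiB + 123 byte random 'image', wiped and verified."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 123))
        before_ok, _ = verify_erased(path)           # expected False: data still present
        overwrite_zero(path)
        record = audit_record("ASSET-0001", path, "single-pass zero overwrite")
        return {"before_ok": before_ok, "record": record, "json": json.dumps(record)}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo()["json"])
```

The record is deliberately built from the read-back result rather than from the return value of the overwrite step, so a wipe that silently failed (write error, wrong device, unsupported media) produces a `verified: false` entry with the offset of the first surviving byte, which is exactly what an auditor needs to see.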
Galaxy CI are certified to ISO 9001 Quality Management and BS EN 15713 Secure Destruction of Confidential Materials. We also operate a zero-to-landfill policy and recycle all shredded materials after the secure destruction of data.
We can tailor a service to meet your business’ needs. Please get in touch for a free quote, or to talk through any specific requirements you may have with regards to erasure, destruction and disposal.