- Security TWENTY
- Women in Security
Secure data destruction and disposal continues to be one of the biggest risks to businesses, writes Laura Cooper, pictured, Client Services Director for DataRaze, an on-site data destruction services company.
Many businesses outsource their asset disposal to specialist, third party IT Asset Disposal firms (ITADs) to ensure regulatory compliance, mitigate any risk and free up business resource. For many of these businesses, secure data asset management, disposal and destruction fall outside of its core business remit – and it can be argued that the legislation surrounding asset disposal makes the process too complex for them to manage internally.
While outsourcing the responsibility of data asset management and data asset disposal enables these businesses to focus on what they do best, this practice is quickly becoming unsustainable. With the General Data Protection Regulation (GDPR) inching ever closer, businesses will need to reconsider the current approach to outsourcing their secure asset disposal. With data breach fines set to double in some cases, businesses must ensure that they have a clear audit trail and proof of data destruction to protect themselves against these large fines.
Proof of data destruction – why is it so important now? Under the current Data Protection Act, it is the data controller – not the processor – that is directly responsible for ensuring complete compliance with current data protection laws. The data controller determines the purposes for how personal data is used and processed. The data processor on the other hand, is anyone who processes personal data on behalf of the data controller.
In the case of outsourcing secure asset disposal, the data controller is the business outsourcing its data assets – and the processor is the ITAD. However, under GDPR, both the controller and processor are held equally accountable. This joint liability now means that both the business and the ITAD are responsible for the secure destruction of data assets. GDPR also requires any business that controls or processes data has detailed records of its processing activities.
Clearly, with the joint liability rules and the need for detailed documentation on how data is managed, processed and destroyed, businesses and ITADs alike will need to develop a transparent and unified view on how they manage secure asset disposal and how they verify that the data asset was destroyed in line with the regulations.
Top down approach
Businesses and ITADs need to approach data protection and disposal initiatives from the top down, way before data assets have even been flagged for destruction. Those at the top of each business need to lead the charge, informing and educating employees on the importance of robust and comprehensive data management processes. Failure to do so will make widespread adoption of GDPR-related data management policies and processes very difficult.
Once everyone in the business has a clear view of how to approach data destruction, the next questions to be asked are: Who has access? Who controls it and where does it go? These questions need to be answered on both sides. This is where the use of technology plays an important role to ensure accurate records relating to the data assets are continuously up-to-date, the destruction of the asset is documented and that a data controller has oversight of the data assets being destroyed.
Having a thorough understanding of these elements will enable businesses to build a detailed audit trail, highlighting every step of the process, from flagging data assets for disposal, to retrieval, to destruction. While the penalties and impact of GDPR are yet to be proven, the security risk associated with failing to manage data throughout its entire lifecycle is significant.