We live in a digital world. Irrespective of how often we interact in a physical sense with people, places and things, the simple truth is that life has become digitized. And the driving force behind the digital transformation is data.
A constant drip-feed of media reports that focus on the malicious parties that sit in the shadows waiting to grab our data has forced companies to take stock of how they look after collected data, especially when it becomes time to securely delete files. To put it more simply, erasing data effectively is now as important as data storage.
Collection Takes Precedence Over Disposal
The problem is that companies are not often not prepared to dispose of data in the same careful manner that they harvest it in the first place. An excellent example of this is a predicted mad scramble by companies to comply with the European Union's General Data Protection Regulation (GDPR) before it takes effect on May 25, 2018.
In simple terms, GDPR requires any organization, including those providing business-to-business and business-to-consumer products or services, that processes personal data from a natural EU citizen to be compliant with a set of rules and requirements. When you take into account the nature of the connected or digital society, then GDPR (in theory) could have a very long reach.
The general consensus among legislators, lawyers and people familiar with the requirements of being GDPR compliant is that most businesses are leaving it late to put data security and potential protection and disposal policies in place. And those businesses might get a nasty financial shock if they are found to be non-compliant after the regulation takes effect.
"It's not just fines that you should worry about, but stock value, potential class action and customer trust, for example. This isn't to throw more fear at you like everyone else, but to offer a little dose of reality," wrote Ed Tucker, the chief information officer of DP Governance, in an op-ed for Computer Weekly. "You are not going to prevent every attack or mishap imaginable, and nor should you aspire to, but can you demonstrate reasonable measures in the safeguarding of that data? Can you protect the value of that data to your organization? Your corporate objective is therefore not to map to the law, but to protect data."
Non-Compliance Can Have Consequences
The legislation was adopted in 2016 to provide EU residents with both more control over their collected data and address the export of data outside the EU by global companies, but it seems to be a no-brainer that data protection should be at the top of the list regardless. GDPR even spells out what companies should be doing with data, recommending that they appoint a data protection officer and be accountable for any and all data breaches.
Despite being given more than two years to get ready by the EU, the sad truth is that complying with GDPR appears to have been put on the back burner.
CRN.com reported that a survey of over 1,600 global organizations by U.S-based threat management appliance manufacturer WatchGuard found that a significant number of companies were months away from being GDPR-compliant. The survey said that;
- 37 percent of respondents did not know if they needed to comply with GDPR or not
- 44 percent of companies had no idea how close they were to being compliant
- 51 percent of respondents said they would need to make significant changes to existing IT infrastructure
- 48 percent of companies said they would outsource the compliance requirements
- 65 percent of respondents believed that a data protection officer was mandatory
- the average time to be GDPR compliant by companies working towards it was seven months
According to Alexander West, a commercial director and "IT destruction expert" at the UK's WasteCare Group, the requirements of GDPR will catch out many organizations.
"I expect examples will be made of several high-profile organizations from the outset in order to set a precedent," West said, in a sponsored interview cited by Digital Journal. "There are many complex aspects of the regulation; making sure your asset disposal procedure is compliant does not need to be one of them."
Destroying A Hard Drive Is Critical
Not taking data destruction or asset disposal seriously is a recipe for disaster. As we noted before, data is the engine behind the digital transformation that companies are undergoing. Which means that the technology that holds that data needs to be treated properly when the time comes for that machine to be replaced.
A common way to ensure that hardware is decommissioned properly is through the process of degaussing. Destroying a hard drive, for example, can be done by drilling a hole through a disk, shredding it or even hitting it (repeatedly) with a hammer, but these techniques don't actually erase the data. Instead, they leave an enticing trail of breadcrumbs for people that can retrieve data when they (almost inevitably) end up in a landfill or are "recycled" by specialist third-party data disposal experts.
A hard drive degausser, on the other hand, uses magnetic force to erase the data held on that drive. This process ensures that not only is the data unrecoverable by third parties but the hard drive itself will not boot up. In addition, companies that need to follow certain security standards can be confident that the process of degaussing will be compliant with data protection rules set by, say, the NSA or other non-U.S governmental agencies. As a leading manufacturer of hard drive degaussers, Proton Data Security has NSA-listed models that can help companies with data sanitization, without the need to outsource the process.
As an added precaution, we recommend that degaussing is followed by actual hard drive or disk destruction. This can be achieved by introducing a hard drive destroyer or shredder into the mix. Not only do these machines provide an extra layer of data security, they are powerful enough to reduce a hard drive to tiny pieces of electronic waste that can be disposed of at a later date.
For more information about how Proton Data Security can assist with your data protection and disposal needs, contact us today.