GDPR increases importance of documentation when it comes to data destruction

The GDPR is putting an added emphasis on data destruction documentation.

 

The new EU General Data Protection Regulation is shaking up the global IT world. The regulatory system attempts to protect the privacy of European Union residents by enforcing a common set of data security standards that will be enforced across all organizations handling personal data related to such individuals. As such, your business doesn’t have to be in the EU or even offer a dedicated service to European customers. If a person from the EU has used a service or purchased a product, then the GDPR could apply to your data security practices, giving you a responsibility to comply.

When it comes to hard disk destruction and similar data sanitization practices, the GDPR provides clear guidance, but it also puts more pressure on organizations to maintain a chain of custody and properly document their practices.

What the GDPR says about data sanitization
The new EU regulation includes a variety of regulations that could impact data destruction, and the need to create an audit trail is clear. Article 1, Section 17 protect a person’s right to be forgotten, meaning that individuals have the right to ask those controlling their data to erase it. Article 13 introduces similar issues of transparency by dictating that data controllers provide data subjects with key details relating to the information being collected. An International Data Sanitization Consortium report analyzing these regulations pointed out that these articles effectively mandate that organizations provide adequate proof of proper data erasure and can track the location of data from the time when it is available to be erased through when it is destroyed.

“GDPR compliance relies on transparency into every data-related process in a business.”

A separate blog post from the IDSC pointed out that the GDPR also creates complexity due to the number of systems that could inadvertently collect personally identifiable data, such as cars. A car rental company could end up in a situation where users accidentally leave personal data saved on vehicle systems without the organization knowing. Similar problems can arise when it comes to just about any connected device, from smart televisions to health care solutions. In any of these cases, businesses need to update their processes to gain full visibility into all of the data residing on storage systems and the processes used to destroy information on said devices.

Responding to the GDPR requirements
The nuances of GDPR are going to be difficult to deal with because compliance relies on transparency into every data-related process in a business. However, the way GDPR standards impact such processes as hard disk destruction are fairly straightforward. Once companies know what device they need to destroy and have logged whose information is on said storage media, they need only maintain and document a chain of custody throughout destruction. With a hard disk degausser or solid state drive shredder on site, this is as easy as having two technicians vouching for one another while destroying devices. Outsourcing data destruction creates an added degree of complexity that can be avoided, and Proton Data offers the powerful degaussing and shredding solutions organizations need to bring data sanitization in house and avoid unnecessary complications.

Proton Data Security: