GDPR compliance means more than data cleansing. What about erasing the personal data you are no longer legally allowed to hold? The critical differences between data cleansing and data erasure. By Iain Lovatt. Physical destruction. Quite literally, destroying hard drives or other storage media devices, by placing them in mechanical.
Secure data destruction and disposal continues to be one of the biggest risks to businesses today.
The impending date for the introduction of in May has brought data destruction and erasure strategies to the forefront of corporate strategic thinking. Thanks to potentially punitive fines for non-compliance and responsibility now sitting with the senior leadership team, data storage is now firmly at the top of the agenda in many organisations.Knowing about the issue and taking pragmatic steps to address it are clearly two different things. The problem is that organisations don’t always know where their data resides, so responding to subject access requests (SARs) for personal information is set to be a complex, time-consuming and expensive process., organisations must be able to prove that they can erase data properly and permanently.Once an initial data audit is undertaken, (most organisations should be well on the way to completing this process anyway in preparation for the GDPR) the next stage is to get rid of personal data that is no longer relevant, no longer in use for a specific purpose or relates to children under 16. How to erase data properlyHowever, just deleting data or reformatting magnetic media (including hard disk drives and tapes) will not be enough to ensure that the wrong personal data does not reside somewhere in the business. If data gets deleted from any media type it can be recovered in many cases, even when the hardware is damaged by flood or fire.Luckily, there are many software solutions available that completely wipe devices so they can be securely reused, resold or recycled.
There are also solutions that. There are of course more permanent erasure solutions such as degaussing which can take magnetic tape storage and render the device completely unreadable (and unusable).Virtual drives should also be considered as part of any data sanitisation process. In particular use virtualised infrastructure to partition storage space across multiple customers in order to achieve economies of scale. Many providers are then faced with the issue of infrastructure whilst leaving the rest intact, for example, if a customer ends their managed service agreement. The risks of physical drivesAnother big source of risk is physical drives, which tend to be recycled and reused by organisations seeking to contain the cost of storage. Without using the right data erasure tools and software, organisations cannot be sure that sensitive data has been removed before it is redeployed or sent back to the original equipment manufacturer.In a study of 64 disk drives bought online from locations including the US, Germany, France, Italy, the Asia-Pacific region, Poland and the UK, Kroll Ontrack found that 30 drives still contained traces of personal data.One of the drives raised particular alarm.
It had belonged to a company that used a service provider to erase and resell old drives. Despite that, the drive contained a wealth of highly sensitive information, including user names, home addresses, phone numbers and credit card details. It contained an employee list of around 100 names that included information about work experience, job titles, phone numbers, language abilities, vacation dates and a 1MB offline address book.Nearly a third (21 drives) contained personal photos, private documents, emails, videos, audio or music.
User account information was discovered on eight drives, including login data such as first and last names, contact details, email address, online account names and passwords.Transactional data was recovered from nearly every seventh drive (9). This included company names, salary statements, credit card numbers, bank account info, investment details and tax returns.The problem extends into the business world, as users access work from their own mobile devices.
Six drives in our study were found to contain critical business data such as CAD files, PDFs, JPGs and passwords.We even found full online store set ups, configuration files and POS training videos in our search of these six drives. A further five contained other work-related data: invoices and purchase orders, much of it including sensitive personal information.