As GDPR approaches, businesses everywhere are focusing their efforts on bolstering their data protection policies and processes in order to comply with the new legislation. Removing any data that could cause problems in the future, or that simply adds to the difficulty of staying compliant, is a good place to start, but as with almost everything, there is a right way and a wrong way to go about this. Here’s a brief overview of deletion, erasure, and the important difference you need to know.
A good first step towards compliance is to run an audit and data mapping of all the data a business holds in order to identify what is needed for normal business processes (and where it is), and then to see whether that aligns with the legislation. A balancing test should clarify the type of data the business can legitimately keep, and what should be removed. The business can then start removing the data that doesn’t align with GDPR, and the data that is simply not needed. This ‘minimisation’ makes sense because the less data you have, the less you have to protect.
It would also seem to cover many aspects of ‘the right to be forgotten’ clause. Under articles 16-21, this right to erasure requires businesses to be able to identify, access and securely remove all data relating to a person who withdraws consent or objects to the processing of their personal data when there is no longer (or never was) a legitimate reason for the business to have that data. Again, if you don’t have the data anymore, you are not obliged to protect, share or process it.
Data Deletion and Erasure
However, removing data is not as straightforward as it seems. Every single piece of information relating to a person (or persons), on every file, register, database, mailing list and back-up server, must be removed forever, and must not be recoverable.
As this also includes any and all external partners and third-parties the data has been shared with, smart companies protect their data through encryption or pseudonymisation in order to render the information useless should it be lost, leaked or stolen due to a data breach. But they still need to deal with the issue at source. Simply hitting ‘delete’ won’t cut it, because it won’t remove the data from every location where it could be found.
Most businesses opt for one of two solutions for data erasure:
- Deleting the file and emptying the recycle bin
- Deleting and reformatting the drive of the computer the file is held on
Neither of these approaches is adequate when it comes to GDPR, and the problem lies in the confusion over what constitutes ‘deletion’ and ‘erasure’.
Simply put, Windows and other operating systems don’t erase a file completely when it is deleted. Deletion normally only removes the directory entry and marks the file’s blocks as free; the contents stay on the hard drive until they happen to be overwritten, and attackers with access to the disk, malware and ransomware operators included, know how to recover files we may think are gone for good.
In order to completely and irrevocably erase a file, you must delete it, and then use specialised software tools that either wipe all hard drive free space (where the remnants of the file will be), or ‘shred’ the file, overwriting all of the file’s data so that it is impossible to recover.
Of course, this approach will take longer than a simple deletion process, so if you have been tasked with this job, it is best to prioritise confidential or sensitive files and data.
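The difference between a plain delete and a ‘shred’ described above, as an added example that is not part of the original article: the script below overwrites a file’s bytes in place with random data (flushing each pass to disk) before unlinking it, and a constructed demonstration writes a sample personal-data record, shreds it, and checks that the original bytes can no longer be read from the file. The passes count, the chunk size and the sample record are assumptions chosen for illustration.

```python
import os
import secrets
import tempfile


def overwrite_file(path, passes=3, chunk=64 * 1024):
    """Overwrite every byte of the file in place, `passes` times, with random data.

    Each pass is flushed and fsync'd so the overwrite actually reaches the disk
    rather than sitting in the page cache. Returns the number of bytes overwritten
    per pass. (Assumption: 3 passes and 64 KiB chunks are illustrative defaults.)
    """
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def plain_delete(path):
    """What 'delete' normally does: unlink the name and free the blocks.

    The file's contents are left on disk until the blocks are reused.
    """
    os.remove(path)


def shred_file(path, passes=3):
    """Erase rather than delete: overwrite the contents, then unlink."""
    size = overwrite_file(path, passes)
    os.remove(path)
    return size


def demo(directory=None):
    """Constructed demonstration: the sample record below is made up for this example."""
    directory = directory or tempfile.mkdtemp(prefix="erasure-demo-")
    record = b"SUBJECT: Jane Example <jane@example.invalid>; DOB 1980-01-01\n"  # constructed
    path = os.path.join(directory, "subject_record.txt")
    with open(path, "wb") as f:
        f.write(record * 100)

    # Overwrite first, then read the file back to show the record is really gone
    # from the file's blocks before the name is removed.
    bytes_overwritten = overwrite_file(path)
    with open(path, "rb") as f:
        residual = f.read()
    record_gone = record not in residual

    os.remove(path)
    return {
        "bytes_overwritten": bytes_overwritten,
        "record_gone": record_gone,
        "file_exists": os.path.exists(path),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should keep in mind. First, overwriting in place only reaches the blocks the filesystem currently maps to the file: on SSDs (where the controller remaps writes), on copy-on-write or journaling filesystems, and wherever snapshots or backups exist, older copies of the data can survive, which is why whole-device methods such as the drive’s built-in secure-erase command, or encrypting the disk and destroying the key, are the usual answer for retiring hardware. Second, the same idea is available as established tools rather than home-grown scripts: GNU coreutils `shred` on Linux and Sysinternals `sdelete` on Windows both overwrite before unlinking, and `shred` can wipe a whole block device.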
Secure Removal of Data in an IT Overhaul
When it comes to machine management and upgrading to new devices, businesses also face the challenge of replacing or recycling their IT infrastructure securely so that any data they want to remove is not left on any machines or devices they want to get rid of. This may be prompted by GDPR, or by the simple wish to upgrade, but whatever the reason, the erasure of sensitive data is still a prerequisite.
As with individual files or pieces of data, simply deleting the contents of a machine, device, hard disk or server won’t be enough to ensure that data doesn’t fall into the wrong hands once it has left the organisation.
There are software solutions available to handle the complete erasure of all data from a device, so that it can be reused, recycled or sold on, as well as solutions that can identify and remove specific files, and your IT support team or IT consulting service should be able to recommend the best ones for your company.
If your business just wants rid of certain machines, the process of degaussing can render them completely unusable, unreadable, and ready for the scrapheap. While this may be an extra cost, it is always better to be safe than sorry when it comes to getting rid of old machines that have at one time held the type of sensitive data GDPR demands businesses to protect or securely destroy.
The Benefits of Proper Data Erasure
GDPR is causing big headaches for businesses, but there is an upside, because it also offers the chance for organisations to re-evaluate their data protection and cyber security best practices, and the ways in which they can optimise their data storage, both of which are key to remaining competitive.
Properly and completely erasing data that the organisation no longer needs doesn’t just mean you are more likely to be compliant with GDPR, it can also have very tangible benefits.
The most obvious benefit is that because data storage is expensive, having the ability to securely erase it enables an organisation to recycle and re-use its IT infrastructure, saving on costs and providing a bigger share of the IT budget for innovation and future-proofing the business.
The process of planning out secure data erasure can take time that your in-house IT team does not have, so it is worth consulting with an outsourced IT support team with expertise in cyber security and GDPR compliance. They can provide a clear strategy for the safe removal of all data the business no longer needs, or that is not in line with GDPR requirements, ensuring that you can stop worrying about compliance, and start to focus on running your business again.
Find out how Optimity can help with secure data erasure and all other aspects of GDPR compliance by getting in touch with us, or by booking an audit, and get started by downloading our GDPR-readiness checklist: