Never before in the history of the world or business has this much data existed. Today’s data includes everything from basic and general information on customers to much more sensitive, personally identifiable data. This data helps businesses do their work more efficiently, but it also creates the risk that sensitive data may leak to third parties that might want to use this information for malicious purposes. In response to this threat, governments worldwide have begun tightening the rules and regulations that govern the use of data. The most prominent of these regulations is the General Data Protection Regulation (GDPR) that was introduced by the EU to protect the data of its citizens. In turn, this has created the need for businesses to invest in better practices when it comes to working with and destroying customer data.
Why is destruction of customer data important?
One of the provisions of the GDPR, and most other similar legislative devices, is that the person or entity who uses a customer’s data remains responsible for the safety and security of that data even if it is no longer being actively used. Under these provisions, every company needs to make sure that inactive data has been completely and irrecoverably destroyed since failing to do so can lead to significant financial and reputational damage. However, despite the clear advantages of having a robust data destruction policy in place, many organizations are falling short in this area. An integral part of doing responsible business in the digital age is the implementation of a well-designed data destruction policy.
What does a data destruction policy entail?
In general, data destruction refers to the total destruction of data, and this can be achieved through different destruction methods. One of the main factors that determine the appropriate process to destroy data is the sensitivity of the data. Since some methods are less secure than others, highly sensitive data should only be disposed of by physically destroying the storage medium. Some of the data destruction methods that can be incorporated into data destruction policies include:
Physical Data Destruction
This method of data destruction is considered the most secure and is the best way to destroy data that is highly sensitive or perhaps even classified. Often referred to as IT asset disposition, with this method the data in question is not just erased from storage mediums. Instead, the storage medium is physically destroyed rendering the data 100% irrecoverable. The one downside to this method is that it makes it impossible to re-use storage mediums for new data, making it expensive to use.
Secure Data Deletion
This method is suitable for most data types and since the storage media is never completely destroyed, the media can be repurposed for other uses. It is important to note that this procedure must be carried out by professional data destruction agencies which use specialized software to overwrite the existing data with meaningless binary code. While this procedure is also considered highly secure and effective, it is not as secure as the physical destruction of media storage devices.
Incorporate backup devices into your data destruction policy
While we are all aware of the importance of creating backup copies of critical data, we often overlook those backups when destroying data that is no longer needed. A good data destruction policy should also include the destruction of backup copies of all files. By allowing backup copies to remain in circulation when they are no longer needed, a security risk is created.
Add traceability for extra peace of mind
We might think that a data destruction policy should only deal with the actual destruction of data, but this is not the case. In fact, a data destruction policy should also include measures to protect data while it is being actively used. A critical component of this is the ability to always locate storage media and data during the entire data lifecycle. One way to do this is to keep track of the location of storage media via their serial numbers, this ensures that all drives are accounted for and minimizes security risks associated with physical theft of storage media.
Choose service providers wisely
Every data destruction policy that is worthwhile should include reputable and highly professional data destruction specialists. By using external service providers with solid reputations, you can ensure that your data is destroyed in accordance with international best practices, and you can expect to receive confirmation of this in the form of a post-destruction certificate. Having such a certificate proves that a company has discharged its responsibilities under the GDPR and similar regulations completely.
What this means for fraud examiners
Although data destruction is something that companies often neglect to spend enough resources on, it is an increasingly important part of every business. For fraud examiners especially, this can be a matter of ethics, since any type of data leakage can lead to identity theft, fraud or IP theft. By investing in the creation and implementation of a rock-solid data destruction policy, any company can protect its reputation and the confidential data of its customers while avoiding the financially crippling results of noncompliance with data protection regulations.
This article was written by Milica Vojnic of Wisetek. Milica regularly advises businesses on the importance of hard drive degaussing and ITAD services policy for keeping their company secure and compliant.
SOURCE: ACFE Insights – A Publication of the Association of Certified Fraud Examiners