It’s easy to overlook electronic media and end up holding personal data for longer than you should. To make sure you don’t fall foul of legislation, you need an electronic data disposal strategy.
In order to comply with data protection law, you need to have a strategy in place for reliably and securely disposing of all confidential data once you no longer need it. Your strategy should cover areas such as:
- What types of data you hold electronically
- Where and how you hold data (computers, file servers, cloud services, backup tapes etc)
- How long data should be retained
- How you’ll dispose of electronic data when the time comes
- How you’ll record data disposal.
The law on data protection will change in 2018 with the introduction of the GDPR, so even if you already have a strategy, you may need to revise it to meet the new requirements.
In the eyes of the law, confidential data stored electronically is exactly the same as information stored on paper. Once you no longer have a reason to retain it, it needs to be erased and disposed of in line with the regulations.
It’s relatively easy to keep track of paper documentation you hold, and make sure it’s securely shredded when you no longer need it. But electronic media can be harder to control. Data can easily be copied to multiple locations in the course of being used or shared within your organisation, which can mean you end up hanging on to data even without realising it.
If you have an old file server, it could still hold historical data. Perhaps you still have some old laptops or external hard drives you haven’t used for a while. Or maybe your team have got old USB sticks and flash drives rattling around in their desks with company data on them. You might also have some old backup tapes, or some DVDs or CD-ROMs onto which important files have been burnt. All these can be repositories for confidential data, and they need to be erased or destroyed.
Backup tapes and some hard drives use magnetic storage media. For this type of technology, simply deleting the files is not sufficient, as the data can still be retrieved by determined fraudsters. To make sure the data cannot be read again, you need to use either scrambling software or degaussing, which uses magnetic fields to permanently erase the media. You can read more about degaussing on our Degaussing and Data Destruction page.
Degaussing can’t be used for more modern flash-based solid-state hard drives and memory sticks, or for DVDs. The only certain method to make data on these types of media irretrievable is physical destruction.
If you’re certain you won’t want to use the equipment again, physical destruction will give you reassurance that you’ve completely destroyed the data on it. However it’s important to choose a reputable and accredited hard drive and digital media destruction company to keep your data secure until destruction. Once the process is complete, they should provide you with a certificate of destruction.
To talk through your own data destruction requirements, please call one of our shredding specialists.