Building a strong data disposal policy in the age of GDPR
The Right to Erasure, or the Right to be Forgotten. No, these are not Hollywood feature films. They are key factors in Article 17 of GDPR that stipulate the individual has the right to ask to have their data completely expunged from a corporate system. This includes customer data on any kind of storage media, whether that’s in your marketing database, your customer database, or on your mobile devices. These requirements play an important role in how leaders need to design their data disposal, data destruction or data sanitization policies; all words being used interchangeably. It’s not insurmountable if you take it in logical steps.
While GDPR applies to European citizens, wherever they may be, everyone should be looking at GDPR in general, to understand how it impacts their company and what compliance measures they need to implement. If you have any type of business with European citizens, then you need to be aware of the impacts of GDPR. Even without GDPR exposure, U.S. companies should be aware that thirty-two states have some form of data disposal laws and thirty-one address digital data explicitly, so there are compliance requirements that need to be re-visited periodically in any case.
Russ Ernst, VP Product Development, Blancco Technology Group, a data disposal solution company, says, “A general way is to have an effective understanding of the data life-cycle in your own organization. Think about where the data comes in, how the data is being used, and then how the data needs to go to end of life.”
Where’s your data coming from?
The first step to take in building a strong data disposal policy after determining whether you have GDPR exposure is understanding where the different personal data collection points are within your organization.
Identify how data is collected, where it’s coming from and how it’s stored. Realize that it's not just about data on an individual that you may be collecting directly. Sometimes enterprises may also be collecting data on individuals through third-party data services like marketing databases. For example, you buy a database to target that includes an individual’s email address. That's not collecting data directly from an individual or a customer; you're collecting that data from a third-party source.
How’s it used and where’s it stored?
Understanding how it’s used and where it’s stored adds a critical piece of the puzzle to the intelligence process. Is it stored locally on machines? On virtual desktop interfaces? Are you just storing the data in a flash? Is it in true memory, on desktops, in on-premise servers? Other possible locations include data centers and on third-party data storage sources.
According to Ernst, “ Once you start to look at how the data is being used, it then becomes about classifying the data and generating effective policies for certain types of data. Maybe you only collect certain types of data, so you're not contributing data to the swamp. You actually have some clean practices for how you're ingesting the data, how it’s being used, understanding the business intelligence dashboard. This is all important.”
There are different ways of storing and securing data depending on the type of classification that you’ve put on it. Sensitive or confidential data must be stored securely, whereas the means used to store transient data that can be consumed by any public source, isn’t as important.
Any organization’s data policy needs to fold archival and sanitization policies that it can enforce into it. Once the data is moved out to a data lake somewhere or is put into an archival format somewhere on a tape drive, you now have data that's being stored in different types of locations. Ernst emphasizes, “The enterprise must understand the type of data that's there, what's important, how long it's going to be retained according to retention policies, and then have the ability to enact the destruction or sanitization of that unimportant data. There’s a large percentage of ‘ROT data,’ an acronym for Redundant, Obsolete, or Trivial. I've heard statistics that 85% of an enterprise's data falls into this category.” Getting rid of the ROT saves IT significant amounts of storage space and money.
End of life last rites
When the time comes to destroy the data, it’s typically a three-step process. Perform the erasure, verify that the erasure's been done, and then provide a certified, auditable report that it's been done.
Destruction isn’t as simple as just putting a magnet over a drive and thinking that the data's gone. That doesn’t work with SSD drives and more modern types of storage media. Data erasure is incumbent on the type of media that’s being used and requires different algorithms. Ernst explains, “The first two steps are software-based mechanisms to perform an erasure algorithm on that identified data, then a software-based verification is performed that ensures the erasure algorithm was effective in eliminating the data. The last step provides the detailed report that yes, that data was effectively eliminated, at such and such time, using this specific algorithm.”
Building a strong data disposal policy can be almost painless if you know where your data is coming from. How it’s used. Where it’s stored. And can prove you’ve permanently destroyed it when the time comes. Once in place, it’ll inspire trust with customers and demonstrate business integrity.