Faced with the dual challenge of managing dig data alongside a multitude of regulatory pressures, companies are struggling to know which records to destroy, when and how. Martin Allen-Smith wades through the filing system

Organisations are caught up in something of a perfect storm when it comes to data. At a time when it is becoming easier and cheaper than ever to store huge quantities of data within a business, the regulatory environment has changed so that it becomes increasingly risky to actually do so without ensuring stringent controls and processes are firmly in place.

Since the implementation of GDPR rules on 25th May last year, minds have been focused on the issue of data at a level previously unseen. High profile cases – most notably the Information Commissioner’s Office’s imposition of a record £183 million fine to British Airways for the 2018 breach of its systems that saw information on around 500,000 customers compromised – has underlined the potential dangers of data falling into the wrong hands.

While attention has been focused firmly on the careful handling of personal data and how it is used, the timely, effective and secure disposal of data may not be at the top of the agenda. But perhaps it should be somewhat higher up the list of priorities given how fast the amount of data being stored is growing.

According to figures from research organisation Gartner, data volume is expected to grow by 800 per cent during the five years from 2018, with 80 per cent of this comprised of unstructured data. Even smaller businesses are routinely collecting and storing large quantities of data, much of it on local PCs and servers, mobile devices and, increasingly, in the cloud.

Where to start?

There is an inertia when it comes to efforts to keep this growing data burden under control, with two major factors at play here in contributing to this. Firstly, the falling cost of mass storage has led many businesses to simply decide to keep huge quantities of information instead of operating a secure disposal strategy. Alongside this, is the underlying concern of how best to dispose of data in a way that is secure and does not fall foul of the burgeoning requirements brought in under GDPR.

Although technology now makes it possible to store huge amounts of data, that does not necessarily mean it is sensible to do so. All hardware has a finite lifespan, so what happens to the data stored on old or faulty equipment? Research by IT provider Probrand reveals that 70 per cent of businesses in the trade sector do not have an official process or protocol for disposal of obsolete IT equipment, and two-thirds of employees within those organisations would not know who to approach within the business to correctly dispose of old or broken equipment.

Among the industries most guilty of failing to clear the memory of IT equipment before disposal in the months following the implementation of GDPR last year were transportation (72 per cent), sales and marketing (62 per cent), manufacturing (59 per cent), utilities (58 per cent) and retail (57 per cent). Storing data simply because it appears to be an easier option than proper disposal is a potentially dangerous – and costly – approach to take.

“Global organisations are unnecessarily wasting vast sums of money from non-compliance and onsite storage fees – charges that could be easily mitigated,” says Fredrik Forslund, vice-president of enterprise and cloud erasure solutions at Blancco. “This points to a huge lack of education within the sector about what to do with hardware that is faulty or has reached end-of-life. Organisations are letting this hardware pile up in fear of data leakage, resulting in loss of efficiency, increasing capital costs, possible noncompliance and potential security risks.”

He adds that the global datacentre industry remains gripped by a lack of time and resources to complete comprehensive data privacy processes and that this remains one of the key reasons why organisations – particularly those that own their own datacentres and store all data onsite – are keeping IT assets long past their useful lives.

All 600 organisations surveyed for research by Blancco earlier this year said that they stored a large portion of their data onsite, with 48 per cent storing 31–60 per cent of their data in this way, and 10 per cent storing almost two-thirds.

Many individuals failed a simple data sanitisation test, despite their job titles suggesting that they should know more. Over half of the respondents (57 per cent) wrongly believed that a quick or full reformat of a drive would permanently erase all data. Many organisations also stated they are using multiple methods to sanitise their data, and 62 per cent of those surveyed are using free online tools with no verification or certification to erase data securely.

Gone for good?

Data destruction involves much more than hitting the ‘delete’ key or moving data to a trash folder and emptying it. Doing either leaves an electronic trail that can still allow the unauthorised retrieval of sensitive information. Organisations need to follow best practices in their data destruction and disposition to protect themselves and their customers.

Iron Mountain recommends the implementation of several processes for ensuring proper disposal. Among the core advice is to create a metadata standard for determining whether to retain or destroy certain records. Destroying records you need and keeping those you do not can increase expenses, from both fees for destruction and inefficiencies from maintaining unnecessary records.

Businesses also need to put in place a clear and consistent records retention schedule. Some data needs to be stored for a short period, while other information has to be kept for much longer. Since the GDPR rules state that information should not be kept for longer than required, the onus is on an organisation to follow best practice for the type of data concerned or, where no existing guidelines exist, keep a written reference of the reasoning behind the storage periods so that this can be understood and reviewed later.

Critically, the destruction process itself needs to be documented and fully tested in order to ensure that it performs as expected. This also needs to cover any potential weak points in the process, particularly any third-party organisation that may use or have access to any of the organisation’s data.

“Not disposing of data correctly may sound like a minor problem, but it can have quite profound consequences,” says Luke Peach, compliance consultant at Bulletproof Cyber, adding that businesses commonly make the mistake of not wiping and disposing of old hard drives properly. “The problem is more widespread than many might think, as hard drives bought on eBay are often found to be stuffed with personal data.”

He points out that losing data in any way counts as a data breach. “This is because you can’t account for its whereabouts, so cannot say who has access to it or what someone may do with it. There are so many ways this can happen. Just look at the Heathrow Airport incident last year; someone just happened to lose a USB drive and suddenly there’s a data breach that cost the airport a £120,000 fine. If data or email information is stored on an employee’s work phone and that phone is lost or stolen, then that is a potential data breach.”

Peach says that having a data disposal policy and procedure – and making sure that it is being followed – is vital, and that in order to ensure this is carried out effectively, rules should be put in place for a ‘data perimeter’: “This means setting a limit past which data should never leave. This should be both physical and digital, and allows you to keep track of personal data at all times. Never email data to external contacts, never take financial or HR documents outside of their respective departments or folders, put controls in place and train your staff, and limit or outright ban the use of USB sticks.”

This article was published in the November-December 2019 issue of CIR Magazine.

Download as PDF

More interviews and analysis

Contact the editor

Follow us on Twitter

    Share Story:


Deborah Ritchie speaks to Chief Inspector Tracy Mortimer of the Specialist Operations Planning Unit in Greater Manchester Police's Civil Contingencies and Resilience Unit; Inspector Darren Spurgeon, AtHoc lead at Greater Manchester Police; and Chris Ullah, Solutions Expert at BlackBerry AtHoc, and himself a former Police Superintendent. For more information click here

Modelling and measuring transition and physical risks
CIR's editor, Deborah Ritchie speaks with Giorgio Baldasarri, global head of the Analytical Innovation & Development Group at S&P Global Market Intelligence; and James McMahon, CEO of The Climate Service, a S&P Global company. April 2023