It’s been almost half a year since the General Data Protection Regulation came into full effect, and by now most, if not all, organizations should be in compliance with the new regulations so that they handle their clients’ and customers’ data responsibly.
Being compliant with the GDPR means upholding many different practices, covering everything from data collection to data sharing and data destruction. It is extremely important that, as a company, you take these regulations seriously, because the repercussions for ignoring them are quite steep. It is paramount that the data you gather is collected legally and with consent, that you store it securely, and that you honor every request concerning that data made by the person it is about.
Because this form of control is new to customers, many of the requests that come in from clients or customers about their information will involve the destruction of their data, and companies must comply by offering the option to wipe or delete that information in full. This ability is the “right to be forgotten”, also known as the right to erasure. At a moment’s notice you need to be able to delete a client’s stored data and halt any further collection from that same client, and if you don’t comply, the fines can run up to 4% of your business’s income.
The GDPR treats data destruction as a form of data processing and defines it as the “elimination, erasure or clearing of digital content”. This means that any form of data destruction should follow the rules set forth by the regulation to the letter.
Three main steps will ensure you’re compliant with the data destruction process:
1. Implement the controls that give data owners full rights over, and control of, their data and content. Companies that hold data obtained by consensual and legal means must give users an option to delete any and all personal data, including but not limited to sales or browsing history. The process must be practical enough that all users know these options exist, and the action must both stop the flow of new content and eliminate the old as soon as possible.
2. All businesses are also required to ensure that any old data or content is securely erased. Simply deleting it via the operating system or server is not enough to satisfy the GDPR. Along the same lines, reformatting old drives and magnetic media isn’t enough either, because data can still be recovered from the physical hard drives or tapes.
3. The hardware involved in storing the customer’s or client’s data must also be properly disposed of, not just the digital copies of the content. One method that satisfies this requirement is degaussing, a process in which the hard drive is subjected to a high-energy magnetic field that scrambles the stored data into a random, unreadable order, making it inaccessible. Physical media may also be shredded, crushed, or incinerated to ensure full GDPR compliance.
While we often think about the physical traces of data, we tend to forget about digital storage locations like the cloud and virtual storage, which can also hold customer and client data that needs to be deleted properly when required.
Most third-party service providers offer a built-in option to partition and wipe storage. While the option is usually there, some providers leave residual data behind after a wipe, so check with your provider to make sure no trace remains of any data that was supposed to go poof.
The GDPR isn’t something that can be opted in or out of; it applies at all times and must be upheld to the highest standard. Every business will follow the regulations or risk a financial backlash large enough to be called “a major setback”. Data destruction is a large part of ensuring you’re compliant with these regulations and, as such, should be looked into thoroughly. Users should now have complete control over their data and should be able to find these controls with ease, so that all their data, virtual or otherwise, is dealt with in a timely manner and brought to its proper conclusion.
Honoring customers and clients should be the highest priority if it wasn’t before; if not for their sake, then for yours.
Are you GDPR compliant? Give us a call at Re2 Tech today and let us tell you!