In my last blog I reviewed what kinds of parties are held liable under the European Union’s General Data Protection Regulation (GDPR). Today I’ll cover some ways that these parties can protect the data they are responsible for, and ultimately, their own brand.
What Does Secure Mean?
The GDPR states that whether security measures are appropriate in each instance will depend on “the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.” This clause provides flexibility to allow for changes in technology and data policies.
So, in the absence of clear guidance in the GDPR, I recommend using government security agencies for guidance on what “secure destruction” of data requires. The following are options for the secure destruction of data.
Software overwriting can overwrite every byte of data held on computer data media, or produce a failure notice when a technical fault prevents sanitisation of the whole drive.
National security services have standards against which sanitising software can be tested and approved:
- USA NIST SP 800-88 Rev. 1 Guidelines for Media Sanitization
- UK CESG IAS 5 (a confidential document I am not permitted to circulate)
- DIN 66399 German data destruction guidelines
Degaussing erases data held on magnetic media by using a powerful electromagnetic current. The method is used for tape media, floppy discs and magnetic hard disk drives (HDDs) but not for solid-state devices (SSDs), which use nonmagnetic technology. See the US National Security Agency-approved equipment list.
- Drilling/Punching/Folding – For HDDs, data may be recoverable using specialist tools, so this should be regarded as an interim, disabling measure pending further destruction.
- Shredding – The term means to fragmentise devices to prevent access to data and facilitate materials separation and recycling. However, fragment sizes are of concern, as data may be recoverable using electron microscopes on larger pieces. Hence, standards set fragment sizes:
  - EN15713 European Information Destruction Standard for data-bearing media, including HDDs, etc.
  - Centre for the Protection of National Infrastructure (CPNI) – This UK government agency recommends shredding to a maximum fragment size of 20mm in any one direction for data-bearing media containing commercially sensitive material and to 6mm for protectively marked or classified material.
- Incineration – Incineration to ash is the simple definition used, and it renders data completely unrecoverable.
Certificates of Destruction
These should be provided for each individual data-bearing device, individually tracking devices by serial number, sometimes with multiple HDDs classed as “children” from a “parent” server. This record is useful to allow any organisation to demonstrate due diligence in data destruction.
This is recommended to track all waste materials transferred for secure recycling to third-party recyclers and wherever they may transfer material – data media sent for shredding and smelting, scrap metal casings, copper cables, precious metals in circuit boards, etc.
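One way to check the per-device records described under Certificates of Destruction before a certificate is accepted, applying the method rules stated in this article. This is an added example, not from the original post; the `Record` fields, the `audit` function and all serial numbers are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

MAX_FRAGMENT_MM = {"commercial": 20, "classified": 6}  # mm, CPNI figures quoted in the article
MAGNETIC_MEDIA = {"hdd", "tape", "floppy"}  # article: degaussing is for magnetic media only

@dataclass
class Record:  # hypothetical certificate line, one per data-bearing device
    serial: str
    media: str                       # "hdd", "ssd", "tape", "floppy"
    method: str                      # "overwrite", "degauss", "shred", "drill", "incinerate"
    sensitivity: str = "commercial"  # or "classified"
    parent: Optional[str] = None     # serial of the parent server, if any
    fragment_mm: Optional[float] = None
    verified: bool = True            # False = software raised a failure notice

def audit(records, known_parents):
    """Return (serial, problem) findings; an empty list means no gaps found."""
    findings, seen = [], set()
    for r in records:
        if r.serial in seen:
            findings.append((r.serial, "duplicate serial number"))
        seen.add(r.serial)
        if r.parent is not None and r.parent not in known_parents:
            findings.append((r.serial, f"parent {r.parent} not in asset list"))
        if r.method == "degauss" and r.media not in MAGNETIC_MEDIA:
            findings.append((r.serial, "degaussed, but media is not magnetic"))
        elif r.method == "drill":
            findings.append((r.serial, "interim measure only, further destruction pending"))
        elif r.method == "overwrite" and not r.verified:
            findings.append((r.serial, "overwrite failure notice, drive not fully sanitised"))
        elif r.method == "shred":
            limit = MAX_FRAGMENT_MM[r.sensitivity]
            if r.fragment_mm is None or r.fragment_mm > limit:
                findings.append((r.serial, f"fragment size missing or over {limit}mm"))
    return findings

# Constructed sample: server SRV-001 with child drives, plus two strays.
SAMPLE = [
    Record("HDD-A1", "hdd", "shred", "commercial", "SRV-001", 18),
    Record("HDD-A2", "hdd", "shred", "classified", "SRV-001", 18),
    Record("SSD-B1", "ssd", "degauss", parent="SRV-001"),
    Record("HDD-C1", "hdd", "drill", parent="SRV-009"),
    Record("HDD-D1", "hdd", "overwrite", verified=False),
]

if __name__ == "__main__":
    for serial, problem in audit(SAMPLE, known_parents={"SRV-001"}):
        print(f"{serial}: {problem}")
```

Each finding is a device whose record would not support a due-diligence claim as written, such as an 18mm shred recorded against classified material.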
I recommend using a third-party ITAD provider to help you meet and navigate these requirements. The options for securing data to satisfy the requirements of the GDPR meet a number of needs and should be explained and offered by any reputable IT asset disposition provider. Which options do you prefer? Drop me a line to let me know.
Gary Griffiths manages global partner compliance for Arrow Electronics, ensuring that Arrow and its global partners comply with local and international laws, regulations, and best practices. A Chartered Environmentalist and a Chartered Waste Manager with more than two decades’ experience, Gary has expertise in data security and compliance.