Menu
Home IT Disposal Data Destruction IT Asset Management IT Scrap & Cans About Us Working with us Licences News Contact Us
« Back

Is your company data safe?

December 16 2015

Here’s how to make sure

We are collecting data at ever-increasing rates as the costs of data storage go down. Why get rid of our beloved data when we can always buy more storage space? Some companies like Google love collecting and working with data, and these companies will rarely if ever get rid of their data. But odds are your company is not like Google and does not need all of that old data.

Unfortunately, over time, often a company's storage of data starts to resemble the crazy old hermit's house with newspapers dating back fifty years stacked floor to ceiling. But instead of newspapers, your company is drowning in old digital data. While you may have a method to your madness and know where everything is, you probably do not need all of your old outdated data. To fix this mess, your company needs to figure out what data it has and create effective policies for disposing of it.

We are going to focus on digital data. All those ones and zeros that are littering your storage media. This document will address the important questions of who, what, where, when, why, and how you should destroy your data. For those of you who hate to throw anything away, please bear with me. This will not hurt a bit.

Your process should guide your company deliberately and irreversibly removing and destroying old data stored on your systems. This destruction is intended to be permanent.

Consistency Is Key

Having a consistent data destruction policy followed by everyone within your company at all times is vital, especially when you are faced with the ever increasing potency of government legislation as well as the potential irreparable and costly damage caused by a data breach.

A data destruction policy is the key part of any data retention policy. Completing and implementing your data retention policy will help you determine where you store your data, which makes it somewhat easier to delete old data you no longer need. Once you have mapped out of where you store your stuff and developed a policy on how long you need to keep it, you must formalise the destruction process.

Naturally, your data destruction policy must handle media leaving the control of your company differently than media simply being reused internally. However, even then, different procedures may apply for media used by different departments. The general rule for the disposal of any data, even when media is reused internally, is that simple deletion and overwriting of data is not enough.

When reusing media, you must create processes whereby your company wipes the old data, validates the data is gone and media can be reused, and then documents the completion of the process. Only upon completion of these steps should you release the storage media for reuse.

Things get more complex with media that leaves the control of your company. Whether you are destroying your old media or reselling it to another party, your data destruction policy must require additional processes. Your policy has to cover the purging and destruction of data and sometimes the physical destruction of media.

But how much destruction is enough?

In developing and implementing your data destruction policy, you face the challenge of coming up with a level of destruction that is appropriate for your company's unique needs. Simple deletion and overwriting of data on media your company is retaining and reusing may be appropriate in some instances. In other situations, you may require the total physical destruction of your media that may include degaussing, shredding, or melting your media.

Whether your company is obligated to take certain steps in destroying your data really depends on the laws, Acts, or regulations that regulate your organisation such as the Data protection Act 1998. These Regulations may say you need to keep your data for a certain period time dependant on the sector you operate in. Check with your Solicitor who can provide guidance on what laws, Acts, and regulations apply to your company's situation.

After your review of the applicable laws, rules, and regulations, you need to add steps to your data destruction policy. Your data destruction policy needs to address how to classify and handle each type of data residing on your media. Your policy needs a process for the review and categorization of the types of data your company has and what kinds can be removed. Classifications and contents of your data will also play a role. Data and media containing confidential information, trade secrets, and the private information of your customers requires the strictest controls and destruction methods. Data and media containing little to no risk to your company may have relaxed levels of control and destruction.

Educate, Verify and Follow Up

Do not forget to look at your contracts with other companies to ensure you are handling data destruction within the terms of those contacts. For example, non-disclosure agreements sometimes contain data destruction terms and you must comply with those terms.

Educate your people and verify they are complying with your policy. This is particularly important with media that you are not destroying, but instead are reselling or recycling. You should take samplings as appropriate to ensure you maintain the proper levels of destruction. If you are doing the data destruction in-house, you need to verify your data sanitation and destruction tools and equipment are functioning properly and maintained appropriately.

Document the entire data destruction policy so you will know what media is sanitized and destroyed. Your documentation should allow you to quickly answer those who, what, where, when, why, and how questions.

The last step of an effective data destruction policy is to have a process in place so you can follow up with regularly scheduled testing of your process and media to ensure the effectiveness of your policy. I.E

Finally,

There is help out there don’t worry!!

Organisations in the UK like Ucan Recycling specialise in assisting organisations just like yours putting robust and effective policies in place as well as taking control of the process and legal responsibilities of collecting and destroying your data for you, allowing you to focus your time and energy on other critical aspects of your business while having the peace of mind that all your organisations data has been handled in accordance with relevant regulations and standards.