We are collecting data at ever-increasing rates as the costs of data storage go down. Why get rid of our beloved data when we can always buy more storage space? Some companies like Google love collecting and working with data, and these companies will rarely or never get rid of their data. But odds are your company is not like Google and does not need all that old data. This article focuses on crafting an effective data destruction policy.
Unfortunately, over time, often a company's storage of data starts to resemble the crazy old hermit's house with newspapers dating back fifty years stacked floor to ceiling. But instead of newspapers, your company is drowning in sensitive data. While you may have a method to your madness and know where everything is, you probably do not need all your old outdated data. To fix this mess, your company needs to figure out what data it has and create effective policies for disposing of it.
Your process should guide your company in deliberately and irreversibly removing and destroying old data stored on your systems. This destruction is intended to be permanent.
Consistency Is Key
Having a consistent data destruction policy followed by everyone within your company at all times is vital. A data destruction policy is the second part of your data retention policy. Completing and implementing your data retention policy will help you determine where you store your data, which makes it somewhat easier to delete old data you no longer need. Once you have mapped out of where you store your stuff and developed a policy on how long you need to keep it, you must formalise the destruction process.
Naturally, your data destruction policy must handle media leaving the control of your company differently than media simply being reused internally. However, even then, different procedures may apply for media used by different departments. The general rule for the disposal of any data, even when media is reused internally, is that simple deletion and overwriting of data is not enough.
When reusing media, you must create processes whereby your company wipes the old data, validates the data is gone and media can be reused, and then documents the completion of the process. Only upon completion of these steps should you release the storage media for reuse.
Things get more complex with media that leaves the control of your company. Whether you are destroying your old media or reselling it to another party, your data destruction policy must require additional processes. Your policy has to cover the purging and destruction of data and sometimes the physical destruction of media.
But how much destruction is enough?
Gone, Baby Gone
In developing and implementing your data destruction policy, you face the challenge of coming up with a level of destruction that is appropriate for your company's situation. Simple deletion and overwriting of data on media your company is retaining and reusing may be appropriate in some instances. In other situations, you may require the total physical destruction of your media that may include National Cyber Security Centre (NCSC)-Approved erasure, degaussing, shredding methods.
Under data protection laws, your company is obligated to take certain steps in destroying sensitive data and you need to add steps to your data destruction policy to ensure you have processes to address this. Your data destruction policy needs to address how to classify and handle each type of data residing on your media. Your policy needs a process for the review and categorisation of the types of data your company has and what kinds can be removed. Classifications and contents of your data will also play a role. Data and media containing confidential information, trade secrets, and the private information of your customers requires the strictest controls and destruction methods. Data and media containing little to no risk to your company may have relaxed levels of control and destruction.
Educate, Verify and Follow Up
Do not forget to look at your contracts with other companies to ensure you are handling data destruction within the terms of those contacts. For example, non-disclosure agreements sometimes contain data destruction terms and you must comply with those terms.
Educate your people and verify they are complying with your policy. This is particularly important with media that you are not destroying, but instead are reselling or recycling. You should take samplings as appropriate to ensure you maintain the proper levels of destruction. If you do not have an in-house data destruction in-solution, you need to find a professional certified data sanitisation service with data sanitation using NCSC-Approved tools. Advance Services have been providing on-site/off-site data sanitisation services for over 13 years
Document the entire data destruction policy so you will know what media is sanitised and destroyed. Your documentation should allow you to quickly answer those who, what, where, when, why, and how questions.
Finally, the last step of an effective data destruction policy is to have a process in place so you can follow up with regularly scheduled testing of your process and media to ensure the effectiveness of your policy.