
How to destroy data the GDPR way

Written by Ryan Moore - Guest Contributor, May 07, 2019

Businesses now collect and store massive quantities of data. This information currently resides on local PCs and servers, mobile devices and, more commonly these days, in the cloud.

However, given that storage trends are continually evolving, there has never been a more important time to have a secure and reliable way to not only locate what data you hold but to also destroy it when needed. This is not just a matter of business security - enough alone to justify a robust strategy - as the regulatory reform brought with GDPR means data subjects now have a right to have their data deleted from a company's systems upon formal request.

This is particularly important today as the falling cost of mass storage has led many businesses to simply keep vast quantities of their information instead of operating a disposal strategy. In fact, Gartner predicts that these data volumes will grow by as much as 800% by 2022.


However, expanding storage capacity isn't a solution to effective data management. At some point, data will have to be erased and destroyed.

Enza Iannopollo, Forrester senior analyst of security and risk, explains to IT Security Centre UK that just because technology facilitates the storage of vast quantities of data, it doesn't mean it's OK to do so.

"We recommend all firms that engage in digital transformation or that are planning to leverage AI or machine learning, in particular, to make clear to their teams and third parties when it's fair and lawful to hold on to data and when it's not," says Iannopollo. "They should also provide viable mechanisms or guidance on how data must be deleted, and a way must exist to make sure that internal teams, as well as third parties, actually comply with these requirements."

Consumers can now take more control of their personal data, and this includes how and by whom this information is collected and stored. Having a clearly defined system for erasing data, no matter where it resides, is now a critical component of every business.

The matter of encryption


According to research carried out by Probrand, 70% of businesses do not have an official process or protocol for disposing of obsolete IT equipment.

What's more, 66% of workers admit they wouldn't even know whom to approach in their company to correctly dispose of old or unusable equipment.

Mike Wonham, senior research director at Gartner, tells IT Security Centre UK that the problem isn't just that sensitive data is being left on discarded hardware, but that there is often little to no encryption on those devices.

"The real question is about unprotected sensitive data. If the data is properly encrypted using a trusted encryption system, then, to a large degree, the existence of sensitive data is of low risk as the destruction of the password or key renders the data unusable."

"The problem is that this doesn't happen as much as it should, and the BYOD (bring your own device) culture will cause further issues as organisations may have to work harder to control data on those devices," he adds. "As with many security issues, an ounce of prevention is worth a pound of cure - strong policies on mobile device usage, along with technical controls such as CASB (Cloud Access Security Broker) and MDM (Mobile Device Management) to enforce and limit use and protect data, should be used to reduce the risk."


As data continues to proliferate, businesses need a detailed policy that defines how data is destroyed and, just as crucially, how it is managed if it's going to be retained.

"The retention policy is the other side of a destruction policy and determines for the organisation, which data should be kept for what purpose, and for how long. Armed with this information, the organisation can then decide how data of different sensitivities or retention requirements can be used - including where it can be stored, who can access it, and how it may be moved. This level of control will reduce the number of different scenarios which need to be covered by formal data destruction."

Wonham suggests sensible data destruction policies will then determine the "minimum acceptable means" by which data is destroyed, whether that's physical data or electronic data. What's considered "acceptable means" will vary depending on the scenario. These could include throwing away a password key for an encrypted device or the physical destruction of a device or storage medium. It's important to note that regulators will require evidence of this destruction, whether it's done in-house or by a third party.

"Destruction policies can be, in essence, quite simple," explains Wonham. "More complex is the implementation, as even reasonably small companies will need to track all forms of storage media used by the company in order to destroy data in line with privacy legislation, subject access requests or other retention policy requirements.

"Again, controlling the dispersal of data during its lifecycle will provide more confidence that these requirements are met."


Maintaining value under GDPR

Perhaps among the most important tenets of GDPR are the rights to subject access and subject consent. Data subjects have never had as much control over how their information is processed and stored, and these rights require comprehensive data management strategies to both track and destroy data with confidence when required.

"Organisations need to pay more attention to the data management issues which are driven by external compliance such as GDPR," Wonham explains. "They should look at the lifecycle of the data to determine where they should or should not be used, and how processes can intervene to ensure compliance."

However, Wonham suggests this does not need to be done at the expense of value, unless such value was traditionally obtained in contravention of lax data regulations. "Instead, good data management reduces data proliferation and duplication, and can go some way to reducing cost and friction within the data lifecycle, and not just reducing the risk of non-compliance."


The future of data destruction

It's this regulatory pressure that will drive security and IT teams to ensure they have better control over data regardless of the device and format that it's stored on. The best way to ensure that control, for both protection and destruction, is to use encryption in its various forms. However, businesses should be looking to adopt a wide range of complementary policies.

"Gartner looks to tools like MDM, CASB, DLP (Data Loss Prevention), and digital rights management, as being a portfolio of methods by which clients can achieve better compliance in a diverse set of endpoint and other storage systems," explains Wonham.

"However, companies need to get a good handle on the what, where, how, who and why of data management first, otherwise the tools will offer much less value. Organisations that take a primarily tool-based approach to compliance with privacy regulations, or even the protection of intellectual property, will struggle to get effective control over data, its use and its protection."

Taking control of destruction


There are a variety of techniques that can be used to erase data. Specialist companies can offer degaussing services, where a powerful magnet is used to erase the data from a drive. However, it's also possible to scrub a device using software.

It's vital to match the type of data destruction your business needs to carry out with the needs of the data owner. To help inform this decision, the International Data Sanitization Consortium has a handy infographic that defines the options available.

