What happens to your old work desktop, laptop or mobile phone when it is no longer suitable for use? For the most part, businesses use an IT Asset Disposal (ITAD) company to destroy any hardware that has reached its end of life.
Using an ITAD or third party external partner is probably the most common scenario for businesses. The sheer volume of redundant or obsolete IT equipment that a small to mid-sized enterprise generates each year is significant enough for over 400 UK-based ITADs to stay in business.
Remarkably, in many businesses robust data asset destruction processes still don’t exist – and where they do exist the probability is that they are flawed. Why? Because they rely on employees taking a sensible approach – and we all know the risks associated with involving humans.
Just consider the numerous examples where businesses have failed to take the destruction of IT equipment seriously enough:
- Hundreds, even thousands of data laden devices are stored in locked, or even unlocked store cupboards. These are vulnerable to theft or loss.
- Recycled IT equipment is regularly posted for sale online without sufficient erasure of the data it once held. Employees can be looking to make a fast buck by auctioning off ‘forgotten’ IT assets that should have been securely destroyed months or years ago.
- Company laptop bags have been handed over to the IT team after use, and then to third party disposal organisations, without being checked. This can leave legal documents, credit cards and mobile phones at high risk of theft, and the data they hold at risk of being accessed and leaked.
This lacklustre approach to the safe disposal of physical data assets cannot, and should not, continue once GDPR is introduced. Highly secure businesses that need 100% assurance that the data asset has been destroyed cannot afford to take this risk. They need to be confident that processes are in place for the safe destruction of equipment and eradication of sensitive data.
Typically, these businesses operate within the financial, legal, military or government agency sectors and don’t want to rely on third party ITADs to destroy physical data assets that have had highly sensitive information stored on them – they want to keep things in house, and this is where DataRaze comes into its own.
The fact that businesses in highly regulated industries are increasingly looking towards data destruction rather than data erasure underlines their understanding of the risks associated with incomplete data erasure.
How can businesses make sure data is disposed of correctly?
Recycling IT equipment using a third-party provider has become a standard component of business operations in recent years. Even so, many businesses are still wrestling with the challenge of securely disposing of their IT equipment. The simple fact is that without a robust, end to end chain of custody, organisations will struggle to demonstrate the level of data control required under GDPR.
Here are some key questions to ask the person responsible for your data security:
- What is the process for managing end of life equipment?
- Who oversees that data is erased or drives are destroyed correctly?
- Is there a robust asset management model for tracking equipment throughout its entire lifecycle?
- Is there an audit for end of life disposal?
- Where is the central control and oversight?
The only way to be absolutely sure that highly sensitive IT data assets are destroyed is to shred that asset and have a detailed audit trail that stands up to the scrutiny of the Information Commissioner’s Office.
- Hard disk shredding to 6mm is the Centre for the Protection of National Infrastructure standard.
- Serial number, rack number/location, drive make/model and the date/time of failure can all be inputted and recorded into the system before an asset is shredded.
- Photographs of the IT asset and a video of each shred can be taken to provide confirmation that the data destruction has taken place, which can be shared with any internal or external auditor.
Ensuring End of Life is Essential.
In this era of exponential data creation, businesses need to create and follow stringent audit processes across the entire IT lifecycle – from cradle to grave. Therefore, it is essential for businesses to ensure end of life equipment is not only recycled correctly, but is also subject to a rigorous process of destruction.