Recent events have once again put cyber security back at the top of the boardroom agenda. Most likely every business operating in the UK has revised its data security policy and vowed to invest more money in strengthening its defences. But why should it take an attack on the scale of ‘WannaCry’ to kick-start business leaders into action and focus on security, and is any available budget being spent wisely?
Businesses are still reacting to flaws within their data security rather than taking the necessary steps to protect themselves – and their valuable data assets – in advance: a classic reactive instead of proactive approach. The easy option is to outsource IT security to a third party, and with it the responsibility should a data breach occur. For example, many businesses outsource their IT support and still rely on IT Asset Disposal (ITAD) companies to handle the secure destruction of valuable data assets. There are around 400 ITADs in the UK at the moment, making it a competitive marketplace. However, it is believed that just 10% of those ITADs will be able to provide the level of assurance and proof of secure data asset destruction required under the General Data Protection Regulation (GDPR), which comes into force in May 2018.
GDPR changes the game for businesses that outsource their data security, data management and data disposal. Businesses can no longer outsource responsibility to third parties. If they have failed to ensure that robust data security, data management and data disposal processes are in place, then they will be held responsible.
The current Data Protection Act should ensure that businesses have a handle on the risks associated with data storage and retention, but GDPR provides further scrutiny of data management, with very significant penalties for businesses that fail to safeguard personal data.
Take control of your data security
With this increased scrutiny, can businesses rely on third parties to provide the rigorous chain-of-custody assessment and absolute proof of data disposal that the Information Commissioner's Office (ICO) will demand? The joint liability under GDPR places the onus on any business to demonstrate a highly robust data asset destruction process. Therefore, outsourcing responsibility without looking for chain-of-custody evidence is not going to cut it with the ICO in the event of a breach.
Organisations need to understand that different data types are subject to different levels of sensitivity and management requirements. Demands for data retention, update and deletion are becoming more specific under GDPR. One of the biggest areas of risk that remains, because it is routinely overlooked, is the way in which end-of-life equipment – and its associated data – is decommissioned. Who is managing the safe destruction of the data held on these assets? How confident is the business that the data is being completely destroyed? And where is the unquestionable proof that an asset has, in fact, been destroyed and is not likely to appear for sale online?
It is time for businesses to take ownership and control of their data security. Reliance on third parties without robust evidence of good practice will not achieve compliance under GDPR. There needs to be a shift of focus from reactive investments made in response to high-profile events to a clear, proactive strategy that safeguards data assets throughout the entire cradle-to-grave lifecycle.
For more information on GDPR, what it means for your business and how to protect yourself, download our eBook – Data Destruction: The Weak Link in Data Security.