What are the penalties for GDPR non-compliance?
Evidencing data erasure and destruction is no longer just a requirement for end-of-life equipment. When the GDPR (General Data Protection Regulation) took effect on 25 May 2018 it radically altered the way personal data is collected, processed, stored and disposed of. The regulation also gives organisations an opportunity to differentiate themselves by how well they respect the privacy of individuals. With maximum fines for a breach of the GDPR set at 4% of an organisation’s total worldwide annual turnover for the preceding financial year, or €20 million (whichever is greater), businesses need to recognise their responsibilities and put measures in place to meet their legal obligations.
The right to erasure
Under Article 17 of the GDPR, individuals have the right to have their personal data erased, also known as ‘the right to be forgotten’. Where the right applies (for example, the data is no longer necessary for the purpose it was collected for, consent has been withdrawn, or the data was processed unlawfully) the organisation must remove the personal data it holds on that individual without undue delay. The right is not absolute: Article 17(3) lists grounds, such as a legal obligation to retain the data, on which a request can be refused. Because the GDPR also makes organisations accountable for demonstrating compliance, they must be able to show, through an auditable process, that the data really was erased.
Deletion and erasure are often confused and treated as the same thing. The concern is that many companies assume that restoring factory settings, emptying a recycle bin or formatting a drive is enough for GDPR compliance. In practice, deleting a file normally removes only the file system’s reference to it: the underlying blocks stay on the media until something overwrites them, and forensic recovery tools can read them back. Data that has been properly erased, by overwriting those blocks or destroying the media, cannot be retrieved. Without the right erasure tools and software, and a verification step that confirms the overwrite actually happened, an organisation cannot be sure that sensitive data is gone.
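The distinction above, shown on a simulated block device. This is an added example and is not code from the original post or from TXO; the `ToyDisk` class, its block layout and the sample customer record are all constructed for illustration and stand in for a real file system on a real drive. Ordinary deletion drops the directory entry and leaves the blocks untouched, so a raw scan of the media (what a forensic carving tool does) still finds the personal data; erasure overwrites the blocks, reads them back to verify, and only then releases them, returning a record of what was done.

```python
import secrets

BLOCK_SIZE = 64
NUM_BLOCKS = 32


class ToyDisk:
    """A block device with a separate directory table, like a real file system.

    File contents live in the blocks; the directory only maps names to block
    numbers. Deleting a file touches the directory, not the blocks.
    (Constructed for this example; not a real file system.)
    """

    def __init__(self):
        self.blocks = bytearray(BLOCK_SIZE * NUM_BLOCKS)
        self.directory = {}                 # filename -> list of block indices
        self.free = list(range(NUM_BLOCKS))

    def write_file(self, name, data):
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)] or [b""]
        if len(chunks) > len(self.free):
            raise OSError("disk full")
        indices = [self.free.pop(0) for _ in chunks]
        for b, chunk in zip(indices, chunks):
            start = b * BLOCK_SIZE
            self.blocks[start:start + len(chunk)] = chunk
        self.directory[name] = indices

    def delete_file(self, name):
        """Ordinary deletion (rm, Recycle Bin, quick format): drop the
        directory entry and mark the blocks free. The bytes stay on disk."""
        self.free.extend(self.directory.pop(name))

    def erase_file(self, name, passes=1):
        """Erasure: overwrite every block the file occupied, verify the
        overwrite by reading the blocks back, and only then release them.
        Returns an audit record of the kind a certificate of erasure is built on."""
        indices = self.directory[name]
        for b in indices:
            start = b * BLOCK_SIZE
            for _ in range(passes):                       # random-data passes
                self.blocks[start:start + BLOCK_SIZE] = secrets.token_bytes(BLOCK_SIZE)
            self.blocks[start:start + BLOCK_SIZE] = bytes(BLOCK_SIZE)   # final zero pass
        # Verification: read back and confirm the final pass is really on the media.
        verified = all(
            bytes(self.blocks[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE]) == bytes(BLOCK_SIZE)
            for b in indices
        )
        self.delete_file(name)
        return {
            "file": name,
            "blocks": indices,
            "method": "overwrite (random passes + final zero pass)",
            "overwrite_passes": passes + 1,
            "verified": verified,
        }

    def carve(self, needle):
        """What a forensic tool does: ignore the directory entirely and scan
        the raw blocks for a known pattern."""
        return bytes(self.blocks).find(needle) != -1


# Constructed sample record; the personal data in it is fictitious.
RECORD = b"name=Jane Example; dob=1980-01-01; email=jane@example.invalid; note=" + b"x" * 40


def demo_delete():
    """Delete the file, then check whether its contents are still carvable."""
    disk = ToyDisk()
    disk.write_file("customer.txt", RECORD)
    disk.delete_file("customer.txt")
    return "customer.txt" not in disk.directory, disk.carve(b"jane@example.invalid")


def demo_erase():
    """Erase the file with two random passes plus a zero pass, then carve."""
    disk = ToyDisk()
    disk.write_file("customer.txt", RECORD)
    record = disk.erase_file("customer.txt", passes=2)
    return record, disk.carve(b"jane@example.invalid")


if __name__ == "__main__":
    gone, recoverable = demo_delete()
    print(f"after delete: entry removed={gone}, data carvable={recoverable}")
    record, recoverable = demo_erase()
    print(f"after erase:  verified={record['verified']}, data carvable={recoverable}")
```

On real hardware this is what erasure software automates, with two additions the toy omits: on SSDs, wear levelling means a host-side overwrite is not guaranteed to reach every physical cell, so the tool has to use the drive’s own sanitise commands; and the verification result, together with the device serial number and method used, is what goes into the certificate that evidences compliance.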
How to erase data properly for GDPR compliance
One way to achieve total data erasure is to smash up your hard drive. TXO provides a secure disposal service to our clients and is committed to the highest standards of responsible telecoms recycling. With our on-site hard drive destruction service, TXO arranges for a mobile shredding vehicle to attend your premises; destruction takes place in situ and TXO issues a certificate of data destruction with a detailed asset register by part code and serial number. Alternatively, your hard drives can be destroyed at TXO’s facility: the material is collected in a secure vehicle, the devices are catalogued by part code and serial number and then physically shredded to 30mm fractions, again with a certificate of data destruction produced for your records.
Hard drive destruction isn’t the only option. Software solutions exist that permanently erase data-bearing devices so they can be securely reused, resold or recycled without fear of inadvertently placing sensitive data in the hands of others. Where the client approves this option, TXO wipes your hard drives using the industry-leading Blancco data erasure software and provides certificated evidence that the hard drive or array has been completely wiped. Note that on flash-based media such as SSDs, wear levelling means a simple overwrite from the host does not reliably reach every cell, so the erasure software has to use the drive’s own sanitise commands and then verify the result; this is one reason to use purpose-built tooling rather than an ad hoc wipe. Through our data erasure services we ensure you stay compliant with the most rigorous regulatory standards, including the UK government’s HMG Infosec Standard 5 (IS5) at the Higher level.
Where can you get more information?
There are lots of companies that offer to help with GDPR. TXO can certainly assist you when it comes to hard drive destruction and to erasing data-bearing devices so they can be securely reused, resold or recycled.
For more information on the regulation in its entirety, visit the UK Information Commissioner’s Office (ICO) website, which has a section of advice and guidance, or the European Union’s GDPR website, which also gives very good advice.
*Disclaimer: This post is for general information purposes only and does not constitute legal or other professional advice.