In today’s business environment every bit of information is valuable. Most of the time that information is captured and stored as data: customer contacts, email communication, sales projections, proprietary information and many other forms critical to business functions.
All of this sensitive and important data is stored on electronic devices or across a network of devices. In the past most data was kept on paper, where it could be destroyed when needed by running it through a shredder. Not so when it comes to data stored digitally. When data on modern devices is not wiped and deleted properly, it can still be retrieved. This in turn can lead to data leaks and data breaches. When this data falls into the wrong hands it can lead to many unwanted repercussions for a business, from loss of customers and revenue to noncompliance, brand damage and even prosecution.
The first critical step in the safe disposal of data devices should be a policy regarding data security and data disposal. Organizations must draw up proper policies and designate an employee responsible for tailoring them to the organization. In Europe, the EU General Data Protection Regulation (GDPR) requires public sector bodies to employ a Data Protection Officer. As such it would be good practice for private organizations to follow suit.
Secondly, educating employees about the policies is important, as a policy is pointless if employees are not aware of it. Ensure that all employees who have a role in processing, managing or storing organization or customer data know what steps to take with end-of-life data assets. Even when employees are aware of the end-of-life data asset process, they should be educated to understand the risks of a data breach and the importance of following the process diligently.
Next, organizations must determine how drastic the destruction process should be. For example, if the data held on the devices is especially sensitive, organizations may need to physically destroy the hardware in addition to wiping it. Less sensitive data may not require such thorough action. Regardless of the severity, the best way to protect the organization against negligence is to have a representative from the business witness the destruction of the data asset and ensure that a Certificate of Destruction is issued in accordance with the latest industry regulations.
Further, an organization could appoint a trusted supplier that can help it establish a defensible, documented and repeatable process to prepare, handle or transport, and destroy data both onsite and offsite, using methods that comply with global standards. This is important, as some hardware might otherwise be sold to third world countries.
Finally, get certified. When an organization's secure IT asset disposition strategy is certified to comply with regulations such as the EU WEEE Directive and the ISO 14001 standard, the organization can prove its compliance. These standards ensure that old electronics will not:
- Be sold to developing nations
- Be dumped in landfills
- Be at risk for security breaches of any kind
Adhering to these standards can help protect an organization's private data, reputation and bottom line.