After two years of the information security industry repeatedly warning businesses that there was a herculean amount to do in terms of GDPR preparedness, British businesses still stumbled across the line in various degrees of disarray. Many had started to put things in place, but as readers of GDPR report will have seen from a survey Shred-it conducted and released in mid-May, many businesses were still totally unaware of GDPR, even just weeks ahead of May 25th.
So, it’s a safe bet that very few were able to get their house completely in order and much work has still yet to be done.
One critical area where action had yet to be taken was on identifying the legal basis for holding data, with just 1 in 5 businesses having done that when asked back in April. To manage risk of regulatory fines and reputational damage, companies need to establish which data they’re allowed to keep, and which data has got to go. They then need to get rid of it effectively. Here are the top five tips when establishing and executing a successful data deletion and destruction policy:
1. Identify the data you cannot hold – GDPR is fairly clear on the legal bases for holding data. The chances are that if you do not have consent, a contractual agreement, a legal obligation or a legitimate interest, you probably need to delete some of that data. More information is available on the Information Commissioner’s Offices’ website. For much of the data you hold, it will probably be relatively easy to establish that legal basis, whereas some might require more discussion with legal teams.
2. Don’t be hasty – Yes, becoming compliant is important as soon as possible, but it is a journey. The worst thing a business can do is panic and then realise that they have deleted data that was critical to business operations and that they had a legal right to process. Complying with GDPR is imperative, but it should be done as part of a larger, strategic data management and destruction programme
3. Document your efforts to institutionalise GDPR best practice– The ICO, the body responsible for GDPR in the UK, has indicated that they are not on a witch-hunt and firms that can demonstrate good faith efforts to comply and protect the information of citizens need not fear. So, if for any reason your organisation does fall victim to a breach or is randomly audited, it is critical to showcase the policies and steps that you had put in place. For example, be prepared to show that employees were trained on how to use public WiFi, the need to report a lost device, how to dispose of sensitive paper documents, what data they are allowed to hold on to, etc.
4. Do not just send data to the recycling bin or chuck it in the waste bin – Binning sensitive documents in the regular recycling creates a vulnerability and even when deleted, data lives on and can be recovered from physical hard drives and mobile devices. If you do not currently have clear end-of-life procedures for sensitive documents or devices that store data, these need to be put in place now. Whatever the format of data, organisations need to assess the effectiveness of their destruction efforts – is there any chance this could come back from the dead?
5. Implement a Clean Desk policy – Data from Shred-it’s recent State of the Industry report suggests that employees are prone to leaving confidential information scrawled upon their desks and up on screen for prying eyes. A Clean Desk policy, where employees are encouraged to keep minimal documentation on their desks at all times, and to clear down at the end of each working day, can significantly mitigate risk. This means no documents left on display, laptops safely locked away or in the employee’s possession. Reduce your “physical” attack surface.
There are many ancillary benefits to some of the steps outlined above. Businesses that commit now to ensuring their data deletion policies are comprehensive across both digital and physical formats are significantly mitigating their risk of fines and admonishment from the regulator.
By Neil Percy, Vice President of Market Development EMEA, Shred-it
PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.
For more information on upcoming events, visit the website.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.
Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered. https://www.privacyculture.com/