A survey of more than 650 European companies shows that more than 80% of IT managers in Germany, France, Britain and Italy know nothing about the content and impact of the new European Data Protection Regulation (GDPR), which will be published next year.
While 51% of respondents believe that the new rules will affect their data management strategy and their data destruction processes, 61% reported that they have not yet taken any concrete measures to ensure the necessary adaptation. More than half of the firms (55%) have neither checked nor adjusted their processes for data destruction so far. 25% of all respondents also indicated that they have no process for data destruction in place at all.
This is all the more surprising since the new EU regulation, also known as GDPR (General Data Protection Regulation), intends to improve the protection of personal data in Europe. With its introduction in the coming year, the regulation will turn “the right to be forgotten” virtually into law, and companies will be obliged more than ever to comply with personal data protection for the data they collect.
Although data protection in Germany is already relatively well established by means of several regulations and acts, in contrast to many European countries where personal information is sometimes handled in a very lax manner, the new Data Protection Regulation goes far beyond this: it requires all European Union-based companies to erase personal data on request or when the company no longer needs it. At the same time, companies are required to use verifiable procedures when processing personal data.
When asked about their currently active data destruction processes, it becomes clear that there is still much to do in the business community: more than half of all companies (55%) have established active processes for their desktop or laptop devices, and 42% also for their storage systems. But the outlook is rather bleak concerning data destruction for mobile portable devices and external cloud systems: only about one-third and 8% of all companies respectively have integrated a data destruction process into their data management.
THE PRACTICAL IMPLICATIONS
In addition to typical information types (e.g. name, national identification number), the Regulation’s definition of personal data has been expanded to encompass ‘modern’ identifiers such as IP addresses, cookies and location data.
When personal data is no longer necessary for its purpose, when consent to processing (which must be explicitly provided) is withdrawn, or when the agreed storage period has expired, secure erasure must be performed. This applies whenever data about an EU citizen is (among other operations) collected, stored, structured, transmitted or disseminated, regardless of which country or device hosts the data.
Consider just some of the typical examples that illustrate the various erasure requirements across most modern organizations:
- A customer exercises their right to erasure or their data is no longer required due to the end of a contractual agreement. Whether the storage is private or public cloud-based or locally held, measures must be taken to remove that data. This could range from individual files through to whole servers or huge virtualized environments held in a Storage Area Network (SAN).
- An employee leaves the company for new pastures. Their PC/laptop, phone and any other storage used by the employee to perform tasks (virtual machine, tablet, USB drive) must now be erased to ensure that personal or other sensitive data is removed.
- Faulty hardware, including storage such as SSDs and HDDs, is returned under warranty (RMA) after a period of use. Prior to return, action must now be taken to destroy the data on these assets in order to prevent a data breach.
- A technology refresh results in many storage assets used by employees and IT infrastructure being replaced. This results in significant volumes of assets to erase and other data sanitization requirements, such as when data is being migrated to new hardware.
All of the above requires evidence to prove compliance, including the demonstration of effective technical measures to protect the erasure rights of data subjects. In addition to this, verifiable proof that the aforementioned actions are indeed being implemented must be made available on request.
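As an added illustration, not part of the original article, of what a verifiable erasure step with an audit record can look like for a single file (the most basic of the cases listed above), here is a small Python routine; the record's field names and the sample content are assumptions:

```python
import hashlib
import os
import secrets
import tempfile
from datetime import datetime, timezone

# Overwrite a file in place with random bytes, flush it to disk, read it back
# and compare hashes, then unlink. Returns an audit record (field names are
# assumptions) that can be kept as evidence that the erasure ran and verified.
# Caveat: on SSDs, copy-on-write/journaling filesystems and snapshots the old
# blocks may survive an overwrite; use the device's own sanitize command or
# encryption with key destruction for such media.
def sanitize_file(path: str, passes: int = 1, chunk: int = 1 << 16) -> dict:
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(max(passes, 1)):
            f.seek(0)
            pattern = hashlib.sha256()  # digest of the final pass's pattern
            remaining = size
            while remaining > 0:
                buf = secrets.token_bytes(min(chunk, remaining))
                f.write(buf)
                pattern.update(buf)
                remaining -= len(buf)
            f.flush()
            os.fsync(f.fileno())  # make the pass reach the disk before reading back
    on_disk = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            on_disk.update(block)
    verified = on_disk.digest() == pattern.digest()
    if verified:
        os.remove(path)  # unlink only after the overwrite has been verified
    return {
        "path": path,
        "bytes": size,
        "passes": max(passes, 1),
        "pattern_sha256": pattern.hexdigest(),
        "readback_sha256": on_disk.hexdigest(),
        "verified": verified,
        "removed": not os.path.exists(path),
        "timestamp": datetime.now(timezone.utc).isoformat(),
    }

def demo() -> dict:
    # Constructed sample standing in for a departed employee's data export.
    with tempfile.NamedTemporaryFile("wb", delete=False) as tmp:
        tmp.write(b"name=Jane Example;ip=192.0.2.10;" * 2048)  # 65536 constructed bytes
        path = tmp.name
    return sanitize_file(path, passes=2)
```

The returned record is the kind of per-asset evidence the paragraph above asks for; in practice it would be appended to a tamper-evident log rather than discarded.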
Therefore there is still a lot to do before the GDPR is enacted across Europe. It is better to deal now, before it’s too late, with the necessary measures and integrate them into existing processes or establish completely new ones. After all, what many people don’t know is that penalties for companies that violate the new rules are serious: up to 250,000 euros, or 0.5 percent of annual sales, for minor offenses and up to 100 million euros, or 5 percent of annual sales, in severe cases. It is therefore worthwhile, as proposed by the EU, to introduce verifiable processes for data destruction together with the appropriate tools.