The EU's new and demanding data protection regulation, the GDPR (General Data Protection Regulation), is now in force across the European Union. The GDPR (Regulation (EU) 2016/679) replaced the Data Protection Directive 95/46/EC on May 25, 2018 (in the UK, the Data Protection Act 2018 replaced the Data Protection Act 1998 on the same day); it governs how organizations protect and process the personal data of individuals in the EU.
GDPR is arguably the most demanding data protection instrument (a regulation, directly applicable in every member state, rather than a directive) that the EU has ever produced. It took years to draft and went through several amendments before it came into effect. It gives individuals more control over their data and obliges organizations to keep auditable records showing that personal data is held securely and is securely erased in line with the regulation's requirements. It makes organizations responsible for protecting personal data against breaches and for limiting access to that data to the people it belongs to.
Who is affected by GDPR?
Most organizations around the globe are affected by GDPR. The regulation applies to any company or organization, public or private, that offers goods or services to people in the EU or processes their personal data, wherever the organization is based. Such organizations must follow the regulation whenever they handle the personal data of individuals in the EU.
The organization holding personal data is accountable for any breach of it. It must demonstrate compliance with GDPR through appropriate technology, processes and systems, and it must keep a formal written record of each data processing activity, including records and proof of data erasure or destruction.
Importance of Compliance and Risk
EU residents' data has been breached on numerous occasions in the 2010s; one of the most recent is the Facebook/Cambridge Analytica scandal. Mass surveillance programmes also came to light: Edward Snowden's revelations about the Five Eyes alliance, and the NSA's PRISM programme. These events paved the way for strong data protection laws and regulations such as GDPR.
GDPR sets out clear rules on several rights for data subjects, and one of them is the 'right to be forgotten', or 'right to erasure', in Article 17. It states that individuals have the right to request the erasure of personal data relating to them, and an organization that holds or collects that data in any form must erase it without undue delay when asked, unless it has a legal ground to retain it.
The organization also has to tell the individual when the erasure request will be completed, including removal from backup systems. Most importantly, during audits it must be able to show proof that the data was responsibly and securely destroyed as the individual requested.
An organization that fails to comply faces a fine of up to €20M or 4% of its total worldwide annual turnover, whichever is higher, as well as the loss of market reputation and public image that can severely damage the business.
How to Securely Erase User Data to comply with GDPR
As an organization, you must understand that simply deleting data or formatting the drive that holds it is not enough. Deleting a file or quick-formatting a drive normally removes only the file-system references to the data; the underlying blocks stay on the media and can be brought back with off-the-shelf recovery tools or services. Even drives that have been drilled, broken up, or damaged by storms, floods or fire can in some cases have data recovered from the surviving platter surfaces by specialist labs.
Many CSOs overlook this when disposing of assets at end of life. Be careful when disposing of storage assets, such as hard drives, that have held personal data: if those drives are not properly erased before disposal or recycling, the result can be a data breach and a failure to comply with GDPR.
Fortunately, several secure data erasure products are available today that sanitize user data and create automated erasure audit trails, meeting the needs of internal and external information security audits and of data protection laws and regulations.
BitRaser is a software-based data sanitization tool for securely erasing hard drives and solid state drives in PCs, laptops, servers and other rack-mounted storage devices. It supports 27 internationally recognised data erasure algorithms, such as US DoD 5220.22-M, NIST, NATO, British HMG IS5 (3 passes) and German VSITR (7 passes), to destroy data on both magnetic drives and flash media permanently, beyond recovery, and it produces tamper-proof audit trails to help organizations meet statutory compliance obligations. One caveat when choosing a method: on SSDs, wear levelling means a host-side overwrite cannot be guaranteed to reach every physical block, which is why NIST SP 800-88 directs flash media to the drive's own sanitize or cryptographic erase commands; check which method a tool applies to each drive type.
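To make the difference between deletion, formatting and sanitization concrete, here is an added illustrative example in Python; it is not BitRaser code nor any particular tool's. It models a tiny disk image with an allocation table and a raw data region, shows that an ordinary delete and a quick format leave the personal data carvable from the raw region, then overwrites the region in three read-back-verified passes and emits an HMAC-protected erasure record of the kind an audit trail is built from. The disk layout, the three-pass pattern, the record fields and the signing key are all assumptions made for the example, and the sample personal data is constructed.

```python
"""Model of delete vs. quick format vs. overwrite sanitization, with a signed
erasure record. Added illustrative example, not BitRaser code; the disk layout,
pass pattern, record fields and signing key are assumptions."""
import hashlib
import hmac
import json
import os
import time

TABLE_SIZE = 32   # 8 slots of 4 bytes each: 2-byte offset, 2-byte length
DATA_SIZE = 256   # raw data region that follows the table


def blank_disk() -> bytearray:
    return bytearray(TABLE_SIZE + DATA_SIZE)


def write_file(disk: bytearray, slot: int, offset: int, payload: bytes) -> None:
    """Store payload in the data region and record (offset, length) in the table."""
    assert 0 <= slot < TABLE_SIZE // 4 and offset + len(payload) <= DATA_SIZE
    start = TABLE_SIZE + offset
    disk[start:start + len(payload)] = payload
    disk[slot * 4:slot * 4 + 4] = offset.to_bytes(2, "big") + len(payload).to_bytes(2, "big")


def delete_file(disk: bytearray, slot: int) -> None:
    """Ordinary delete: only the table entry goes; the bytes stay on the media."""
    disk[slot * 4:slot * 4 + 4] = bytes(4)


def quick_format(disk: bytearray) -> None:
    """Quick format: the whole table is cleared, the data region is untouched."""
    disk[:TABLE_SIZE] = bytes(TABLE_SIZE)


def carve(disk: bytearray, needle: bytes) -> bool:
    """What a recovery tool does: ignore the table and scan the raw sectors."""
    return disk.find(needle, TABLE_SIZE) != -1


PASSES = (b"\x00", b"\xff", None)  # zeros, ones, then random (None)


def sanitize(disk: bytearray) -> list:
    """Overwrite the data region once per pass, reading back to verify each pass."""
    log = []
    for number, pattern in enumerate(PASSES, 1):
        fill = os.urandom(DATA_SIZE) if pattern is None else pattern * DATA_SIZE
        disk[TABLE_SIZE:] = fill
        log.append({
            "pass": number,
            "pattern": "random" if pattern is None else pattern.hex(),
            "verified": bytes(disk[TABLE_SIZE:]) == fill,
        })
    disk[:TABLE_SIZE] = bytes(TABLE_SIZE)  # clear the table last
    return log


def _canonical(record: dict) -> bytes:
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def erasure_record(device_id: str, log: list, disk: bytearray, key: bytes) -> dict:
    """Audit record whose HMAC lets an auditor detect later edits to it."""
    record = {
        "device_id": device_id,
        "method": "3-pass overwrite with read-back verification",
        "passes": log,
        "final_media_sha256": hashlib.sha256(bytes(disk)).hexdigest(),
        "completed_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }
    record["hmac_sha256"] = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return record


def verify_record(record: dict, key: bytes) -> bool:
    """Recompute the HMAC over every field except the tag and compare in constant time."""
    unsigned = {k: v for k, v in record.items() if k != "hmac_sha256"}
    expected = hmac.new(key, _canonical(unsigned), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record.get("hmac_sha256", ""))


def demo(key: bytes = b"assumed-audit-signing-key") -> dict:
    pii = b"name=Jane Doe;email=jane@example.org"  # constructed sample personal data
    disk = blank_disk()
    write_file(disk, 0, 16, pii)
    delete_file(disk, 0)
    after_delete = carve(disk, pii)
    quick_format(disk)
    after_format = carve(disk, pii)
    log = sanitize(disk)
    after_sanitize = carve(disk, pii)
    record = erasure_record("disk-0001", log, disk, key)
    return {
        "recoverable_after_delete": after_delete,
        "recoverable_after_format": after_format,
        "recoverable_after_sanitize": after_sanitize,
        "record": record,
        "record_valid": verify_record(record, key),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real drive the overwrite would target the block device rather than a bytearray, and the read-back verification is the part worth keeping: a pass can fail silently on a bad sector, and an audit record that says "verified" without a read-back proves nothing. The HMAC only makes the record tamper-evident if the signing key is held somewhere the operator who produced the record cannot reach (an audit server or an HSM); an operator who can both write and sign the record can also forge it.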
Of course, you can also destroy the data by physically destroying the drive, which makes it unusable; this option comes with the risks outlined below.
Risks associated with Physical Destruction
Physical destruction is usually done offsite, which means handing drives that still hold readable personal data to a third party; a lapse in the chain of custody along the way can itself be a data breach. Degaussing is another option: it permanently destroys the magnetic domains a hard drive uses to store data and leaves the drive unusable, but it has no effect on flash-based SSDs.
Onsite physical destruction is an option, but it is hazardous to the environment and not foolproof: data can still be read from large fragments of a magnetic platter.
Software-based sanitization with a secure erasure tool, by contrast, keeps the whole process under your control. You can run the erasure on premises without any third-party service, which takes you one step closer to GDPR compliance.
GDPR is a great relief for EU residents but also a great responsibility for organizations operating in EU markets. To keep doing business in the EU you need to comply with data protection law or face heavy penalties and the kind of public backlash Facebook faced after Cambridge Analytica. It is most crucial for small and medium organizations to be ready and compliant, because GDPR is already here.
Being GDPR compliant not only saves you from hefty fines but also marks you out as a reputable organization that respects users' privacy and their data. That includes securely erasing personal data from your systems when users request it, backed by written auditable records for internal and external audits.
BitRaser is a software-based tool that provides secure data erasure for PCs, laptops, servers and storage environments using internationally recognized erasure standards. It generates tamper-proof reports and erasure certificates for audit trails, helping organizations work towards GDPR compliance.