The stakes are too high for organizations not to comply with data privacy regulations. For example, noncompliance with the EU General Data Protection Regulation (GDPR) can result in a fine of up to €10 million or up to 2% of the organization’s worldwide annual revenue from the preceding financial year, whichever is higher.1 Crucial to data privacy and protection is proper data disposal. Morgan Stanley, a global investment bank and financial services institution headquartered in the United States, was fined US$60 million for improperly disposing of personal data.2
Disposal is the final step in the personal data life cycle, which begins with collection and ends with disposal (figure 1).
Figure 1—The Data Life Cycle
Most data privacy laws and regulations state that data must be collected for a specific purpose to the advantage of a particular project or a program and should reside within an organization’s system no longer than necessary—and only as long as the data subject actively consents.
Put simply, an organization must dispose of data if the data are no longer required for business purposes or if the data subject withdraws their consent.
Data Disposal Methods
Data disposal is the complete destruction of data to ensure that they are no longer available, accessible or readable. So, how is data destroyed? Do data simply need to be deleted from a system? Before that question can be answered, it is important to understand that destruction should be performed based on an organization’s retention policy.
A retention policy defines an organization’s retention schedule, which provides the foundation for records management and legal departments to organize records and information, and describes the length of time that such records must be retained for legal compliance and business needs. Retention policies vary from one organization to another and across industries. A policy is based on the business requirements and the external regulations with which an organization must comply.
Once an enterprise has consulted its retention policy, it can choose among up to 5 methods of data disposal:
- Data anonymization—Altering data so that the data subject can no longer be identified, directly or indirectly. One way to do this is tokenization, which replaces a meaningful piece of data with a random token. Tokenization is widely used in the payment card industry (PCI) to protect cardholder data (CHD) and in the healthcare industry to protect private information (e.g., protected health information [PHI]) and minimize the risk of information leaks while maintaining data integrity. This method prevents the organization from using the anonymized data in marketing efforts or for personalization of the user experience, because the user is unknown.
- Data deletion—Removing data while leaving them in a recoverable state. This is different from data erasing, which refers to the permanent deletion of data such that they can no longer be recovered. When data are deleted, the operating system (OS) removes only the pointers to the data in the file structure; the data blocks themselves remain on the media. Even when using the Shift+Delete command in a Windows OS or the Command+Shift+Delete command in macOS, the data can still be recovered using data recovery software. The same applies to emptying a system’s recycle bin. Hence, data deletion presents a risk to the organization because deleted data can still be recovered.
- Data crypto shredding (for encrypted data)—Deleting the data encryption keys. Without the keys, it is impossible for data to be decrypted while in any of the 3 data states (i.e., data at rest, data in transit, data in use). If the data are encrypted, why should one care about what happens to them? Because encryption strength can be weakened over time as computing power grows. Crypto shredding is effective as long as there is an encryption service protecting the data.
- Data degaussing—Wiping data permanently from magnetic media by collapsing the magnetic field, which sanitizes the media and completely erases their contents. Degaussing can be performed on certain types of storage devices, but it is not applicable to solid-state drives (SSDs), because SSDs do not store data magnetically.
- Data destruction—The complete physical destruction of storage tapes, disks and/or other forms of electronic media. The only drawback of this method is the cost of losing the destroyed device, because it will no longer be usable.3
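The difference between deletion and erasure described in the list above is easy to see on a toy model of a disk. The following Go program is an added illustration, not code from the article or from ISACA: it models a block device as a flat byte array with a directory of name-to-range entries (a constructed simplification; real file systems add journals, copy-on-write and SSD wear levelling, which is exactly why overwrite-in-place is not a reliable erasure method on every device). `Delete` mimics an ordinary OS delete by dropping only the directory entry, `Erase` overwrites the bytes first, and `Recover` plays the role of recovery software that scans the raw media and ignores the directory.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// Disk is a constructed toy model of a block device: raw media plus a
// directory mapping file names to the [start, end) range holding their bytes.
type Disk struct {
	media []byte
	dir   map[string][2]int
	next  int
}

func NewDisk(size int) *Disk {
	return &Disk{media: make([]byte, size), dir: map[string][2]int{}}
}

// Write appends a file's contents to the media and records its location.
func (d *Disk) Write(name string, data []byte) error {
	if d.next+len(data) > len(d.media) {
		return errors.New("disk full")
	}
	copy(d.media[d.next:], data)
	d.dir[name] = [2]int{d.next, d.next + len(data)}
	d.next += len(data)
	return nil
}

// Delete behaves like an ordinary OS delete: only the directory entry (the
// pointer to the data) is removed; the bytes stay on the media.
func (d *Disk) Delete(name string) {
	delete(d.dir, name)
}

// Erase overwrites the file's bytes before removing the directory entry, so
// the contents are gone from the media as well as from the file listing.
func (d *Disk) Erase(name string) error {
	loc, ok := d.dir[name]
	if !ok {
		return errors.New("no such file: " + name)
	}
	for i := loc[0]; i < loc[1]; i++ {
		d.media[i] = 0
	}
	delete(d.dir, name)
	return nil
}

// Recover stands in for data recovery software: it ignores the directory and
// scans the raw media for a known pattern.
func (d *Disk) Recover(pattern []byte) bool {
	return bytes.Contains(d.media, pattern)
}

// Compare reports whether a constructed record is still recoverable after an
// ordinary delete and after an overwrite-based erase, using one fresh disk
// for each case so the two results do not interfere.
func Compare(record []byte) (afterDelete, afterErase bool, err error) {
	d1 := NewDisk(64)
	if err = d1.Write("customer.txt", record); err != nil {
		return
	}
	d1.Delete("customer.txt")
	afterDelete = d1.Recover(record)

	d2 := NewDisk(64)
	if err = d2.Write("customer.txt", record); err != nil {
		return
	}
	if err = d2.Erase("customer.txt"); err != nil {
		return
	}
	afterErase = d2.Recover(record)
	return
}

func main() {
	// Constructed sample record; no real personal data.
	del, erase, err := Compare([]byte("name=Jane Doe;dob=1970-01-01"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("recoverable after delete: %v\n", del) // true
	fmt.Printf("recoverable after erase:  %v\n", erase) // false
}
```

The model makes the article's point concrete: after `Delete`, the directory no longer lists the file, yet `Recover` still finds the record on the media; only `Erase` removes it.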
An organization can choose a disposal option depending on its business needs and the importance of the data it stores. The most effective approach to data destruction is to degauss before physically destroying the media, because degaussing sanitizes the storage media, so there is no risk even if the destroyed device is reassembled.
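The crypto shredding method listed above depends entirely on the encryption service that holds the keys, so it is worth seeing what the service has to do. The Go program below is an added example written for this article, not code from the author or from ISACA: it uses the standard library's AES-256-GCM, assumes a constructed in-memory `KeyService` standing in for a real KMS or HSM, and issues one key per data subject so that shredding one subject's key leaves every other subject's records readable. Records carry the key ID and `nonce||ciphertext`, and the key ID is bound as associated data so a record cannot be quietly re-pointed at a different key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeyService is a constructed stand-in for the encryption service the article
// refers to. A production service keeps keys in a KMS/HSM and records every
// destruction for audit.
type KeyService struct {
	keys map[string][]byte // key ID -> 256-bit AES key
}

func NewKeyService() *KeyService {
	return &KeyService{keys: map[string][]byte{}}
}

// NewKey creates a fresh AES-256 key under the given ID; one key per data
// subject means a shred affects exactly that subject's records.
func (ks *KeyService) NewKey(id string) error {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return err
	}
	ks.keys[id] = k
	return nil
}

// Shred destroys the key. Every ciphertext made under it, including copies on
// backups the service never touches, becomes unrecoverable.
func (ks *KeyService) Shred(id string) {
	if k, ok := ks.keys[id]; ok {
		for i := range k {
			k[i] = 0
		}
		delete(ks.keys, id)
	}
}

func (ks *KeyService) aead(id string) (cipher.AEAD, error) {
	k, ok := ks.keys[id]
	if !ok {
		return nil, errors.New("key " + id + " has been shredded or never existed")
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Record is a stored item: the ID of its key plus nonce||ciphertext.
type Record struct {
	KeyID string
	Data  []byte
}

func (ks *KeyService) Encrypt(keyID string, plaintext []byte) (Record, error) {
	g, err := ks.aead(keyID)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Record{}, err
	}
	sealed := g.Seal(nil, nonce, plaintext, []byte(keyID))
	return Record{KeyID: keyID, Data: append(nonce, sealed...)}, nil
}

func (ks *KeyService) Decrypt(r Record) ([]byte, error) {
	g, err := ks.aead(r.KeyID)
	if err != nil {
		return nil, err
	}
	n := g.NonceSize()
	if len(r.Data) < n {
		return nil, errors.New("record too short")
	}
	return g.Open(nil, r.Data[:n], r.Data[n:], []byte(r.KeyID))
}

func main() {
	ks := NewKeyService()
	_ = ks.NewKey("subject-a")
	_ = ks.NewKey("subject-b")
	ra, _ := ks.Encrypt("subject-a", []byte("a@example.test")) // constructed data
	rb, _ := ks.Encrypt("subject-b", []byte("b@example.test"))
	ks.Shred("subject-a") // subject A withdrew consent
	_, errA := ks.Decrypt(ra)
	pb, errB := ks.Decrypt(rb)
	fmt.Println("subject-a after shred:", errA)        // error: key shredded
	fmt.Println("subject-b after shred:", string(pb), errB) // still readable
}
```

Shredding the key is a single, auditable operation, which is why the method scales to data scattered across replicas and backups; the caveat from the list above still applies, in that the ciphertext is only as safe as the cipher remains over time.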
The Importance of Data Disposal
Imagine there are many sets of personal data stored in an organization’s database, but the data are no longer used and have no value to the organization. The organization is forced to continue to dedicate energy and resources (e.g., data storage space, staff, network security measures and devices) to store and protect the data. This increases overhead costs and further complicates data classification. All the while the unused data are unnecessarily exposed to potential risk while remaining in the system. Proper disposal of unused data helps ensure that this scenario does not become a reality.
In addition to the legal penalties and fines an organization may face for being noncompliant with data disposal laws and regulations, when an organization experiences a data breach, data are lost and may be published by the party who performed the breach. To preserve public trust, the organization must address the incident and notify the data subjects whose data have been stolen.
Conclusion
Typically, an organization realizes it is in possession of data that are no longer required only because employees have stopped accessing those data on a daily basis. Data that nobody uses are easily overlooked by data protection measures, which leaves them vulnerable to breach.
Certain regulations require organizations to enforce a retention policy for deleting data. To be in compliance with those regulations, enterprises must take data disposal seriously and abide by the data subject’s right to have their personal information deleted if they withdraw their consent for the organization to use and process their data.
In addition to compliance, understanding the importance of data disposal can help organizations protect personal data from being leaked via data breaches, which, in turn, prevents the organization’s reputation from being damaged and saves the cost of remediation efforts and/or additional storage space.
Endnotes
1 Wolford, B.; “What Are the GDPR Fines?” Proton Technologies AG
2 Coble, S.; “Morgan Stanley Fined $60m Over Data Disposal,” Infosecurity Magazine, 20 October 2020
3 ISACA®, CDPSE Review Manual, 2020
Editor’s Note
Hear more about what the author has to say on this topic by listening to the “Why (and How to) Dispose of Digital Data” episode of the ISACA® Podcast.
Bassel Kablawi, CISM, CDPSE, COBIT Foundation, ITIL v3, is an information security and data privacy consultant.