Disposing of data storing IT and electrical equipment under GDPR
How do you dispose of data storing IT and electrical equipment? Is this in line with the General Data Protection Regulation (GDPR)? Even those organisations that have carried out a comprehensive data audit, registered with the ICO, updated their privacy notice and put policies and procedures in place might have overlooked what they need to do with redundant IT under GDPR...
Destroying personal data on electronic devices
In our recent webinar answering GDPR questions from IFAs, we were asked whether businesses need to destroy personal information on data storing IT before getting rid of it.
It might be helpful to think about your computer or phone memory system like a filing cabinet full of folders, each folder with paper documents inside. If you wanted to destroy a paper file, you would put it through a shredder. The problem is that pressing ‘delete’ on a computer or phone is not the same thing. It is more like taking the name tag off a paper file or folder. You can’t easily find the information, but it’s still in there, and people can still read it if they get into the filing cabinet.
So how can you really remove information from an old computer or phone? The answer is a process called ‘eradication’. This process completely removes all data and then overwrites the memory cells with random numbers. It doesn’t just do this once: the overwrite can be repeated many times, so that by the end of the process there is no real chance that anyone could recover the original information.
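The difference between pressing ‘delete’ and eradication, as an added example that is not part of the original article: a toy storage device held in memory, where deleting removes only the name tag and eradication overwrites every cell with random bytes. The names ToyDevice, delete, raw_scan and eradicate, the block size and the sample record are all constructed for illustration.

```python
import os

BLOCK = 64  # constructed block size for the toy device

class ToyDevice:
    """In-memory model: a directory of name tags plus raw storage cells."""

    def __init__(self, blocks=16):
        self.raw = bytearray(blocks * BLOCK)   # the "filing cabinet"
        self.directory = {}                    # name tag -> (first block, length)
        self.next_free = 0

    def write(self, name, data):
        start = self.next_free
        needed = -(-len(data) // BLOCK)        # ceiling division
        self.raw[start * BLOCK:start * BLOCK + len(data)] = data
        self.directory[name] = (start, len(data))
        self.next_free = start + needed

    def delete(self, name):
        # What pressing 'delete' does here: only the name tag is removed.
        del self.directory[name]

    def raw_scan(self, needle):
        # Ignore the directory and look at the storage cells themselves.
        return needle in self.raw

    def eradicate(self, passes=3):
        # Drop every name tag, then overwrite all cells with random bytes, repeatedly.
        self.directory.clear()
        self.next_free = 0
        for _ in range(passes):
            self.raw[:] = os.urandom(len(self.raw))

def demo():
    record = b"CLIENT: J. Example, policy 000-CONSTRUCTED"  # constructed sample data
    dev = ToyDevice()
    dev.write("client.txt", record)
    dev.delete("client.txt")
    listed = "client.txt" in dev.directory   # the name tag is gone
    after_delete = dev.raw_scan(record)      # the contents are still in the cells
    dev.eradicate()
    after_eradicate = dev.raw_scan(record)   # the contents have been overwritten
    return listed, after_delete, after_eradicate

if __name__ == "__main__":
    print(demo())   # (False, True, False)
```

Real drives keep spare and remapped cells that ordinary writes cannot reach, so this models the idea only and is not a wiping tool.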
What’s wrong with physical destruction of data storing IT?
Another option is to physically destroy the data storing device, but we suggest you avoid this for a number of reasons:
If you don’t know exactly what’s in your computer or phone, you may not destroy the important bits that have the information on them
You can probably sell your old device for a bit of cash once it’s been wiped, or donate it to a local charity that really needs it
There are some pretty special materials, some hazardous materials and lots of plastics in computers and phones - just smashing them up and putting them in the bin is pretty bad for the environment
Sometimes it’s not possible to eradicate the data from a device. In that case it’s best to get a specialist company to destroy the item and prove to you it’s been destroyed.
Find out more about IT security
Data eradication is just one part of IT security that you need to think about in your business. For more information on this and other actions you should take to protect personal data and become GDPR compliant, subscribe to Astrid today.