It seems that everyone at the moment is talking about the General Data Protection Regulation (GDPR), which will come into force in just over a year; and rightly so, given the hefty fines (up to 4% of your annual turnover) you could face if you suffer a data breach. With more and more news stories about companies falling victim to data breaches, how can you ensure that you are handling your company’s information correctly? When the time comes to dispose of your data, you need to ensure you remain compliant and that you adhere to industry standards.
As a result, the role of those involved in IT, information security and data protection has become increasingly complex. You need to ensure that your redundant data is disposed of securely, in an environmentally responsible manner, and is completely destroyed to avoid the risk of a data breach. But what standards and certifications are out there that can be used as guidance to benchmark against?
The Asset Disposal and Information Security Alliance (ADISA) is a great place to start. ADISA awards certification to partners that adhere to the highest industry standards, reflecting current best practice for handling data. If your data destruction partner holds an ADISA certification, you can be reassured that your data is being handled in a compliant manner.
The international ISO 27001 standard is another good foundation to adhere to. ISO 27001 is an information security management certification that ensures the correct security processes are in place when disposing of IT assets and data. Holding this certification demonstrates a vendor’s ability to manage confidential information to the highest security standards.
ISO 27001 has two main sections that relate to data destruction:
1. Section A.11.1.2 relates to IT equipment and states that “all items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use”.
2. Section A.8.3.2 relates to disposal of media and states that “Media shall be disposed of securely when no longer required, using formal procedures”.
When retiring your redundant IT assets you must identify which devices contain data. From the obvious servers, PCs and laptops right through to smartphones and printers, you should verify whether or not storage media is present in each piece of equipment prior to its retirement. You then need to choose a data disposal partner that destroys the data beyond recovery. This can be achieved by shredding the media (hard drives, tapes, CDs, DVDs, USB drives and so on) into debris no larger than 20mm in diameter, which guarantees destruction of the data. You should also receive a Certificate of Destruction for the disposed media.
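The retirement steps above (verify whether each asset contains media, confirm an approved destruction method, check the 20mm shred limit, and record a Certificate of Destruction) are easy to miss on a large estate, so it helps to run them as an automated check over the asset disposal register. The script below is an added illustrative example, not DiskShred's or ADISA's own process: the register layout, the field names, the list of approved methods and the sample rows are all assumptions constructed for this example.

```python
"""Disposal-register audit: flag retired assets whose storage media has not
been verified, destroyed by an approved method, or certified.

Added example; the CSV layout, field names and APPROVED_METHODS are assumed
for illustration and are not taken from any vendor's real process."""
import csv
import io

# Constructed sample register (not real asset data).
SAMPLE_REGISTER = """asset_tag,device_type,contains_media,media_type,method,fragment_mm,certificate_id
SRV-001,server,yes,hdd,shred,15,COD-1001
LAP-017,laptop,yes,ssd,shred,25,COD-1002
PRN-004,printer,unknown,,,,
PHN-009,smartphone,yes,flash,wipe,,
MON-003,monitor,no,,,,
"""

# Methods this (hypothetical) organisation accepts as "destroyed beyond
# recovery" or "securely overwritten" (the ISO 27001 wording quoted above).
APPROVED_METHODS = {"shred", "degauss", "wipe"}
# Shredded debris must be no larger than 20mm in diameter (figure from the text).
MAX_FRAGMENT_MM = 20
# Device classes the text names as routinely containing storage media.
MEDIA_BEARING_TYPES = {"server", "pc", "laptop", "smartphone", "printer"}


def check_asset(row):
    """Return a list of finding strings for one register row (empty = OK)."""
    findings = []
    tag = row["asset_tag"]
    device = row["device_type"].strip().lower()
    contains = row["contains_media"].strip().lower()

    # Step 1: media presence must have been verified, not guessed.
    if contains not in ("yes", "no"):
        findings.append(f"{tag}: media presence not verified "
                        f"('{contains or 'blank'}'); inspect before retirement")
        return findings
    if contains == "no":
        # A device class that usually carries storage marked media-free is
        # worth a second look, but it is not a failure in itself.
        if device in MEDIA_BEARING_TYPES:
            findings.append(f"{tag}: {device} recorded as media-free; "
                            f"confirm by physical inspection")
        return findings

    # Step 2: an approved destruction / overwrite method must be recorded.
    method = row["method"].strip().lower()
    if method not in APPROVED_METHODS:
        findings.append(f"{tag}: method '{method or 'none'}' is not approved")

    # Step 3: shredded media must meet the fragment-size limit.
    if method == "shred":
        size = row["fragment_mm"].strip()
        if not size.isdigit() or int(size) > MAX_FRAGMENT_MM:
            findings.append(f"{tag}: shred fragment size '{size or 'blank'}' "
                            f"exceeds or is missing the {MAX_FRAGMENT_MM}mm limit")

    # Step 4: a Certificate of Destruction must be on file.
    if not row["certificate_id"].strip():
        findings.append(f"{tag}: no Certificate of Destruction recorded")
    return findings


def audit_register(csv_text):
    """Audit a whole register; returns {asset_tag: [findings]} for failing rows."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = check_asset(row)
        if findings:
            report[row["asset_tag"]] = findings
    return report


def register_is_compliant(csv_text):
    """True when no row in the register produced a finding."""
    return not audit_register(csv_text)


if __name__ == "__main__":
    for tag, findings in audit_register(SAMPLE_REGISTER).items():
        for line in findings:
            print(line)
```

Run against the sample register, the audit passes the server (shredded to 15mm with a certificate) and the monitor, and reports the laptop (25mm fragments), the printer (media presence never verified) and the smartphone (wiped but with no Certificate of Destruction). In practice the register would be exported from your asset-management system and the approved-method list agreed with your disposal partner.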
So when you need guaranteed destruction of your data, make sure you pick a fully accredited partner that adheres to both the ADISA and ISO 27001 standards, so that your data is safeguarded and you remain compliant.
Contact DiskShred to learn more about how we securely destroy your data while adhering to the highest security standards.