Until recently the Information Commissioner’s Office (ICO) focused mainly on the public sector, but Simon Brailsford, Director of Sales at Advanced Data Destruction, explains that the commissioner is increasingly looking at data protection practices in the private sector. SMEs, in particular, often fail to appreciate the business impact of not having secure systems in place to dispose of private data.
Companies falling foul of the law risk their reputation and possibly their business: the ICO is ramping up its fines, which can run into six figures for data law breaches. In addition, businesses that have been successfully prosecuted and fined can be struck off tender lists and lose customers through a diminished reputation.
Data destruction and IT asset disposal are heavily regulated and complex areas, but ignorance is not bliss and will not let a business off the hook. No matter who in the organisation is responsible for the operational aspect of data protection and destruction, the chief executive or managing director is ultimately accountable.
This is the case even where an external company has been hired to destroy data. In one recent high-profile case a Scottish council was fined £250,000 after sensitive documents were found in supermarket waste bins. The Scottish ICO said the local authority had ‘taken their eye off the ball’ when outsourcing and had not carried out sufficient checks on the provider.
The process for disposing of redundant IT equipment and data can overlap a number of departments and functions, including IT, procurement and data governance. Mistakes often happen because just one person is given responsibility, leaving other areas of significance overlooked.
So what are the necessary steps businesses can take to ensure that they are fully compliant?
· If you handle any sensitive or personally identifiable data then you must have provision to destroy it securely and prove it when required. Check your internal processes and systems, making sure that you have robust protocols.
· Have someone senior in charge who can bring the relevant departments together and who understands the consequences of poor security procedures.
· Run regular staff training for key people on information security procedures. If necessary, bring in specialists to advise.
· Be mindful of data classifications. “Aggregation” and “Accumulation” of data often occur at the disposal stage, where assets of all types are merged together; you therefore have to treat ALL assets as a “worst case” scenario.
· Ensure you accurately identify all equipment marked for disposal and its data-bearing status, and maintain accurate records; you may be required to provide full end-to-end traceability.
· Data Destruction Certification – you have to be able to demonstrate and prove that your data has been destroyed using approved data destruction methods.
· When using a third party, be extremely diligent when checking their credentials and ensure that you are confident about their systems and their personnel. For example, have they carried out Criminal Records Bureau (CRB) checks and Counter Terrorist Checks (CTC) on staff, including any agency workers? Remember you are still liable for their actions!
· Have robust service agreements in place. This will show you have done your “Due Diligence”. Carry out regular audits, and remember that a contract does not relinquish your responsibility. However, it may provide you with a course of action against the third party, providing you can prove they are in breach of contract.
· As you remain responsible, you must remain involved. Don’t allow your data to leave your premises, as out of sight is definitely not out of mind. You will find you are not insured against data loss whilst it is in transit.
· If you are the CEO or MD, ensure that you know how sensitive data in your business is being destroyed.