Data destruction is a key component of GDPR compliance. But what does that mean? Is it the same thing as data erasure? And what is the difference between these two terms in the context of GDPR? In this post, we explain all you need to know about data destruction under GDPR.
The basics
Data destruction is the process of irreversibly removing all personally identifiable information from a hard drive. It’s important because, under GDPR, it’s one of the most effective ways you can protect your company from liability if your customers’ data is breached or stolen.
As a business owner or manager, you’re responsible for protecting customer data. This means you should have an understanding of what GDPR is and how to comply with its requirements in order to avoid paying fines and penalties down the line (which can be up to €20 million). Data protection laws are changing all over Europe as well as globally—in countries like India and China—and will continue changing in coming years as more industries become regulated by privacy laws such as these.
What constitutes personal data?
Personal data is any information relating to an identified or identifiable natural person. This definition is broader under GDPR than it was under the Data Protection Act, which will come into force on 25 May 2018.
Personal data includes a name, photo, email address, bank details, posts on social media and online search history. It also encompasses information relating to an individual’s:
- Physical and mental health;
- Sexual life;
- Political opinions;
- Religious beliefs; or
Do all businesses processing personal information need to comply with GDPR?
You need to be compliant with GDPR if you process personal information. So, what is “personal information”?
Personal data is any information relating to an identified or identifiable living individual, who can be directly or indirectly identified by reference to an identifier such as a name, an identification number or one or more factors specific to the physical, physiological, genetic, mental, economic, legal or social status of that natural person.
For example, if a company collects and processes any personal data about individuals that it uses in its business activities – including employees – then that company must comply with GDPR. That includes processing such data for obtaining benefits (e.g., discounts) for employees at partner businesses like restaurants where they eat lunch together regularly and pay for meals individually using their corporate credit cards.
How does the right to erasure apply in practice?
The right to erasure is a key part of GDPR. It gives individuals the ability to request that their data be deleted if it is no longer relevant, if they have withdrawn their consent for it to be processed, or if there are other reasons (such as processing being unlawful).
This new right has given rise to a number of concerns about how data destruction processes could be affected by it. For example:
- What if an organisation receives a deletion request from an individual? Should they just delete all of that person’s information at once? Or do they need a backup plan in case the individual changes their mind?
- How can companies ensure that their employees are compliant with the new rules when working with personal data (such as email addresses) via external suppliers or clients who might not themselves be compliant with GDPR?
What are the key principles of GDPR compliance?
There are seven key principles of GDPR compliance, which are:
- Data minimisation: The controller shall be able to demonstrate that its processing operations are limited to those which are necessary in relation to the purposes for which they were carried out.
- Accuracy: The controller shall take reasonable steps to ensure that personal data is accurate and, where necessary, kept up-to-date.
- Security: The controller shall take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Retention: Personal data shall be retained only for as long as necessary for the fulfilment of the purpose for which it was collected. When determining its retention period for personal data, a controller shall consider how long that information might reasonably be expected to be needed by the organisation (e.g., a tax return could last 3 years after filing).
- Portability: A person has the right to receive their own personal data from a controller in a machine-readable format so they can transfer it between service providers easily without hindrance from any party involved (such as by using cloud storage services like Dropbox). These rights don’t necessarily require you or your business to hold onto all this sensitive info forever; just make sure you know what information needs storing long term!
What constitutes ‘appropriate’ measures and safeguards?
What measures and safeguards must you implement?
You need to take appropriate measures and implement appropriate safeguards to ensure that your data processing activities are carried out in accordance with the GDPR. In particular, the measures and safeguards must be implemented with regard to:
- The nature of your processing activity;
- The state of the art; and
- The costs of implementation.
How can data destruction help an organisation get GDPR compliant?
In theory, data destruction is straightforward. In practice, it’s much more complicated: you need to make sure all of your data is properly erased before it leaves your control and that it’s not possible to reconstruct the data in any way.
If you’ve been paying attention so far, this should seem like a no-brainer—but if you haven’t been keeping up with GDPR headlines or are just getting started on the path toward compliance, then here’s why getting data destruction right is such an important part of ensuring compliance:
- Data destruction helps mitigate the risk of a breach by ensuring that there is no residual information left behind after disposal. The fewer opportunities for hackers to access sensitive information from your systems (and from where they’ve previously accessed it), the better!
- You need evidence of what has been deleted and how long ago it was deleted; in other words, clear records for auditors showing what has been destroyed and when. If someone does come calling about their personal details being mishandled by an organisation that could have reasonably known better than to keep them around longer than necessary (in other words: everyone!), then those audit trails would be invaluable as evidence that everything was done correctly during disposal (or ‘deletion’).
Data destruction is an essential component of GDPR compliance
Data destruction is a critical step in the process of GDPR compliance. Data must be securely destroyed in a way that can be verified, which means you need to know what your data contains, who has accessed it and when they accessed it.
Data destruction must also be compliant with local laws, so whichever method you choose to use for destroying your data should take into account what’s required where you live or work.
Conclusion
GDPR compliance is a complex and nuanced process that requires careful attention to detail. There are many things to consider when it comes to complying with the regulation, but there is no doubt that the key principles of data minimisation and data protection by design are at the heart of GDPR compliance.