The Importance of Proper Data Destruction

Data drives the modern world, but failing to ensure that data is properly disposed of when it is no longer needed can have significant ramifications.

By RoundWorks IT | Published about a year ago | 3 min read

All modern businesses need to be clear about the fact that they do not and cannot own personal data. They cannot even own the personal data of current employees. They are simply permitted to use personal data for a specific purpose. Once this purpose has been fulfilled the data must be deleted.

Here Luke Watts, Managing Director of RoundWorks IT, shares his insights into how to properly destroy your data.

Understanding the data lifecycle

Post-GDPR, there are only 6 acceptable reasons for collecting personal data. These are contractual obligations, legal obligations, legitimate interests, vital interests, public interests and consent.

Of these, consent is by far the weakest ground. This is particularly true in an employment situation. The law recognises that there can be a significant imbalance of power between an employer and an employee.

Most businesses will probably use contractual obligations and legal obligations as their main grounds for processing data. They may also use legitimate interests but this is typically less common.

The data may only be used for the specific purpose for which it was collected. If businesses want to use it for any other purpose, they must seek additional permission. The data may be kept for as long as it is needed. Once it has ceased to be required, it must be fully deleted.

GDPR and statutory retention

GDPR recognises statutory retention periods. It does, however, require them to be adhered to accurately. For example, if you have a statutory retention period of three years, GDPR requires you to delete the data as soon as that period is over.

Why GDPR emphasises data deletion

There are two main reasons why GDPR emphasises data deletion. The first is that it makes it harder for businesses to use data for unauthorised purposes. Reputable businesses would not do this. Sadly, however, not all businesses are reputable.

The second is that all data held by all businesses is vulnerable to data breaches. Enforcing proper cybersecurity can do a lot to minimise this risk. Unfortunately, it can never be totally eliminated.

This risk is acceptable when you are using the data for a purpose that benefits the data subject. It becomes unacceptable if you are simply holding the data because you have not got around to deleting it.

Data deletion protects against reputational risk

Even without GDPR, it would still be in the best interests of reputable businesses to delete data as soon as it was no longer needed. Despite the serious penalties GDPR can enforce, the most serious penalty of all is likely to be the reputational risk of a data breach.

How to ensure data is properly deleted

An effective data-deletion process is built on a foundation of effective data management. It, therefore, starts by knowing what data you have, why you have it, where it is and who has access to it.

If you know this, it should be possible for you to set up automated protocols to ensure that data is deleted in a timely manner. It may be possible for you to automate the deletion. If it isn’t, you should be automatically prompted to take the necessary steps to delete it.

Additionally, it’s strongly advisable to have a process for wiping devices remotely. This protects the data (and hence the business) if a device is lost or stolen (or not returned when an employee leaves).

All data must be under robust access controls at all times right up to the point when it is deleted. This includes during transport. For example, if you send a hard drive to a specialist firm to be completely wiped, you need to ensure that it is not compromised in transit.

In addition to knowing what data needs to be deleted and at what point, you also need to know what approach to use. Just hitting delete or restoring factory settings will not completely wipe data. If you’re not confident that you can delete data effectively yourself, hire a specialist to do it for you.

About the Creator

RoundWorks IT

RoundWorks IT are specialists in Managed IT Support, including backup and disaster recovery, cyber security and more, for businesses across the East Midlands.
