What is a Data Destruction Policy and Why It Matters
In previous decades, a data destruction policy was needed to ensure that paper documents and recording tape were shredded and destroyed. While that remains true in our current information age, the way data is collected and destroyed as well as the vast quantity companies now collect calls for far more rigorous data destruction policies.
What exactly does such a policy entail, and perhaps more importantly, why does having a robust data destruction policy matter so much?
What is a Data Destruction Policy?
Whenever an organization discards old or redundant IT assets such as computer hard drives, cell phones, or other storage media (e.g. DVDs, USB drives), a policy needs to be in place to ensure that any data stored therein is adequately rendered irretrievable.
These policies must be created within the organization and enforced in order to remain effective. When creating a policy for data destruction and disposal, it’s important to consider all of the relevant factors, so try to involve voices and opinions from different branches of your organization.
Why Should my Organization Implement a Data Destruction Policy?
In our private lives, a simple delete and clearing of the recycle bin – for most intents and purposes – might seem to be enough for some of us. But what would happen if your personal details, such as your address, passport information, or contact information, fell into the wrong hands?
If your personal computer has a potential gold mine of usable data, imagine how much data a large corporation handles on a daily basis. Businesses handling thousands of customers’ personal data cannot leave it to chance, so a robust policy for data destruction must be put in place and enforced.
Why Having a Data Destruction Policy Matters
There’s simply no getting around the fact that data breaches are growing both in number and in magnitude. Some of the more infamous cases in terms of severity include Equifax, which exposed nearly 150 million US accounts and had to pay over $700 million, and the Sony PlayStation Network, where 77 million users’ personal data (far more than login information!) was exposed at a total cost of $171 million.
These are, of course, notable examples of data breaches. IBM has revealed that the average cost of a data breach is $3.92 million, but that’s a global average. In the United States, this figure is estimated to be $8.19 million, making it the costliest nation for data breaches.
It should be evident that having a data destruction policy matters now more than ever, since secure data destruction, together with policies designed to better handle and dispose of IT assets, is amongst the most effective means of preventing data breaches altogether.
How to Get Started
There are plenty of details that will be specific to the circumstances of your organization, so the following is a deliberately general description of the core elements worth considering in a data destruction policy.
First and foremost, all company IT assets should be listed in an inventory, from USB drives to individual computer workstations. You may wish to further categorize each IT asset based on security levels, such as classified for hard drives containing sensitive data and low-priority for DVDs containing promotional marketing material, for example.
Next, create a plan for how your organization ought to sanitize redundant IT assets before they are disposed of. This could include, for example, using online or boot-drive wiping software for hard drives, as well as factory resets on iPhones and other company cell phones. It’s always a good idea to follow up with a quality check to ensure that no sensitive data is left behind.
Last, and perhaps most importantly, you must find an effective way of disposing of IT assets with our precious environment in mind. As of 2021, nearly every state in the Union has data disposal laws that prohibit the improper disposal of media containing sensitive data. Wisetek is committed to a Zero-Landfill Policy, so rest assured that your organization’s IT assets will not contribute to the growing e-waste crisis. We also provide refurbishment and remarketing services, all within our circular economy model.
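The steps above (an inventory with security levels, a wipe, a quality check, and a record to keep for audit) can be tied together in code. The following is an added example, not code from the article or from Wisetek; the classification-to-method mapping, the asset IDs and the two sample "drives" are constructed for illustration, and the check reads a disk image rather than a physical device.

```python
import hashlib
import io
import json
from datetime import datetime, timezone

# Assumed policy mapping (not from the article): each inventory level fixes
# the minimum sanitisation method the policy demands before disposal.
REQUIRED_METHOD = {"classified": "overwrite-and-verify", "low-priority": "clear"}

CHUNK = 4096

def verify_wiped(image, pattern=b"\x00"):
    """Quality check: read the whole medium and report the first byte that
    does not match the wipe pattern. Returns (clean, offset_or_None)."""
    offset = 0
    while True:
        data = image.read(CHUNK)
        if not data:
            return True, None
        if data.count(pattern[0]) != len(data):   # something survived the wipe
            for i, b in enumerate(data):
                if b != pattern[0]:
                    return False, offset + i
        offset += len(data)

def destruction_record(asset_id, level, image, method):
    """Auditable record for one asset: check result plus a digest of what was
    actually read, to file alongside the ITAD destruction certificate."""
    image.seek(0)
    digest = hashlib.sha256(image.read()).hexdigest()
    image.seek(0)
    clean, where = verify_wiped(image)
    return {
        "asset_id": asset_id,
        "classification": level,
        "required_method": REQUIRED_METHOD[level],
        "method_used": method,
        "verified_clean": clean,
        "first_residual_offset": where,
        "sha256_after_wipe": digest,
        "checked_at": datetime.now(timezone.utc).isoformat(),
    }

# Constructed sample media (not real drives): one fully zeroed, one where a
# rushed wipe left a fragment of personal data behind at byte 9000.
CLEAN_DRIVE = io.BytesIO(b"\x00" * 16384)
DIRTY_DRIVE = io.BytesIO(b"\x00" * 9000 + b"passport=AB1234567" + b"\x00" * 7000)

if __name__ == "__main__":
    for aid, img in (("HDD-0001", CLEAN_DRIVE), ("HDD-0002", DIRTY_DRIVE)):
        print(json.dumps(destruction_record(aid, "classified", img, "overwrite-and-verify"), indent=2))
```

A record whose `verified_clean` is false means the asset must go back for another wipe (or physical destruction) rather than out the door, and the record itself is the evidence an auditor asks for.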
It is imperative that you employ the services of an IT asset disposition (ITAD) company such as Wisetek that is also NAID-certified, to ensure that your organization remains compliant. These specialized companies often provide many ancillary services to keep your organization safe, compliant, and at minimal risk of costly data breaches.
Important Factors to Consider When Forming a Policy
Any policy can be rendered ineffective if your organization fails to exercise due diligence or does not enforce the policy. This applies to data destruction policies as well.
Everyone in your organization, from entry-level employees to C-suite management, should be aware of the policy, understand its contents and its importance, and know how to adhere to it in their day-to-day tasks. This may necessitate additional training or workshops, or perhaps a company-wide email will do – this depends on what you think is best for your organization.
Another important consideration is good record-keeping. Even with the assistance of an ITAD company for data destruction, you’ll want sufficient means to prove that your data is being disposed of properly and that your organization is exercising due diligence. Always ask your ITAD company for data destruction certificates. Should your company ever face an audit, these documents serve as proof that IT assets are being disposed of properly.
Data destruction is a serious matter now and will remain so as the business world becomes increasingly digital. Policies for data destruction and disposal are therefore no longer a ‘nice to have’ but a must-have, so make sure your organization is doing its part.