GDPR and DATA DESTRUCTION – GETTING TO THE POINT

Like Data Eliminate, your organisation has most probably been inundated with emails urging you to become GDPR compliant before the world falls apart when the Regulation formally comes into force.

The GDPR is a substantial and complex document and our own experience is that most company’s promoting products and services on the back of it have little understanding of it. Here is our official GDPR page describing Data Eliminate’s key objective to provide customers with an asset disposal and secure data destruction solution which can be seamlessly incorporated into their GDPR compliance strategy.

So here is a simple bit of straightforward guidance about what your organisation should do with reference to data destruction in order to comply.

The first point is that destruction counts as a form of data processing like using the data for marketing, payroll services or similar. If your organisation owns the data and asks a third party to destroy it then your organisation is a Data Controller and Data Eliminate is the Data Processor.

The Regulation requires you as a Data Controller to have a written contract with Data Eliminate Ltd and it should contain certain clauses. See here for more information.

Secondly, the most significant provision of the GDPR to data destruction is the effect it has on the retention of storage of data. In other words, the days when you can leave large quantities of IT equipment or paper records in a storage cupboard and leave them there for years and years are over.  The GDPR requires you to identify all the different types of data your organisation holds and how long each type of data should be kept for.  In making this judgement, one is meant to balance the commercial needs of your organisation in retaining the data against the privacy needs of the private individuals (Data Subjects) whose Personal Data is held on the media in the store cupboard.  If you can’t produce anything meaningful to explain how you reached this judgement when challenged by an enforcement authority such as the UK Information Commissioner– then you could be in trouble.

Thirdly, is the simple fact that while data still exists (or is held on a hard drive, mobile phone or USB stick) it can be stolen and it represents a risk. Once it has been destroyed then the risk no longer exists. The fines for a data breach – which could result from old computer media being lost or stolen – have increased from £500k under the DAP to up to £20million Euros (or 4% of an organisation’s global turnover).  So, the fines help show this into sharp focus.

Fourthly, it won’t have passed your attention that, rightly or wrongly, the UK is leaving the European Union. It is planned that the GDPR will be incorporated into UK Law.  Even it is isn’t , and even when the UK has completely left, if your organisation holds Personal Data about citizens of the EU, then the GDPR still applies.   They key fact is that any Enforcement Authority in the EU can come after your organisation – not just the UK’s Information Commissioner.  It would perhaps not been that surprising in the circumstances if the Spanish, Slovakian, Slovenian equivalents of the ICO cut their regulatory teeth by taking to task some errant UK companies and organisations.

In Data Eliminate’s view, GDPR and data destruction is no more complicated than this.

If you require further information or guidance then please contact us on Tel: 0345-1234400 or use the Enquiry Form.