Now that the dust has settled and the wave upon wave of GDPR opt in emails have subsided – how have we all learnt to be GDPR compliant?
GDPR swept in a set of new data privacy rules that govern the handling of personal data of individuals in the EU, wherever that handling takes place. Companies found in breach of GDPR can be fined up to €20 million, or 4 percent of their annual worldwide turnover, whichever is higher. But throughout all the confusion during the run-up, one fact remained incontrovertible: that on May 25, 2018, GDPR would become enforceable. And now it is.
Our team went to a local bar/restaurant and, when it came to paying the bill, our Director was first refused the option of paying by cash and then, when paying by card, was told that they do not provide printed receipts but emailed receipts instead. Is taking a personal email address in order to send a receipt now a GDPR matter? The grey area around collecting people's email addresses is plain to see here: the only choices on offer were to hand over an email address or to go without a receipt altogether, which is not advisable.
The confusion on the staff member’s face when explained to about GDPR is one probably shared by many.
The Newsnight team wanted to establish the different ways in which computer hard drives should be destroyed in order to ensure that no sensitive data could be recovered from them. Nick Menzies and a film crew attended Data Eliminate's central London Destruction Facility, which is approved for use by Her Majesty's Government Departments and Agencies. The Newsnight team were shown the different methods of destruction available, including physical destruction by shredding or crushing, degaussing, and secure overwriting.
Data Eliminate's Destruction Expert, Julian Fraser, explained that crushing or punching of the drives was the method most likely to have been used in the case of the Guardian, because it is possible to do this in a meeting room with a minimum of mess and noise.
"Degaussing and crushing of hard disks can be done on site in central London in an office block. Hard disks can then be taken to a destruction facility using secure transport for shredding into small pieces," Julian explained. He continued, "Shredding is the best way to dispose of hard disks. The problem is that it requires parking for a shredding vehicle and can be noisy. That's why we have a facility within 1 mile of London Bridge where customers can come and watch their disks being shredded."
The Newsnight camera crew took various pictures of hard drives being shredded, crushed and bent, many of which were seen in the package shown that evening on BBC2.
Secure Removal of Data and Mobile on-Site Destruction
Every organisation, whether public or private sector, has responsibilities under the Data Protection Act. All organisations must ensure that data does not fall into the wrong hands. One of the essential components of the Data Eliminate service for recycling WEEE is the destruction of sensitive information held on data-storage devices: laptop, personal computer and server hard disks, in addition to media such as CDs, DVDs, floppy discs, data tapes and video tapes, which accumulate over time. Destruction can be carried out either at the customer's premises or back at Data Eliminate's secure destruction facility.
Data Eliminate deploys several different methods for erasing sensitive and confidential material on devices used for data storage. The chosen technique depends on the type of technology used to store the data and the sensitivity of the information concerned.
Data Eliminate has a number of shredders especially designed for data destruction purposes. The shredders and disintegrators are mounted on vehicles to suit a number of purposes. The shredders are able to reduce all types of computer media, including data tapes, computer hard disk drives, DVDs, mobile phones and thumb drives, into very small particles. Depending on the media concerned and the sensitivity of the information, particle sizes may range from 20 mm² down to 2 mm².
It takes much longer to shred a hard drive down to 2 mm particles than it does to reduce it to 6 mm particles, so the finer shred costs more. In most cases there is a standard of commercial best practice which is widely used by the public sector and private industry. This standard, originally published as BS 8470 and now BS EN 15713, governs the secure disposal of sensitive information. Data Eliminate's on-site shredding capability has British government approval in the form of a CESG Claims Tested Mark.
CESG is the information assurance arm of the Government Communications Headquarters (GCHQ), based in Cheltenham. CESG manages approval schemes for various products and services which are used by central government in information assurance. This extends to data destruction.
Destruction through Degaussing
Hard drives, backup tapes and floppy discs are examples of magnetic media. This type of media can be destroyed by a process called degaussing. Degaussing permanently removes confidential data from magnetic devices by destroying the magnetic domains on which it is recorded. Degaussers cannot be used to destroy other forms of computer media such as CDs, DVDs or USB sticks. Likewise, data on mobile phones and on the latest drives that use flash memory, also known as solid-state drives (SSDs), cannot be destroyed by degaussing because nothing magnetic is involved. Optical and flash media must be crushed or shredded to ensure proper destruction of data.
There are other aspects of degaussing about which one should be aware. A degaussed hard drive does not look physically different after the degaussing process. If the procedure is therefore not properly managed, it is possible to get hard drives which have been degaussed confused with those which have not. The advantages of degaussing are that it can be a clean, quiet and quick process which can be completed within a normal office environment. For more sensitive government information a two-stage destruction process is required incorporating both degaussing and physical destruction via shredding or disintegration.
Erasure by Data Wiping
Drives that have been shredded or degaussed cannot be used again. If a customer wishes to reuse media, particularly hard disk drives, the sensitive data on the drive needs to be overwritten using specialist software. The time required to overwrite a drive is proportional to the size of the drive itself: a large drive of, say, 500 GB or 1 TB may take a number of hours. Disk drives are getting bigger all the time, so this is a growing problem, although advances in overwriting technology are improving overwrite speeds. Overwriting has a further problem: many of the disks presented for disposal are at least partially faulty or have bad sectors, so an overwrite can fail part-way through, leaving no option but to physically destroy the drive concerned. Given the time taken to overwrite drives and the software licences needed, it can be more cost-effective simply to destroy the incumbent drive and replace it with another one within the computer or server concerned.
Data Eliminate uses three types of overwriting software: Blancco, Kroll Ontrack and Tabernus. These solutions are approved by CESG to destroy government data up to and including Impact Level 6 (IL6).
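As an added illustration, not part of the original article and not a description of how Blancco, Kroll Ontrack or Tabernus work internally, the following Python script shows the three things a software overwrite has to do: write a pattern over every byte of the device, stop and report failure as soon as a write fails (the bad-sector case that forces physical destruction), and read the device back afterwards to verify that the final pass is really there. The chunk size, the two-pass pattern list, the `writer` hook and the helper names are my assumptions; the sample "drive" is a constructed disk image in a temporary file. Run against a real block device such as /dev/sdb it needs root and is irreversibly destructive.

```python
"""Overwrite-and-verify sanitisation of a disk image or block device (added example)."""
import os
import secrets
import tempfile
from dataclasses import dataclass

CHUNK = 1 << 20  # 1 MiB per write; assumption, tune to the device


@dataclass
class SanitiseResult:
    ok: bool
    passes_done: int
    bytes_written: int
    error: str = ""


def _device_size(fd: int) -> int:
    """Size in bytes via lseek, which works for block devices where
    os.path.getsize() would report 0."""
    size = os.lseek(fd, 0, os.SEEK_END)
    os.lseek(fd, 0, os.SEEK_SET)
    return size


def overwrite(path: str, patterns=(None, b"\x00"), writer=os.write) -> SanitiseResult:
    """Overwrite every byte of `path` once per pattern (None = random bytes),
    finishing with zeros so the result can be verified by reading back.

    Any write error aborts the job and is reported: a drive that cannot be
    fully overwritten (typically an unrecoverable bad sector) must be
    physically destroyed, not redeployed. `writer` is injectable so that
    failure path can be exercised on an ordinary file.
    """
    written = 0
    try:
        fd = os.open(path, os.O_RDWR)
    except OSError as exc:
        return SanitiseResult(False, 0, 0, f"open failed: {exc}")
    try:
        size = _device_size(fd)
        for n, pattern in enumerate(patterns, start=1):
            os.lseek(fd, 0, os.SEEK_SET)
            remaining = size
            while remaining:
                length = min(CHUNK, remaining)
                data = secrets.token_bytes(length) if pattern is None else pattern * length
                try:
                    done = writer(fd, data)
                except OSError as exc:
                    return SanitiseResult(False, n - 1, written,
                                          f"write failed at offset {size - remaining}: {exc}")
                if done == 0:
                    return SanitiseResult(False, n - 1, written,
                                          f"short write at offset {size - remaining}")
                written += done
                remaining -= done
            os.fsync(fd)  # make sure the pass has reached the platters, not just the cache
        return SanitiseResult(True, len(patterns), written)
    finally:
        os.close(fd)


def verify_zeroed(path: str) -> bool:
    """Read the whole device back and confirm every byte is zero."""
    fd = os.open(path, os.O_RDONLY)
    try:
        size = _device_size(fd)
        offset = 0
        while offset < size:
            data = os.read(fd, min(CHUNK, size - offset))
            if not data or any(data):
                return False
            offset += len(data)
        return True
    finally:
        os.close(fd)


def make_demo_image(size: int, marker: bytes = b"CONFIDENTIAL payroll ") -> str:
    """Constructed sample: a temporary file seeded with a marker string, standing
    in for a drive full of sensitive data. Returns its path."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write((marker * (size // len(marker) + 1))[:size])
        return tmp.name


def contains(path: str, marker: bytes) -> bool:
    """True if `marker` still appears anywhere on the device (demo-sized images only)."""
    with open(path, "rb") as f:
        return marker in f.read()


if __name__ == "__main__":
    img = make_demo_image(3 * CHUNK + 17)
    print("before:", contains(img, b"CONFIDENTIAL"))
    result = overwrite(img)
    print(result, "zeroed:", verify_zeroed(img), "marker left:", contains(img, b"CONFIDENTIAL"))
    os.unlink(img)
```

The `fsync` after each pass matters on real hardware: without it the pattern may sit in the operating-system cache while the tool reports success. The read-back pass is the evidence that goes on a certificate of destruction; on a multi-terabyte drive it doubles the job time, which is part of why the article's cost comparison against physical destruction comes out the way it does.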
It is true to say that most customers who are concerned about the sensitivity of their confidential information choose shredding or disintegration as the means of destruction. Data Eliminate enables customers to witness this process either at their own premises or at Data Eliminate's central London destruction facility. Seeing your hard drive turned into cornflake-sized particles is the most reassuring solution.
We have had a number of queries from customers about the SEAP 8500 (Security Equipment Assessment Panel) Degaussing Standard which is referred to in certain documents – official UK Government, NATO and otherwise on-line.
The SEAP Degaussing standard is frequently seen with reference to Weircliffe Degaussers. Weircliffe was a West Country based manufacturer of degaussers which went out of business a few years ago.
The SEAP 8500 degaussing standard is similarly defunct.
Weircliffe degaussers are not sufficiently up to date to reliably erase data on many modern hard drives and magnetic media.
Confusion arises as there is more than one UK or NATO organisation which has jurisdiction over data destruction standards for electronic or magnetic media. References made between, and to, different standards are sometimes out of date. To compound this, there are private sector companies who claim their product complies to a particular standard when (in most cases) it does not.
Finally, the above Degaussing Standard should not be confused with SEAP 8100 – the physical data destruction standard which is referred to in HMG Information Assurance Standard No. 5 – CESG’s Secure Sanitisation Manual.
For advice on data destruction or HM Government Standards please call 0345-1234400.
The New London Walk In Data Destruction Centre based in Transport Zone 1 has reached the final of the Green IT Awards. The Data Destruction Centre enables Government Departments, City of London firms and other organisations to bring sensitive data on electronic media such as hard drives, back-up tapes and mobile phones for immediate destruction and enables the customers to witness the process.
The Secure IT Recycling Centre is located right on one of London's busiest transport hubs for road, rail and underground services, being within 400 yards of two main arterial routes, a mainline rail and tube station and Barclays cycle stations. That makes it convenient to reach and environmentally friendly. It removes the need for lorries and vans to enter the centre of the City, make a large number of small collections and then travel to a distant plant. It also makes it easy for smaller organisations and private citizens to look after their data.
The Central London Data Destruction Centre has made the finals of this years Green IT Awards in the following categories:
• Green IT Best Newcomer
• Environmental Project of the Year (up to 100 Employees)
Excelguard is a new, innovative offering combining services and leading security suppliers, that provides a holistic approach to data protection. The approach combines data discovery and audit from PixAlert; policy distribution and management software from MetaCompliance; eLearning solutions from VigiTrust; secure data disposal from DataEliminate; and risk assessment and remediation services from Excelgate Consulting.
"Despite the constant stream of data breaches reported in the press day after day, many organisations are overlooking some essential steps they need to take in ensuring that a data protection culture becomes permanent," says Phil Stewart, Director of Excelgate Consulting and Secretary and Director of Communications at ISSA UK. "Creating a cultural change regarding data protection in an organisation requires them to think holistically and remember that staff awareness of security policies and training needs to become embedded, and not just a one-off exercise when a new employee joins or changes job role."
Looking at the undertakings published by the Information Commissioner in the UK, committing organisations to improve data protection compliance, there is a common theme running through them. Nearly all the undertakings issued to date (88%) require staff awareness of the organisation's personal data handling policy, and staff training where appropriate. Most of the undertakings also specify "other security measures" against the "accidental loss/destruction [of personal data]". The undertakings also highlight that there are still too many cases where personal data is being left exposed: unencrypted, found in skips or waste paper bins, or left in cars or on trains.
“Excelgate’s exciting new initiative provides customers with a 360 degree solution from setting-up simple and practical measures to deploying high-tech defences,” says Julian Fraser, Director of Data Eliminate, “It’s humans who represent the vulnerability in almost every case. Excelguard addresses that issue head-on.”
Excelguard Features and Benefits
• Comprehensive offering for data protection: from data discovery through to secure data disposal
• Delivers lasting change to corporate culture for data protection.
• Reduces the costs of compliance by ensuring data protection becomes second nature to staff.
• Discovery of both personal data and inappropriate content (audio/image).
• Data discovery highlights training needs across the business.
• Improvement to business processes and technical controls.
• Continual improvement in staff awareness and understanding of security policy through targeted compliance activities.
• Evaluation of staff to ensure they not only read security policies and procedures but that they understand and follow them.
• Evidential weight to validate staff awareness and demonstrate due care.
• eLearning solutions to allow staff training at participant’s pace and paused & resumed as required.
• Training for all company levels from board to end-user: demonstrating both legal obligations and day to day tasks for data handling.
• Secure data disposal means for destruction of personal and confidential data: whether PC, server, memory, disk or mobile device.
• All recycling of electronic waste is compliant with the WEEE Directive with effectively 0% going to landfill.
Julian Fraser will argue that technology, standards and compliance should all take a back seat when it comes to advancing the Information Security message to businesses and the public at large.
According to Fraser, “The information security industry is caught in its own vortex driven by complex technology, compliance and audit regimes. This makes it especially difficult to communicate with those outside.”
“The communication focus around InfoSec should shift to simple measures that can be taken to improve information security even before a computer is switched on,” Fraser suggests, “ Basic data hygiene, protecting sensitive data and disposing of it properly are things people can literally learn at home.”
Fraser urges the industry to find and appoint champions who can communicate such messages to the public at large.
“Once people have absorbed the simpler messages and begun to modify their behaviour, security and compliance might come back to the fore,” he summarizes.
Data Eliminate Director, Julian Fraser, will be participating as a panel expert at the Information Exploitation Event at Security and Policing 2012 at Farnborough, Hants on 31st January 2012.
The panel session is entitled “Security is a Dirty Word” and will explore the humanistic, language and education issues affecting information security as it moves centre stage in public consciousness. Julian will be giving his views alongside fellow panelists, Professor Sadie Crease of Oxford University and Colin Cowan, Head of Group Co-ordination, Intelligence and Investigations Security & Risk, Business Services, RBS.
ITV’s London Tonight featured a news story on Cabinet member Vince Cable on Friday 4th November. The Twickenham MP was exposed for leaving confidential papers in plastic recycling sacks outside his constituency office.
London Tonight sought the views of Data Eliminate Director, Julian Fraser, on best practice with regards to the disposal of confidential information. Julian was interviewed as a Data Protection Expert and explained that most data breaches were down to human error.
Judging by the fact that the whistleblower picked up papers over a number of months, it is clear that in this case there was no secure disposal policy in place and no practical security measures to protect the sensitive papers.
Julian Fraser provides consultancy and advice to organisations on formulating proper data protection procedures. Moreover, Data Eliminate assists with practical measures, which include providing customers with secure containers in which waste paper and computer media can be stored until they can be shredded or destroyed. The secure containers help prevent pilfering and dumpster/dustbin diving.
The recent confidential data incident involving Oliver Letwin came to mind early on Sunday morning.
On weekdays, DE IT Disposals has to deal with bureaucracy, employment, and health and safety regulations like any other business. In many cases we are also in a Catch-22: in order to win an initial contract with a particular organisation we require access to confidential information, but that confidential information is only given to approved suppliers. If we don't have access to the confidential data then we can't quote. These organisations are correctly restrictive in granting access to confidential information. However, when senior officers like Mr Letwin discard constituency and other papers in public bins in St James's Park, it makes a mockery of the system.
Watching Postman Pat and his friends this Sunday morning, I was reminded of Mr Letwin. In this episode:
Pat gives a lift to the lady shopkeeper in his post office van (likely a security and an insurance risk).
The lady shopkeeper lets her pet dog stand on the shop counter on which she sells food to customers (an H&S nightmare).
Postman Pat transports his cat in his van without restraining it in a cat basket (a motoring offence).
When they release the hedgehog in the countryside, Pat and the local vet leave the box in which the hedgehog was transported lying in the field, as litter polluting the environment.
The comportment of Postman Pat, the lady shopkeeper and the vet does not withstand scrutiny under today's professional and commercial standards. Nor does Mr Letwin's.