How GDPR will affect data disposal

An increasing number of businesses are recognising the benefits of recycling their computer hardware instead of destroying it. Cleansing data and then allowing a company to reuse their older obsolete computers is a cost-effective way to upgrade a system. However, making sure that confidential data is properly wiped is of paramount importance. Not doing so would risk leaking confidential information to the public.

One way of tackling this problem is the GDPR. The General Data Protection Regulation was created in order to protect the privacy of citizens of the European Union. By the end of May 2018 all companies within Europe and those who may have European customers must follow the new rules dictated by the regulation. Failing to do so will incur significant sanctions and fines.

How does it relate to data disposal?

One of the benefits of the GDPR is the ability for users to be better able to delete unwanted or incorrect information about them from the internet. The “right to be forgotten” has now been replaced by a “right of erasure”. Data subjects can now request personal data be deleted. One of the reasons one can put forward for this is “lawlessness”. Therefore, if data is leaked in a way that breaks the law the victim now has an increased amount of power when it comes to controlling the amount of damage the leak will cause.

In the event of a data leak the data controller is legally obliged to notify the authorities. They must do this within 72 hours or they will be in breach of EU rules. Individuals must also be notified if the data leak is likely to adversely affect them.

What must businesses do?

Under the new rules an organisation is legally obliged to ensure that the data stored on recycled computers is destroyed in a safe and irreversible manner. This must be done as soon as the hardware’s use and retention period has expired.

Therefore businesses should make sure that all data on decommissioned hardware is erased, whether it be the company’s own or information stored on other people. The EU has recognised that cyber criminals are using misplaced data stored on disposed computers. A company must never assume that their data is inaccessible just because the hardware is severely damaged. Under these new regulations said data may only be destroyed by an approved and certified method.