How to create a Data Disposal Policy

Organisations of all types and sizes now have an ethical and legal obligation to dispose of data systematically and effectively. It is a central theme of the GDPR, for example, and a key element of being totally accountable and transparent in data protection.

Many organisations already have a written policy on the whole topic of data management, asset governance and cybersecurity. However, it’s good management practice to also have a specific Data Disposal Policy.

This then needs to be communicated effectively to all staff, updated regularly and policed!

What goes into a Data Disposal Policy?

The first thing to set out in your Data Disposal Policy is the reasons it exists, and your organisation’s targets on this vital topic. This provides focus and credibility, showing why adherence to the policy is so important.

For example, your targets could be: disposal of time-sensitive and confidential data in a systematic manner; ensuring this is completed across all devices the organisation uses; cleaning or destruction of computer systems, electronic devices and electronic media when appropriate; and IT disposal that takes proper account of data destruction and also leads to reuse or recycling of hardware. IT recycling links with your organisation’s Environmental Policy.

Clarity on who the policy is aimed at is important, including which suppliers and subcontractors are covered by its mandates.

You need to create a series of measures that provide a framework for safe data disposal. This would be a step-by-step guide for the entire lifecycle of your data management, from how long (and in what format) your company stores short-term data to complete data wipes when migrating to new systems or switching to new devices.

The Policy should also include the systems and timescales for monitoring and measuring commitment to the actions mandated in the policy.

It’s recommended that the policy includes consequences for noncompliance. This is usually a notification that staff who violate the mandates will face disciplinary action. Everyone must adhere to proper administrative processes, whatever their job role.

Data Disposal Policy helps flag up issues

Include contact details within your Data Disposal Policy. This should signpost your Data Protection Officer or other team members responsible for data management and IT asset management.

Also, what is the reporting procedure for issues with data storage and disposal? Anyone covered by the Policy should have a clear line of responsibility to follow, enabling them to ask questions and raise concerns with ease.

Audit regularly

Having a Policy in place is the first step, but you need to audit yourself against its mandates regularly to be sure it is being consistently and measurably applied. A schedule for regular checks should be built into the policy.

For advice and services related to data wipes and IT recycling, please contact AssetCare. We are always happy to help customers plan ahead, as well as dealing with current IT disposal needs.