Failing to destroy data held on storage devices and equipment can have devastating consequences for your business. The change to the data protection regime in May of this year, when the General Data Protection Regulation (GDPR) was implemented across Europe, including via the Data Protection Act 2018 in the UK, increased the risk for companies that fail to comply with data laws. Not only were fines and the powers of regulators increased, but the change in legislation raised awareness of data issues amongst an increasingly proactive consumer pool. This article sets out some of the key risks to businesses that don’t get rid of old data.
Loss of control of data
Failing to erase commercially sensitive and personal data from devices before their disposal, sale or return can lead to valuable knowledge being lost to third parties and even competitors (for example, if equipment is passed on). Even worse, the personal data of employees, customers or contacts may be transferred in breach of your obligations under the GDPR.
Time costs associated with data breaches
As well as the direct impact of a data breach, which we explore below, companies often underestimate the time costs associated with managing a data breach. Employees may be required to assist the regulator with investigations, to field and respond to queries from third parties, and to work to restore the company’s reputation.
Fines from regulators and disruption to the business
Data protection legislation applicable throughout Europe, and in many instances elsewhere in the world, means regulators are empowered to levy fines of up to 4% of global turnover or 20 million euros, whichever is higher. Not only this, but regulators can enter a business and require it to stop processing personal data if they have concerns. For some businesses this will have the catastrophic effect of requiring them to pause all business operations. A regulator is most likely to intervene or fine a company in the event of a data breach, but it can also choose to take such action in response to a general failure to comply, which includes not protecting personal data, for example by not disposing of it correctly.
Individuals and companies whose data is affected by your failure to dispose of it correctly can bring direct claims against you for their losses. We have seen class actions arise out of data breaches and expect these to increase under the new regime. Furthermore, some companies might even look to pass on their own fines if they feel an alleged failure to comply on their part has been caused by your actions (or lack thereof!).
Failing to take data protection and confidentiality seriously can lead to significant damage to your brand, whether or not you operate in the consumer space. Disorganisation in this regard suggests a lack of respect for personal and commercial confidentiality. With such issues taken increasingly seriously by an aware public, this could have a significant impact on your bottom line.