While data privacy conversations have traditionally revolved around identity theft, GDPR prioritizes the fiduciary responsibility for all sensitive and personal information. GDPR mandates data privacy across all storage media and within all facets of an organization, which requires a comprehensive compliance program that includes data destruction.
Safeguarding sensitive data throughout an organization is critical and includes such protective measures as firewalls, passwords, physical security measures, encryption, and employee training. Equally critical is end-of-life drive destruction to ensure that PII is never leaked or breached from a failed or discarded drive.
Because PII is literally everywhere, including stored emails and passwords, login information, and transactional history, as well as medical, financial, and employee records, basically ALL stored data contains some type of PII. Further, because GDPR mandates a significant financial penalty for data breach and leaked PII — 20 million Euros or four percent of annual global turnover, whichever is greater — ensuring that PII is never leaked or breached must be of critical import to all organizations.
To illustrate the pervasiveness of PII, let’s look at the medical industry: a healthcare provider possessing sensitive patient data in the form of medical records is obvious. What would not be so obvious would be the numerous other places where a patient’s PII may reside. The scheduling department keeps PII such as address and birthdate, the billing department has financial and insurance information, while the marketing department may possess email and browsing data for patient communications. And let’s not forget the backup servers. Personal data is literally everywhere.
Because data today is stored on servers or in the cloud (which is still data stored on a server, just in a data center), a comprehensive data disposition program should always include drive destruction so that personal data is not compromised at end-of-life. Any organization that inadvertently leaks data through a discarded or recycled drive is still financially responsible for the leak.
With stories of data being retrieved from drives purchased on eBay and PII procured from dumped drives in Africa being sold to criminals, it is clear that data security at end-of-life requires attention. There is no better way to ensure that sensitive data never falls into the wrong hands than to completely destroy the drive at end-of-life.