With GDPR (General Data Protection Regulation) in effect for almost a year now, even US-based companies are feeling its impact and the need to comply with stricter data security policies. Indeed, it likely won’t be long before the US creates its own set of national data privacy laws that all organizations will have to follow. In 2018, leading US-based technology companies called on the federal government to pass a law similar to GDPR, and in February of this year, the US Government Accountability Office made the same recommendation.
For those organizations that do business internationally, the European security mandate must be adhered to as if it were already a rule from the US federal government. If you don’t, the cost could be catastrophic.
The Criticality of Following GDPR
Not complying means subjecting your organization to a fine equaling two to four percent of your global annual revenue for the most recent fiscal year (on average, calculated at as much as $11-24 million). But, it’s not enough to simply ensure your current privacy policies comply with GDPR. Breaches happen to even those US organizations whose existing practices meet those compliance requirements.
You should instead look at the bigger picture and take a thoughtful approach to your data security measures using GDPR as your guide. For one, the GDPR looks at data differently and poses that all private data is owned by the customer, not the business in which it was collected. For another, just because you’ve protected the data from breaches from within the US doesn’t mean the data from your global company couldn’t be improperly accessed outside the country.
Using GDPR to improve all your data-related policies can help you to find any gaps in your current security that could be closed, especially as it relates to data destruction and hard drive end-of-life practices. By putting the customer first over your business, as GDPR stipulates, you can better ensure the protection of personal and otherwise private information when it is no longer necessary to your business.
Think about your customer data and how it is stored. If you’re using a cloud system (as almost all of us are), your data isn’t just housed in one data center, but many, and that data is duplicated across multiple drives to prevent against data loss if a drive fails. For businesses operating outside the US, that means data centers housing this private information you are charged with protecting are not just within the US, but across the globe. Your data destruction policies therefore must address practices for drive end-of-life—something that happens on a regular basis since these drives operate for 24 hours a day, seven days a week, all year long.
Even if you don’t house your data across global centers, but you do business with EU customers who share their private information with your company, your business still has access to their data and therefore you must protect it, even upon disposal. More importantly, under the GDPR, any EU citizen has the right to request their information be eradicated and you must comply and delete the data while maintaining protection even after disposal.
So, how do you ensure your data disposal policies comply with GDPR for drives as well as for customers halfway across the world?
GDPR-Compliant Data and Drive Destruction Best Practices
GDPR requires your organization to place someone within the company in charge of overseeing and managing the compliance policies. Dubbed the Data Protection Officer, this person will be your key authority on data disposal and drive destruction as it relates to the GDPR. Along with this person, you’ll want to create a small group of personnel also within the US that will have the authority to access your company’s data.
At the very least, your Data Protection Officer should be on-site for drive destruction that occurs outside the US, such as if a drive in one of the data centers where your data is housed reaches end-of-life. It is crucial to have this person on-site to ensure your GDPR-compliant data and drive destruction policies are being followed. For one, this ensures control over who is accessing your data. For another, without this person present, you are blindly trusting that your data and drives have been properly disposed of, and that the person carrying out the disposal is not lying to you when they tell you the proper practices have been completed. What if this person, who reported to you that the data was properly destroyed, instead sold that data to a third party in another country or to a cybercriminal on the dark web? Sure, you can take legal action against this person after the breach has come to light. But the fallout from the breach itself can’t be stopped once it’s begun.
It’s therefore extremely important to require your Data Protection Officer or someone within your authorized personnel group to be on-site for outside-US data and drive destruction, and that this person must provide an audit report for the data and drive destruction event.
For drive destruction within the US, your Data Protection Officer and authorized personnel should manage the disposal process from start to finish. It’s recommended that you create a private space within your organization to house a data and/or drive destruction machine, rather than work with a third party off-site. We have data destruction machinery that is compliant with GDPR stipulations. It may also behoove your organization to keep a record audit of the disposal to prove your company’s compliance to GDPR in the event a breach does occur.
Weighing the True Costs of Data Breaches
We already mentioned the massive fine that will be issued by the GDPR Supervisory Authorities for an organization under GDPR that is found to be noncompliant when the breach occurs. Then there’s the typical range of costs associated with data breaches including legal fees for any counselling or action taken by the company in its defense, civil and criminal penalties under US federal regulations and, of course, potential lawsuit payouts. Factor in the non-financial costs to your business, such as a loss to your reputation and integrity, along with a loss in your customer base, and you’re looking at a total cost to your organization that could severely impact its existence.
The irony is that by planning for the worst and investing in a team as well as the necessary on-site data destruction machinery, you can save your company’s standing as well as its revenue. Operating under GDPR rules includes making sure your company has the proper data and drive disposal methods that are deemed GDPR-compliant. SEM has plenty of affordable options, and when all things are considered in the aftermath of a breach, this technology provides protection at a fraction of the price it would cost if you were to experience a breach.