Data retention minefields: Disposing of data will only grow more pressing

With over 50 years’ expertise in secure data destruction, we understand the regulatory landscape around destroying data is only growing more complex, trickier to navigate, and perhaps most importantly: more costly.

Aside from the risk of heavy fines, securely and compliantly destroying data is essential to protecting your personnel, your customers and your corporate reputation from information breaches or loss. In other words, the financial consequences of non-compliance can reach well beyond the fines themselves.

The General Data Protection Regulation (GDPR) - and other similar legislation - imposes severe penalties on companies that fail to protect personal data. GDPR, of course, is only the beginning. Internationally, governments have reacted quickly to public concern about data loss, with a host of similar legislation springing up over the past 5 years:

So international organizations not only have to grapple with GDPR, which binds any company doing business in Europe and many outside it that handle the personal data of people in the EU, but also with the extra layers of complexity added by the legislation listed above, which is being developed and implemented all the time. The new regulatory landscape is uncompromising and unforgiving. The public now expects their data not just to be managed with care, but to be disposed of when it is no longer required.

The fines attached to non-compliance around destroying data are also growing in scope, and regulators have shown they are willing to enforce them. We spoke to one of our most experienced Records Management experts to gain a better understanding of where these risks are most likely to be found, and to highlight some illustrative examples. We have also provided a brief primer on how exactly data ought to be destroyed.

What our Records Management experts say:

Peter Foy, our Quality and Compliance Manager in North America, is well acquainted with advising clients on risk assessment.

One aspect of this is personal data, and it will matter even more over the next five to ten years. The scandals and mismanagement of data that drove the adoption of GDPR have left companies facing hefty penalties and fines when they get it wrong.

“One of the big changes is the definition of, and penalties for, disclosing Personally Identifiable Information (PII) now; so should the materials (and not just paper records, but electronic data in the form of hard drives, etc.) not be disposed of properly, i.e. shredded, you’re at serious risk of fines. Remember that what constitutes PII has been broadened through recent legislation too, so you may not be up to date in your assessment of risk.

There could also be several fines depending on where you are and what was breached, due to GDPR’s and many other laws' extraterritorial reach. You could also potentially face greater liability in the form of civil lawsuits from those whose PII was breached should it get into the wrong hands.”

He also explored a different area of risk: physical documents, often overlooked in more digitally oriented organizations, can be a liability in their own right.

“If you don’t destroy them when you are legally able to destroy, this could potentially be a ticking time-bomb. This is something courts will actively look at: how long was the time lag between the ability to destroy and when it was destroyed?

If you don’t destroy something that you could have and face any kind of legal action, you may be obliged to produce those documents and the consequences of what they contain. However, if you destroyed them, then you can simply produce evidence that they have been destroyed and face no further ramifications.”

Stricter penalties as the law hardens

As you're probably aware, under the GDPR and similar laws internationally, companies that fail to protect customer data face potentially crippling fines from their national supervisory authority (in the UK, the Information Commissioner's Office, or ICO). The GDPR allows fines of up to 4% of the offending organization's worldwide annual turnover for the previous financial year, or EUR 20 million, whichever is higher.

Previously, under the Data Protection Act 1998, the ICO could fine a company that breached data protection law at most £500,000 (around US$650k). To most of the larger organizations that manage a lot of data, that amount is almost insignificant relative to the severity of a breach.

Now the penalties are stricter than ever and there are many examples of massive corporations that have been hit with equally massive, public fines.

As just one example, following an extensive investigation, the ICO announced in July 2019 that it intended to fine British Airways for infringements of the GDPR.

The proposed penalty was £183.39m, approximately US$230m (the fine actually imposed in October 2020, after representations from the airline and the effect of the pandemic were taken into account, was £20m). Even the reduced figure dwarfs the previous ceiling of roughly US$650k, and the headline number shows the scale regulators are now prepared to contemplate.

User traffic to the British Airways website was being diverted to a fraudulent site, through which customer details were harvested by the attackers. Personal data of approximately 500,000 customers was compromised in this incident, which is believed to have begun in June 2018. The lesson for retention is that every record of personal data you hold carries liability from the moment you collect it, so keeping data beyond the point at which there is a genuine business case for it only adds to the exposure.

Famously, the Cambridge Analytica scandal involving Facebook featured considerably in the news during 2018 and 2019. Because the conduct pre-dated the GDPR, Facebook was fined the maximum then allowed under the Data Protection Act 1998: £500,000. Had the GDPR been in force, the ceiling would have been 4% of Facebook's global annual turnover, a figure running into billions of dollars.

This shows the importance of injecting rigor into policies around data retention, part of which relates to securely destroying data you no longer require.

So how is data “securely destroyed” anyway?

Secure destruction is the process of destroying information on tapes, disks, paper documents, graphs and other forms of electronic and physical storage, to the point that it is completely unreadable and cannot be accessed or used for unauthorized purposes. When electronic data is deleted, it is merely no longer readily accessible through the operating system: the file's directory entry is removed, but the bytes remain on the medium until they happen to be overwritten, and a quick reformat of a hard drive leaves them in place just the same. Deleting a file is therefore not enough; data destruction tools must overwrite the data (or, for flash storage and self-encrypting drives, use the device's own secure-erase or cryptographic-erase function, or physically destroy the media) and verify the result before the data can be considered irretrievable.
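The distinction between deleting and destroying is easiest to see on a block device, so here is an added illustration (not code from Crown Records Management or from any destruction product): a hypothetical toy disk with a directory of file names and a free-block list. "Deleting" drops the directory entry exactly as an OS unlink or a quick format does, while "sanitizing" overwrites the blocks, verifies the overwrite by reading them back, and only then releases them. A raw scan of the image, which is what a forensic tool or a data-recovery utility does, shows the difference. The customer record and card-number marker are constructed sample data.

```python
"""Toy block device: why 'delete' is not 'destroy' (added example, hypothetical device)."""
import secrets

BLOCK_SIZE = 16  # bytes per block; tiny so the image is easy to inspect


class ToyDisk:
    """Hypothetical block device with a directory, modelled on a simple filesystem."""

    def __init__(self, n_blocks=32):
        self.blocks = [bytes(BLOCK_SIZE) for _ in range(n_blocks)]
        self.free = list(range(n_blocks))
        self.directory = {}  # file name -> ordered list of block indices

    def write_file(self, name, data):
        n_needed = max(1, -(-len(data) // BLOCK_SIZE))  # ceiling division
        if n_needed > len(self.free):
            raise OSError("disk full")
        indices = [self.free.pop(0) for _ in range(n_needed)]
        for k, i in enumerate(indices):
            chunk = data[k * BLOCK_SIZE:(k + 1) * BLOCK_SIZE]
            self.blocks[i] = chunk.ljust(BLOCK_SIZE, b"\0")
        self.directory[name] = indices

    def read_file(self, name):
        return b"".join(self.blocks[i] for i in self.directory[name]).rstrip(b"\0")

    def delete_file(self, name):
        """What an OS unlink or a quick format does: drop the reference, keep the bytes."""
        self.free.extend(self.directory.pop(name))

    def sanitize_file(self, name, passes=1):
        """Overwrite every block the file occupies, verify, then release the blocks.

        This is the overwrite ('clear') approach NIST SP 800-88 describes for magnetic
        media; it is not sufficient on flash storage (see the note after the block).
        """
        indices = list(self.directory[name])
        for _ in range(passes):
            for i in indices:
                self.blocks[i] = secrets.token_bytes(BLOCK_SIZE)
        for i in indices:
            self.blocks[i] = bytes(BLOCK_SIZE)
        # Read-back verification: an overwrite that is not verified is only a hope.
        if any(self.blocks[i] != bytes(BLOCK_SIZE) for i in indices):
            raise RuntimeError("overwrite verification failed")
        self.delete_file(name)

    def raw_image(self):
        """Every byte on the medium, referenced by the directory or not."""
        return b"".join(self.blocks)


def residual_data_present(disk, marker):
    """Scan the raw image for the marker, bypassing the directory entirely."""
    return marker in disk.raw_image()


def demo():
    """Return what a raw scan finds after 'delete' versus after sanitization."""
    # Constructed sample record standing in for one row of customer PII.
    record = b"customer:Jane Doe;card:4111111111111111;dob:1980-01-01"
    marker = b"4111111111111111"

    deleted = ToyDisk()
    deleted.write_file("customers.csv", record)
    deleted.delete_file("customers.csv")

    sanitized = ToyDisk()
    sanitized.write_file("customers.csv", record)
    sanitized.sanitize_file("customers.csv")

    return {
        "after_delete": residual_data_present(deleted, marker),      # True: bytes still there
        "after_sanitize": residual_data_present(sanitized, marker),  # False: overwritten
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should carry over from the toy to real media. First, a real filesystem keeps more copies than the toy does (journals, snapshots, backups, temporary files), so file-level overwriting misses data; sanitization is done on the whole device, not on individual files. Second, SSDs remap logical blocks through wear levelling, so overwriting a logical block does not necessarily touch the physical cell that held the data; for flash, use the drive's built-in ATA Secure Erase or NVMe sanitize command, cryptographic erase on a self-encrypting drive, or physical destruction, and keep the verification record and certificate as evidence.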

At Crown Records Management, your information is protected at every stage of the process from collection to transportation to final destruction. If required, waste sacks, locked consoles, bins or containers can be provided onsite to safely store information before collection. Collections are undertaken by trained and vetted staff. Our centers are secure, and access is restricted to authorized personnel only. After your materials have been destroyed, we issue proof and a legal certificate of destruction.

Securely destroying data and doing it on time is critical to any business. As we’ve explored, these legal requirements will only grow increasingly complex in the coming years. What this means for you is that understanding how your organization creates, disseminates and retires data holistically should be a foundation of how you do business. The stories we’ve examined showcase the now serious financial implications of not having a destruction process in place.

Want to know more about secure destruction? We have a complete guide on secure destruction coming out soon. Sign up here to get notified when it’s out.