As of 2022, data breaches could quite literally cost your organisation 5% of top-line revenue, and those are just the legal costs.
So how do you even get started creating a comprehensive policy that ensures you’re disposing of data you need to dispose of, retaining what you need to keep, and guaranteeing that you have a record of all this retention and destruction?
We’ve prepared a simple, nine-step guide for just this topic. This introduction should at least give you a rough idea of how to get started with policymaking around secure data destruction.
1. Review what data you are storing and why
The very first question to ask is whether the data you are generating is needed or not. Re-engineering your entire data flow can save a lot of money in the long term. This process is a about risk management – which is something we’ll come back to time and again. Is the data you are storing valuable enough to warrant the risk associated with it?
2. Find out what information you have in the business
The next step for any business is to identify what data they have. Do you know what’s inside all those boxes? Does every record — physical or electronic, have a retention schedule? Is there any data in storage that is past its retention date and doesn’t need to be kept? We’ve seen businesses keep data for 10 years as part of historic policy, not realizing they are breaking the law because some of those records should be destroyed after five years. If you are storing personal data from anywhere in the world it is vital to understand whether you have permission to do so and how long, you can keep it. So an information audit, a retention schedule, and a secure destruction policy go hand-in-hand with lower risk.
3. Search your servers for ROT: Redundant, Outdated & Trivial Data
Boxes in storage are not the only place to search for data being kept unnecessarily. Servers across many businesses are full of data that is being kept even though it offers little or no insight. In some cases, this information is being kept in case it can be useful in the future, but more often because nobody thought to delete it. This might include duplicates because of forwarded emails, print-ups, and home working, but also data which was collected without any purpose. All ROT and dark data should be identified in an information audit and labelled for secure destruction.
4. Decide what to destroy and what to keep
Most businesses decide that there are certain types of documents that don’t need to be destroyed – and some that do. The equation to balance here is the cost of destruction against the level of risk, and this might depend on the type of data generated. Do you aim to be totally safe by destroying everything at source that doesn’t have to be kept? For instance, by insisting every bit of paper goes into a secure destruction bin at the office and is then removed by cleaners at the end of the day to be destroyed. Or do you want to focus only on sensitive data or data with a strict retention deadline? There is a cost analysis to make, too. Destroying all physical data is safer but also more expensive; this is something to discuss with your outsourced secure destruction partner.
5. Talk to your secure destruction partner about your needs
Many companies have found that trying to manage everything onsite themselves brings significant complications, especially if they generate a lot of data. By outsourcing it to experts, they can jointly decide on a policy and service that meet the needs of the business.
6. Consider the environment
When it comes to hard drives, there is a big decision to make. It is far better for the environment if they can be reused but this must be balanced against risk. Data can never be completely 100% removed – if a criminal is expert enough, and has the right equipment, they may be able to retrieve some of it even after it has been reformatted. If you have 50 old PCs in the office, and you know they haven’t had carried high levels of data (maybe everything is kept in the cloud or on a separate server, for instance) then destruction may not be required. Think instead of donating the equipment as part of your CSR campaign, perhaps to a school. The boost to reputation and the social media content generated are added bonuses.
7. Choose how often you destroy data
This is another decision which balances risk and cost. Destroying data as often as possible is clearly preferable, but also more expensive. It’s worth considering that less frequent secure destruction can lead to overflowing bins and increased risk – especially if it puts employees off using them. Similarly, a high volume of electronic data can slow down servers, cost money, and increase the risk of data breach. Businesses often like the idea of ad hoc collections – and this has been particularly prevalent during the pandemic, although this may come with added risk and cost. The bottom line is data and documents which no longer need to be kept should be destroyed as soon as possible after their retention date. Saving them all up for a big destruction burst once every year or two may seem cost effective, but it comes with a higher risk.
8. Choose your method of secure destruction
There are many methods of secure destruction and choosing the right one, in partnership with your secure destruction partner, is the next step. The answer is likely to be influenced by cost, by the type of data and by that magic word ‘risk’. How big a risk is it to the business if the data ends up in the wrong hands? All methods of secure destruction come with a certificate of destruction and confidence that the data is now irretrievable, but there are parameters. Shredded paper still exists at the end of the process, so for highly sensitive data a business may also want it pulped. Degaussing removes data from hard drives, but some companies will also want the hard drives ground down to dust. There are choices to be made.
9. Educate your employees
Once a secure destruction schedule is in place, it is vital that businesses also educate staff about how to abide by it. What bins should they use? What data must be destroyed and what doesn’t? What processes are in place in the workplace? Be realistic when approaching these questions. If you’re expecting employees to walk 50m to put paper records in a bin, the reality is they probably won’t do it. Hotdesking can also add to data risks in terms of personal data left on desks for others to see, so education is required to ensure data is being destroyed – and that people understand the value and sensitivity of it. Education and training are vital. But, of course, the most important thing is for a business is to start their data destruction policy journey – before it’s too late.