Physical Security

Confidential data disposal views

by Mark Rowe

Small and medium-sized enterprises ignore the storage and disposal of confidential information at their peril. That’s according to a computer hardware and data destruction company, pointing to the Government’s regulator scrutinising private sector breaches of data protection.

Julie Pickersgill, operations director of Harrogate-based Advanced Digital Dynamics (ADD) Ltd, says that small and medium-sized enterprises often fail to understand the impact of failing to have secure systems in place to dispose of private data. She warns that companies falling foul of the law risk their reputation – and possibly their business – as fines can run into six figures for data law breaches.

On data destruction and IT asset disposal, the firm says, ignorance is not bliss. No matter who deals with the operational aspect of data protection and destruction, the business owner is ultimately accountable. This is even the case where an external company has been hired to destroy data. One case saw a Scottish council fined £250,000 after sensitive documents were found in supermarket waste bins. The Scottish ICO (Information Commissioner’s Office) said the local authority had ‘taken their eye off the ball’ when out-sourcing and not carried out sufficient checks on the provider.

What are the necessary steps that businesses can take to ensure that they are fully compliant? ADD suggests:

· Brush up on the difference between onsite and offsite destruction. Offsite methods increase the risk of losing data before it can be destroyed, whereas onsite methods enable you to stay close to the process and minimise risk.

· Beware of “free recycling” services. Reputable service providers will recycle redundant equipment or sell it on for re-use, and any value realised can be offset against the costs of data destruction and disposal. With an unconditionally free service it is difficult to prove your duty of care and due diligence.

· Put someone senior in overall charge of the process, who can bring together relevant departments and allocate responsibilities, and who understands the consequences of poor security procedures.

· Run regular staff training for key people on information security procedures. If necessary bring in specialists to advise.

· Be mindful of data classifications. Aggregation and accumulation of data often occur at the disposal stage where assets of all types are merged together, and it is then impossible to distinguish between lower and higher risk types of data.

· Ensure you accurately itemise and identify all equipment marked for removal and its data-bearing status; this should be agreed at the point of sign-over and transfer. Maintain detailed records so that, if required, you can provide full end-to-end traceability.

· Be vigilant about where any redundant equipment is stored before proper disposal. Stacking PCs in a corridor potentially leaves your accountability in tatters, so ensure that access is secure and controlled.

· Don’t be tempted to accelerate the process by removing hard disks before the specialists take over, as these must be tied up with serial numbers on the originating asset to fulfil traceability requirements.

· Be diligent when checking third-party credentials and ensure that you are confident about their systems and their personnel. Remember you are still liable for their actions.

· Have robust service agreements in place and carry out regular audits; this will demonstrate that you have carried out your due diligence.

About Advanced Digital Dynamics Ltd (ADD)  www.add4it.com

ADD, based in Harrogate, Yorkshire, has been a distributor of computer hardware for 16 years. The company’s services include onsite secure data destruction and disposal of old hardware. ADD is the official UK and Ireland distributor for BarracudaWare and StorageCraft data backup products.

© 2024 Professional Security Magazine. All rights reserved.