You and your organisation have an obligation under the GDPR to ensure the irreversible, safe destruction of data in any form once its use and retention period have expired. This is to protect against unlawful or unauthorised access to that data. The obligation doesn’t apply only to live data but to any data, whether your own or other people’s, that is stored on decommissioned IT hardware.
The theft and sale of stolen or misplaced data for illegal purposes is becoming highly lucrative and is a fast-growing sector of the black market. Sophisticated criminals use expert knowledge to steal valuable information, and one of the major areas they prey on is data left on broken or disposed-of IT hardware. Don’t assume that because an IT item is broken it is data safe; more often than not you would be wrong. The only data-safe option once an item is broken is to have it destroyed by a certified and approved method.
To comply with the GDPR and avoid large fines and bad press, it is critical that when you approach IT disposal you choose an appropriate, compliant service provider; even when you try to do this, it is easy to fall short and end up with a ‘bodge job’ set-up. Sadly, the vast majority of IT recycling organisations (which were set up after the WEEE regulations came into law in 2007) are barely competent at ensuring data sanitisation of simple storage devices such as hard drives, never mind items such as firewalls, IP phones and routers.
We have put together a simple checklist to help you protect your business and yourself.