GDPR is a term that may sound vaguely familiar. The acronym, which stands for General Data Protection Regulation, was all over the news earlier this year. In short, GDPR is a set of rules implemented by the European Union to give EU citizens more control over their personal data. Its creators have called it the most important change in data privacy regulation in 20 years.
The world produces 2.5 quintillion bytes of data a day, and 90 percent of all data has been produced in just the last two years. Research group IDC predicts that by 2025 the world will be creating 163 zettabytes of data a year. (A zettabyte is one trillion gigabytes.) Since just about everyone today has personal data registered with banks, government institutions, healthcare providers, retailers and social media companies, GDPR has big implications for the businesses that collect, analyze and store that data—everyone from the smallest local store all the way to federal governments.
GDPR was created to ensure that organizations that are gathering data do so legally and that there are safeguards in place to protect that data once the consumer has handed it over. While developed in the EU, GDPR applies not only to organizations operating there but also to organizations elsewhere that offer goods or services to customers or businesses in the EU. This ensures a long reach that extends to major corporations no matter where they’re headquartered. With fines for non-compliance of up to 20 million Euros or four percent of annual global revenues, the stakes are higher than they’ve ever been for companies handling personal data.
How Does GDPR Relate to Active Servers?
GDPR obviously impacts the data stored on hard drives. For data stored on an active server, Article 15 of the GDPR guarantees that individuals can obtain their personal data from companies and discover how it’s being used. In order to respond to such subject access requests, organizations must be able to find that data on their active servers. Under Article 17, known as the “right of erasure,” an individual can request erasure of his/her personal data on one of several grounds and an organization must be able to prove that they can erase data properly and permanently.
The GDPR states that, “companies can reduce the probability of a data breach and thus reduce the risk of fines in the future, if they choose to use encryption of personal data.” Should the worst occur and there is a loss of media containing personal data that is likely to result in a risk of physical, material or non-material damages such as discrimination, identity theft, financial loss or damage to reputation, under GDPR this must be reported to the data protection authorities and would put the company in line for potential fines. As a form of risk management, having a data encryption policy in place is a win for the consumer as well as for the company.
How Does GDPR Relate to End-of-Life Drives?
Once data-bearing devices are scheduled for destruction, companies need to maintain and document a chain of custody throughout the destruction process. Working with a GDPR-compliant secure data destruction provider who can generate an audit trail for each step of data destruction is necessary to prove compliance with GDPR regulations.
Where Can I Find a GDPR-Compliant Recycler?
A GDPR-compliant secure data destruction provider such as Quantum will be fully accredited with relevant credentials such as:
- EPRA Reuse and Refurbishment Approval
- ISO 14001:2004 Environmental Management System
- NAID Membership
An appropriate secure data destruction provider will also give you a Certificate of Destruction at the end of the process.
If you would rather not worry about GDPR compliance and all that it entails for your data destruction needs, contact Quantum and discuss in-house destruction with their on-site portable shredder. You’ll avoid unnecessary complications and rest easy knowing that your data destruction will be safely taken care of and the security needs of your customers are top of mind.