GDPR WARNING: Why Not Shredding Your Data Could Cost Your Company Millions
Contributed by Sussex SEO
19 October, 2018
The GDPR (General Data Protection Regulation) came into effect in May 2018, with the aim of introducing new rules to govern the acquisition, processing, and storage of various forms of personal data. This personal data is limited to only that of EU citizens. What this means is that any business in possession of EU citizens' data must comply with the provisions of the GDPR.
The GDPR covers the storage and management of all types of personal data, regardless of what form a company stores it in.
An essential element of the GDPR's rules is that companies must take a much stricter approach to securing stored information and handling data breaches. Failure to comply leaves the business liable to a fine of up to EUR 20 million. Alternatively, the business could be fined 4% of its global turnover.
As can be seen, failure to properly manage client data leading to a breach of GDPR rules can result in costs running into the millions.
"Companies have to focus on not having data stolen or lost due to failure to properly store or shred data on their part. By paying attention to how and where data should be stored, and how it should be destroyed, companies operating in the EU stand a better chance of avoiding GDPR fines," adds Daniel Barns from Advanced Data Recovery.
Your approach to data destruction has to comply with GDPR rules. If your current approach doesn't, it is crucial to create a plan that complies with GDPR provisions regarding proper data handling, storage and destruction. You can get on the right path by first carrying out an overview of how your company operates, to get a clear understanding of how and where data in your possession is processed.
This isn't always as simple as it sounds because, contrary to common assumption, data may be stored on a variety of servers both inside and outside a company. Data may also be used or stored on various company computers and devices, including employees' own devices (private laptops, tablets, and so on).
There can also be cases of data being stored in print as paper copies. This in particular can be a big problem when it comes to GDPR compliance, as there is no specific laid-down process for the safe destruction of such data. Avis Budget Group recently had to deal with this problem.
The danger of not effectively wiping old computers before throwing them out
Special focus also needs to be given to private and sensitive data left on corporate computers that are thrown out or given away. More attention is being drawn to the fact that innocent and not-so-innocent people have been purchasing second-hand laptops and computers from companies. Those with the right technology can retrieve sensitive information from the hard drives of these computers. This can happen even if the computer was formatted before being thrown out or sold: a format typically rewrites the filesystem's index of files, not the blocks that hold their contents, so the contents remain on the disk. With the right data recovery software, a person (such as a cybercriminal or thief) can retrieve sensitive information such as login details, bank statements, and more from discarded company computers. In most cases, the company is under the impression that the systems have already been completely wiped clean, when in reality the data is still retrievable.
Many previously-owned hard drives on the open market today still hold recoverable data, which can pose a data breach risk for companies and their clients alike. An Information Commissioner's Office (ICO) report recently revealed that from hundreds of hard drives purchased from an auction, more than half of the drives still had sensitive information from their original owner on them, including passport screenshots, bank statements, and medical records - all of which could be used for blackmail, fraud, identity theft, and other crimes.
A study undertaken by Dr. Simson Garfinkel involving 236 hard drives purchased online from eBay revealed a similar problem. Over 300 unique credit card numbers were recovered from 7 of the hard drives in Garfinkel's study. Another of the hard drives turned out to have been part of an ATM and contained 827 distinct PIN numbers. Yet another hard drive came from a medical centre and contained over 11,000 distinct pieces of patient information, including credit card numbers. A further study was carried out by Kessler International: of a hundred hard drives randomly purchased, forty were found to still contain recoverable sensitive information, including banking details, corporate spreadsheets, business finance records, personal information, emails, user logins, and other data.
All these studies point to one crucial fact: companies need to take all necessary steps to comply with GDPR rules concerning the destruction of data, especially when getting rid of the devices the data was formerly stored on.
For a more comprehensive perspective regarding the dangers and the potential costs of failing to properly wipe data from a system or shred data, here are just a few examples of sensitive data that can fall into the hands of cybercriminals:
- PIN numbers
- Passport numbers
- Employee records
- Email addresses
- Driver licenses
- Credit card numbers
- Social security numbers
- Phone numbers
- Personal addresses
- Health data
- Bank account numbers
- Tax records
With this data, a cybercriminal can commit identity theft with ease. Criminals can commit credit card fraud, employment-related fraud, loan fraud, bank fraud, phone or utilities fraud, and even tax fraud with this data. Any one of these can cost a company millions, and that's not counting GDPR fines.
Following the provisions of the GDPR concerning the management and destruction of data is essential for all companies operating in the EU. If your company operates within the jurisdiction of the GDPR, it's in your best interest to follow the regulations to prevent millions in fines, as well as the incalculable cost that comes with cyber-theft.