The Importance of Having Policies on Data Destruction
Nowadays, as the cost of storing data decreases, our collection and creation of data increases just as quickly. We have difficulty letting go of old data in case we may be able to use it again. So with lowering costs in data storage, we store more and more of our data. Many organizations (e.g. Google) actually need their data and use it more often than others, so they never have to get rid of any of their information. However, do businesses that are not in the same kind of work as Google really need to store all that information? Is that information really needed at all?
Data Destruction Policies
Like an old hermit who doesn’t like to throw anything away, companies that store data (and probably have 5 to 10 years of data they have never gone back to) end up drowning in their own digital data swamp. There is a high probability that much of that stored data is outdated and unusable. If you haven’t gone back to it in 5 years, then it probably isn’t worth keeping. Therefore, to deal with all the clutter, it is time for your company to draft and implement a policy on what kind of data it should keep, what should be disposed of, and when.
Much of the data mentioned here is digital data, so this covers a lot of binary code scattered around your computer storage system. There is a why, what, how, where, when and who in terms of destroying your data to prevent clutter and unnecessary disorder. By picking the right data to destroy, and by destroying data responsibly and properly, you could save your organization money in storage costs.
Removing surplus data stored on your systems involves processes that are final and permanent. This destruction is intended to be permanent in order to prevent data breaches and theft that may happen at any time.
The Crucial Need for Consistency
It is very important for every person in your organization to follow a uniform and consistent policy in data destruction. This kind of policy is very useful when facing litigation. Following a steady and constant policy to destroy data will help minimize fishing expeditions by third parties as well. The “safe harbor” protection of the Federal Rules of Evidence can be availed of if you have a regular business process for data destruction, should any litigation arise for your company. Every situation differs in its own way, but it is vital for managers to know that safe harbor protections can be availed of. This way, your tech attorney can get the most out of the safe harbor protection that your business needs.
It is likely that a data retention policy is already in place in your line of business, so the second part of your policy should already integrate the data destruction clauses. You are at an advantage if your business has a clear data retention policy because this way, you will know exactly what data is stored, where it is stored, and what data to keep or get rid of. It is helpful to map out the process by which data is stored so that you will have a clear idea of how to go about the process to destroy data.
For media that is retained and circulated within your company, and for data that leaves your internal systems, policies should exist on how to deal with both. A general rule that should exist through all the departments is that it is not enough to delete or overwrite data, even if it is only circulated and used internally. In cases where media is reused, the data destruction policy must be different from the one applied when data leaves the company systems.
Processes must be put in place whereby your organization completely obliterates old data, validates that the file is gone and that the media in question can be reused, and finally documents the entire process once it is completed. Only when you complete these steps can stored data to be reused be released again.
It gets harder when considering the information that leaves your company systems. When destroying old media or when reselling the same to a third party, additional processes in data destruction should be added to the data destruction policy. This has to cover the complete removal or purging of information, and maybe even the physical destruction of the same media.
When Data Destruction is Enough
Depending on the type of company you run, certain levels of data destruction can be applicable to fulfill your company needs. For instance, maybe your company is one that does not always keep too much digital data, or hardly relies on it, so simple deletion or overwriting is probably good enough for you. However, there are some companies that require complete pulverizing, shredding, and incineration of data to prevent breaches or other threats.
To find out what steps should be taken, and to what extent data destruction should be carried out in your organization, you would have to refer back to the nature, rules, and regulations of your business. Many industries are already regulated by law and have to follow certain requirements. Some laws may require you to keep your data for certain periods of time. Some may require you to have periodical data destruction events. Check out your policies and your type of company to find out more about how to treat your data.
If your business is not closely regulated and you are still in the dark about how to create a data destruction policy, there are some existing standards that you could adopt. For instance, the United States Department of Defense has a pretty solid standard for data management and destruction. There are also local and international standards that you can check out to guide you.
Upon reviewing these laws and regulations that are applicable to your situation, you may need to add additional steps and processes that suit your company needs. This may include the step to classify each kind of data in your system, and rules on the management of the same. This way, you will know what data can be removed and what has to stay. This is also useful for companies that have classified information and trade secrets to protect. By classifying your data, you can regulate the controls on the use of that data, as well as increase the protection of that same data from compromises.
Teach, Confirm, and Monitor
Always remember to review your company contracts that you have with other companies so that you are sure to know all that is at stake when you decide to implement a certain data destruction policy. For instance, some contracts may specify non-disclosure agreements and data destruction processes to be applied which your company will have to comply with.
Teach your employees about the policy and how they can follow it. This is vital for the media that is being sold or recycled within your organization. Do samplings on different levels of destruction to further improve your processes. If you are doing in-house data destruction, be sure that all the equipment and software involved is in proper functioning order.
Remember to always document the whole data destruction policy and process so that you have a clear record of what was removed, what was maintained, and what can be improved. As you begin to implement your policies, you will find that you will gradually beef up your processes and policies to fit your company’s needs.
Lastly, always schedule a monitoring process to check on the status of your policy implementation. See if you are effective in some areas and find out the areas that need improvement. Overall, you will gradually create a data destruction policy that will match your company needs.