It is almost a year since the General Data Protection Regulation (GDPR) came into force. It has had a major impact on business behaviour, especially on marketing, which has become more conscientious. It has also affected consumers, who may be frustrated by having to opt in to emails, continually accept cookies and confirm acceptance of privacy rules.
Since the GDPR came into force, over 95,000 data breaches have been reported across the EU, and data problems remain a hot topic of discussion, as do fears of accidental GDPR non-compliance.
The GDPR remains a constant challenge for businesses. Organisations generally handle compliance well for devices that are still in use, but when a device is replaced, they overlook the secure erasure of the data stored on it. This can catch organisations out.
It is easy to forget about old devices. When providing a new phone or laptop, the concern is to get the new device working well rather than to worry about what happens to the old one. Old devices commonly end up in a bottom drawer or an old cupboard, where they gather dust until they are sent to the local dump sometime later.
This method overlooks the danger of housing a potentially serious GDPR threat, and the unrealised value hidden within a pile of old hardware. It takes minutes to securely erase these devices. Considering the results of GDPR non-compliance, the risk of holding onto replaced devices is not worth taking, especially when there is a profitable alternative.
There is an important distinction between deleting data and securely erasing data. Simply deleting data leaves the underlying data in place, so a third party can recover it. Secure erasure destroys the data so that it cannot be recovered.
A threat of GDPR non-compliance arises from Article 17 of the GDPR, the right to erasure. Organisations must be able to prove that they can remove data properly and permanently, so the difference between deletion and erasure is paramount. In addition, criminals can recover deleted data from discarded devices and put it to use, giving rise to personal data loss, and perhaps financial fraud.
Data leakage can expose businesses to a massive penalty. According to Article 83, a violation can result in a fine of up to €20 million, or 4% of an organisation’s total annual turnover from the preceding financial year, that is, €40,000 for every €1M of turnover. It is still early days, and many of the reported breaches await a decision on penalties.
Further information about reported data breaches around the EU and particularly Malta will be discussed during the GDPR: One Year On Conference being held on the 5th June at the Intercontinental Hotel in St Julian’s.