Data center operators and IT teams are tasked with keeping operations running smoothly while balancing priorities such as governance and control of resources, orchestration, and scale, as well as compliance and technology updates. Managers are also on the line for obeying laws and regulations related to data privacy and data disposal. Not only do 32 states across the U.S. already have laws regulating data disposal, but the implementation of the EU’s General Data Protection Regulation (GDPR) in May 2018 adds more complexity to the role of data center operators. Companies must now “self-police” not only to avoid fines but also to protect their customers’ right to secure personal information.
This post focuses on how enterprises must address U.S. data-disposal laws and the methods they can use to ensure data is securely and irretrievably removed from IT assets, meaning obsolete customer data can be certifiably removed with ease. One thing is clear: today’s consumers are much savvier about how their data is being used (or misused), and the GDPR reflects that fact. Let’s start with the laws in the U.S. and how data center operators play a big role in keeping their organizations from coming under scrutiny.
Keep Up With Evolving U.S. Data-Disposal Laws
Many predicted that the GDPR would be the standard bearer when it comes to data privacy, prompting the creation of new laws in the U.S. and around the globe. This view makes sense given the concern over how third-party data is regularly breached and misused by social-media companies such as Facebook. As mentioned previously, more than 32 states have some type of data-disposal regulations for paper and digital data, with 31 of them addressing digital data specifically (Arizona’s data-disposal law applies to paper records only). And in late June, on the heels of the Facebook/Cambridge Analytica data scandal, California passed one of the toughest and most comprehensive data-privacy laws in the country. Due to go into effect on January 1, 2020, the California Consumer Privacy Act of 2018 regulates large companies that handle customer data and holds them accountable for the ways they manage, store and dispose of sensitive data.
Consumers regularly disclose personally identifiable information (PII), whether they know it or not. When they apply for a job or credit card, buy a car or go grocery shopping, they reveal to a company information such as their address, marital status and, in some cases, even where they are (thanks to GPS tracking built into smartphones). The misuse of this data can have catastrophic effects on consumers.
According to the new California law, “the unauthorized disclosure of personal information and the loss of privacy can have devastating effects for individuals, ranging from financial fraud, identity theft, and unnecessary costs to personal time and finances, to destruction of property, harassment, reputational damage, emotional stress, and even potential physical harm.”
For companies headquartered in Missouri, for example, but doing business in California, compliance with the strictest law could mean complying at the same level across operations. Once this law goes into effect, Californians will have more autonomy over data. In fact, part (a) of the new law says:
A consumer shall have the right to request that a business that collects a consumer’s personal information disclose to that consumer the categories and specific pieces of personal information the business has collected.
Companies are now held accountable for the way they manage personal data. This fact is critical to heeding regulations on data disposal and data privacy, as organizations risk large fines and a tarnished brand. Customers can now request that a company delete their personal data at any time and may require proof of erasure.
Data-Asset Management After GDPR
After many years of high-profile data breaches, regulations were clearly needed to protect consumer data privacy. The EU enacted the GDPR to do just that. A complication of this law is implementing the proper data-classification and related data-retention processes that the GDPR “right to erasure” will necessitate.
Also, just to ensure that no sensitive personal information from European citizens is misplaced, misused or leaked in any fashion that could trigger penalties, proper data management in the data center is becoming critical. As mentioned, simply possessing personal data on European citizens subjects a company to the law, so compliance is critical and should be a priority for U.S. companies with a global customer base.
Efforts to protect private data have often focused on asset-life-cycle management: making sure no asset at the end of its life leaves your physically secure environment with data still on it, and ensuring a secure decommissioning process. Doing so requires professional processes for asset disposition. If a service provider performs these processes, you need an audit trail from that provider to gain this assurance. Most businesses have this matter well under control, but if you don’t, it’s a data-security best practice you should consider.
The GDPR, however, goes far beyond managing your assets at this level. Data protection also applies to the asset life cycle, which means you must protect your actual data life cycle. In that data life cycle, you’ll increase your IT security by deploying certified and auditable data erasure at the end of retention periods, after data migration or as part of your day-to-day hygiene in managing classified data or data under compliance.
Article 17 of the GDPR, also called the “Right to Erasure” or “Right to be Forgotten,” mandates that businesses erase individuals’ personal information in several scenarios, including when they ask for it to be wiped. And they must do so without “undue delay,” or else face hefty penalties. Organizations must prove that compliance with this article is a top priority, producing certificates of erasure when requested by regulators.
Knowing the difference between delete, reformat, wipe and other terms versus secure erasure is important. True data sanitization (which includes data erasure, verification and a full audit trail) guarantees that sensitive data is gone forever. Data erasure should occur at many points in the data life cycle and in various situations, including customer demand, equipment end-of-life, data migration and cloud exit, among others.
Before they can ensure compliance with quickly evolving data-disposal and data-privacy laws, data center managers must identify all the assets and operations systems used by the organization. They can employ big data analytics to benefit from greater insights without putting data at risk and/or losing control of it to bad actors. Privacy is as important to your business as customer satisfaction and revenue. Building privacy best practices into every part of the business is a major step to complying with global regulations such as the GDPR and emerging U.S. laws pertaining to data disposal.
About the Author
As Blancco’s Vice President of Cloud and Data Center Erasure, Fredrik Forslund brings over 15 years of experience in IT security and previously founded SafeIT, a security-software company focusing on encryption and selective data erasure. With a keen eye for streamlining corporate IT security and maintaining compliance with data-privacy legislation, he is a thought leader among customers and partners.