Last reviewed 3 January 2020

When computers and other devices are replaced, the data they contain must be erased. However, often sensitive information can remain. How should all small business owners manage data destruction? Dave Howell reports

The data that all businesses now collect manipulate and store is a precious commodity. Having a robust and comprehensive policy when data must or needs to be deleted is critical. Post-GDPR, the right to be forgotten is vital to uphold. And as more data is now moving to cloud services and onto increasing numbers of mobile devices, data sanitisation is a core component of all business processes.

Says Enza Lannopollo, Senior Analyst, Security and Risk, Forrester: “When it comes to data deletion, it's really a different world today. I like to say that GDPR reminded everyone that data is not only an amazing asset for organizations of any size, but it is also a liability. Until now, firms have operated under the assumptions that data volume was the most important thing: they would collect and store as much as possible. Deleting data was really not an option.

Lannopollo concluded: “Firms must shift their mindset about data deletion. Ultimately, only data that is covered by a specific purpose and that it is actionable, or somehow useful, is worth keeping. This is not to say that data volume is not important today. The contrary is still true. However, companies must develop a risk-based approach in their data management decisions. Refusing to delete data means increasing considerably risks of fines, breaches, customers' and employees' complaints, and increasing costs related to managing that data. Firms must measure the benefits of storing data endlessly against all these risks.”

Customer privacy is now a key differentiator in all marketplaces. Trust has to be protected, as consumers share what can be highly sensitive information with businesses. Ensuring this data is safe and secure is one component of good data policy, but robust and comprehensive data destruction must also be at the core of these policies.

Safe and secure

To gain an insight into how data destruction policies should be created and then implemented, Croner-i: Small Business Essentials spoke with Simon Evans, CTO at Amido – a cloud integration consultancy and began by asking: Do we have any idea of the quantities of sensitive data on discarded digital devices?

Evans responded: “No; but in the last five years alone internet users have increased by more than 82% and, Gartner [] anticipates that data volume is set to grow 800% by 2022, with 80% of it residing as unstructured data.”

What are the critical components for a robust data destruction policy?

“Even as a cloud-native and multi-cloud approaches to services becomes the new norm, having a data sanitisation policy is paramount as data is still stored on servers. Also, the format in which the data is saved is essential, as proprietary formats can change, thereby leaving data in a useless state. Choosing the right format is important. The same consideration must be made for media storage types.

“The three key pillars to a robust data policy are: Data deletion, data retention and data archiving. Knowing how long you must keep the data as a business and abide legislation is important. Categorising and encryption will ensure data security as well as knowing what data to retain and delete (monitoring and maintenance). Adding a layer of analytics inclusive of ML (Machine Learning) will enable data mapping of structured/unstructured data to help with fast and efficient data taxonomy, inclusive of file types and data location - which is essential to access control (authorisation) of the data.

“This is important in data lake scenarios, where access to sensitive data stored within the lake needs to be managed (usually for internal staff). Levels of access such as PAM (privileged access management) and separation of duties are vital so that only the employees with the appropriate level of access can get to sensitive data in the lake.

“A data lake is the source of data for Machine Learning which is encrypted. However, you will still have certain staff who have access to the data, and this must be managed through IDAM (Identity Access Management) and the use of PAM (privileged access management). Access control as provided by an IDAM solution and anonymisation of data. You don't anonymise the source data in a lake though, that's why you need to provide the appropriate access control through identity.

“Data Deletion has three possible scenarios: Degaussing, overwrite, or complete physical destruction.

“Businesses need to consider all three to be sure of complete sanitisation, especially in the world of the cloud. Overwriting may not get the job done but, fielding off data to a certain server for it to be degaussed (magnetised) is an excellent option. Finally, because technology is ever evolving, overwriting or degaussing may not also get the job done because of the product used. This is why complete physical destruction is also necessary.

“Degaussing can offer an alternative; this method uses a powerful magnetic field that neutralises the "orientation" of the magnetised particles that make up the writeable surface of storage media. This method is typically used for erasing in bulk when media will be reused and must be free of retrievable data.”

Are small businesses, in particular, guilty of a low-level of data sanitisation?

“Since the cloud, there is less likely a chance of small businesses leaving sensitive data on laptops or USBs. Also, remote wipe functionality is extremely useful in these scenarios. However, businesses of all levels must protect and include a data policy owing to GDPR as well as other legislation pertaining to specific industry sectors. Also, the format in which the data is saved is important as proprietary formats can change, thereby rendering data in a useless state, so choosing the right format is important. The same consideration must be made for media storage types.”

Has GDPR highlighted the need for more comprehensive data management processes, which include data destruction?

“Yes. GDPR is a hot topic and, will continue to be for the foreseeable future. But there are still a lot of businesses that are grappling with the new data privacy regulations. In my view, there are two major camps in the B2B space that companies fall into regarding data privacy regulations — businesses that put their customers at their centre of the universe, and ones that do not.

“If you do, then chances are you've always treated privacy and consent with the kind of respect that end-users would expect. The other kind of business doesn’t put the customer first and treats GDPR as a legal loop they have to jump through. Their data privacy emails purely exist as legal cover that unfortunately misses the spirit of GDPR, which is all about trying to ensure that the customers are in control of how their data is used.

“The first camp has probably already embraced a lot of what GDPR is about – before it even existed. However, there are customers we work within the second camp who want to embrace the spirit of GDPR and deal with consent constructively.

“It's important to understand the purpose of collecting customer data before you start receiving it. As for the customer, they need to understand the value proposition of giving up their personal data. And they need to make their own decision as to whether or not they are willing to provide it to get its benefit, which could be more personalised product recommendations (that some customers want while others do not).

But as long as the value proposition is made clear to the customer – why that information is being collected and for what purpose – and they’re able to consent their way out of it if they choose to, then it’s a useful service for the customer.

With more digital devices able to store more data (much of it personally sensitive information) what does the future look like for data sanitisation?

“It will be critical for enterprises to build a usable data lake in their organisation as they continuously deploy cloud services – so data sanitisation and policies around it have never been more crucial.

“To handle this, adding in an intelligent set of discoverable, metadata-tagged data from all systems, devices and services to extract value from the terabytes of structured and unstructured data generated each day will enable them to run analytics, business intelligence, ML and AI, and gain vital insights into new efficiencies to gain a competitive edge, be compliant and ensure data security, retention and sanitisation.

“Compared to a traditional data warehouse approach, a fundamental principle of data lake architecture is to provide a place to land all the raw data without transformation or loss, so that any transformations on the data can be replayed at will. The challenge with this approach in an enterprise is maintaining a level of control over the landing of the data so that the volume and veracity don't become overwhelming or turn into a data swamp.

“By utilising Lambda architecture, businesses get the benefit from being able to use streaming data to report in near real-time, offering almost immediate visibility of important events; a significant step-change from the traditional data warehouse approach where you'd have to wait 24 hours. Companies then need to apply a pragmatic approach to making sense of the data such as storage taxonomy, curating data workloads through classification, for example, data security and who has access to it (IdAM) as well as data science tooling to help data scientists create/apply good equations to the data lake to improve future analysis.”

Data policy

According to, 68% of businesses have failed to wipe the data from IT equipment they have disposed of following GDPR. This news is perhaps less surprising given the research also found that 70% of businesses do not have a formal process or protocol for disposing of obsolete IT equipment.

What's more, 66% of workers admit they wouldn't even know who to approach in their company to correctly dispose of old or unusable equipment. Worryingly, according to the data, transportation businesses – many of which will have customer and client addresses and contact information on their systems – are the most-guilty of this with 72% of these types of businesses have been guilty of this in the months following GDPR.

Businesses within sales and marketing (62%) - many of whom will also have access to public data – were the second most guilty of this.

The protection of sensitive data will always be a top priority for all businesses, no matter their size. However, destroying data when this is needed, is also a core competence every enterprise should have a clearly defined policy. As regulation will continue to tighten, and consumer tolerance for data breaches reducing, if your business does not have a formal data destruction policy, now is the time to act.