May this year saw the first anniversary of the introduction of the GDPR. The Information Commissioner’s Office has now made its first school audits available for public viewing and its comments show that while schools are generally doing all right with the GDPR so far, more will need to be done as the restrictions tighten over the next couple of years.
Reported data breaches are up by 15% across the board since the GDPR’s introduction. The GDPR requires all organisations to report any breaches within 72 hours of discovery, which could be why reports have increased so drastically, but there’s no question that data safety is becoming an ever-pressing issue in today’s society.
Schools house masses of sensitive data, and must therefore have robust, thorough processes in place for data security and destruction to ensure the safety of their students and staff. All items held by schools, including children’s reports, staff personnel files and attendance records, must be disposed of after a specified period in as safe a manner as possible. Simply deleting files, or even smashing computer hard drives, will still leave sensitive data exposed to malicious actors.
To remain fully GDPR-compliant when disposing of old IT equipment, it’s highly advised that schools follow a three-step data destruction process:
1. Wipe disks
This is an effective first step towards removing sensitive data from old IT equipment intended for reuse. Deleting data from a disk will render it largely inaccessible to users, but the data itself will remain on the disk until it’s eventually overwritten by new data. Secure deletion applications can be helpful here (Eraser on Windows, Permanent Eraser on Mac), but it’s advisable to subject highly sensitive information to more rigorous destruction techniques.
2. Degauss
The process of deguassing involves passing a powerful magnetic field over the disk of the hard drive to scramble the data contained within it, denying would-be cyber criminals any means of accessing the files once held on the drive. Every trace of data will be eradicated, including the manufacturer’s servo control data that a hard drive needs in order to function. As a result, hard drives that have been degaussed cannot be reused.
3. Hard drive shredding
The final step of ensuring that data can never be recovered from old IT equipment is to physically shred disks and hard drives. If a degaussing process isn’t completed successfully, partial traces of data can be left behind, but shredding items to 2mm particles will effectively render both the item itself and the data wholly unrecoverable.
A fully compliant data destruction provider should be able to issue a certificate of destruction you can file alongside your data protection records, to prove that the information has been destroyed in full compliance with the GDPR – it will also be useful to produce this during your next ICO audit.
Glen Belfield is the director of Bioteknik – a Canterbury-based IT disposal and data destruction specialist.