Should you Destroy Your Data on or off Site?
While there is no law yet stating whether data should be destroyed on or off site, there are many legal requirements that must be followed when keeping and destroying data.
There are two main requirements under the Data Protection Act that are relevant here:
- Data must not be kept longer than deemed necessary. For example, your company business accounts should be kept for six years plus the current year you are in, then destroyed.
- Current or obsolete data must be kept securely, with appropriate measures put in place to prevent unauthorised access.
So what happens when your data, or the media it is stored on, becomes redundant? Compliance is the key here! Electronic data must be securely wiped or destroyed. Employing an accredited third party company that can certify the destruction is the best practice to adopt. Plus, they are qualified and insured for this type of work, keeping you compliant with the law.
Your obligations, however, don’t stop at just employing a third party company. It is your obligation to make sure the company you are using is properly accredited and insured for this type of work.
So this leads us to the title of this topic: should you destroy data on or off site? Well, as stated, there is no law yet stating one way or the other. Offsite destruction is always cheaper, as it takes fewer man hours, and as long as you use the correct company there will be no problems. Onsite destruction, although more expensive, means you can physically watch it being done. The data doesn’t have to leave your premises, which for some organisations with highly sensitive data is company policy, and it also brings peace of mind.
The only other thing you have to consider is whether this is done by software-based wiping or by physical destruction. Software-based wiping is much better for the environment, as the drive can be reused. Physical destruction, albeit less environmentally beneficial, means that your data is 100% destroyed.
There is one final, very important thing to note. Data breaches, regardless of whether the data is live or redundant, can carry fines of up to £500,000. This fine will soon be replaced by the new General Data Protection Regulation (GDPR), which carries fines of up to 20 million Euros or 4% of the total annual company/group turnover, whichever is higher.