Organisations often focus their efforts on protecting ever-growing volumes of data, but sometimes it is more sensible to have an effective data-decommissioning strategy: data you no longer store is data you no longer need to protect.
For decommissioning to be effective, however, it needs to follow defined guidelines and secure data-destruction and media-sanitisation procedures. There are legal as well as technical considerations an organisation needs to check before destroying data. Some of these are:
The legally prescribed minimum retention period for data, which varies by sector and by contractual obligations; this is especially pertinent in the health and financial services sectors.
The evidential value of some historic data, which may be needed if a legal dispute arises between a service organisation and its clients; the insurance industry is a good example. This is usually a judgement based on a business risk assessment rather than on any formal legal requirement.
On the technical front, careful procedures need to be followed to ensure that sensitive data is properly destroyed and its storage media sanitised, using a method appropriate to the media type, before the media are repurposed, the recovered storage space is released to other applications, or the equipment is disposed of or sold. A logical overwrite that is adequate for a magnetic disk, for example, may leave recoverable data in the spare and remapped cells of a flash drive, which is why drive-level sanitise commands and physical destruction remain part of the toolkit.
Finally, testing and assurance activities should be carried out to gain confidence that the decommissioned data is irrecoverable, for example by sampling the sanitised media and confirming that none of the original data can be read back.
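The sampling check described above, as an added example that is not part of the original article: the script plants a constructed marker record across a file that stands in for a storage device, overwrites it with zeros, then reads the first block, the last block and a random sample of blocks and reports whether every sampled block is all zeros (or, after a random-pattern overwrite, close to 8 bits of entropy per byte) and free of the known marker. The function names, the 4096-byte block size, the 64-block sample and the 7.5-bit entropy threshold are assumptions chosen for illustration. Note that reads through the logical block interface can only verify the logical address space; they do not reach the over-provisioned or remapped cells of a flash drive, so for SSDs this check complements, rather than replaces, the drive's own sanitise command.

```python
"""Sampling-based check that a storage image has been sanitised.

Added example, not from the original article. It operates on an ordinary
file standing in for a block device; names and thresholds are assumptions.
"""
import math
import os
import random
from collections import Counter

BLOCK_SIZE = 4096          # assumed sector/block size for sampling
RANDOM_ENTROPY_MIN = 7.5   # assumed threshold (bits/byte) for a random-pattern wipe


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or constant data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def make_sample_image(path: str, size: int, marker: bytes) -> None:
    """Constructed stand-in for a device holding sensitive data: the marker is
    repeated across the whole image so that any sampled block would expose it."""
    with open(path, "wb") as f:
        f.write((marker * (size // len(marker) + 1))[:size])


def sanitise_zero(path: str, block_size: int = BLOCK_SIZE) -> None:
    """Single-pass zero overwrite of the whole file, flushed to stable storage."""
    size = os.path.getsize(path)
    zeros = bytes(block_size)
    with open(path, "r+b") as f:
        written = 0
        while written < size:
            chunk = min(block_size, size - written)
            f.write(zeros[:chunk])
            written += chunk
        f.flush()
        os.fsync(f.fileno())


def verify_sanitised(path: str, markers=(), mode: str = "zero", samples: int = 64,
                     block_size: int = BLOCK_SIZE, seed=None) -> dict:
    """Read the first block, the last block and `samples` randomly chosen blocks
    and report whether all of them look sanitised.

    mode="zero":   every sampled byte must be 0x00 (after a zero overwrite)
    mode="random": every full sampled block must have high entropy
                   (after a random-pattern overwrite)
    Any occurrence of a known marker in a sampled block fails the check.
    `seed` makes the sample reproducible for demos; leave it None in practice.
    """
    size = os.path.getsize(path)
    n_blocks = max(1, math.ceil(size / block_size))
    rng = random.Random(seed)
    chosen = {0, n_blocks - 1} | {rng.randrange(n_blocks) for _ in range(samples)}
    result = {"blocks_checked": 0, "nonzero_blocks": 0,
              "low_entropy_blocks": 0, "marker_hits": 0}
    with open(path, "rb") as f:
        for idx in sorted(chosen):
            f.seek(idx * block_size)
            block = f.read(block_size)
            if not block:
                continue
            result["blocks_checked"] += 1
            if any(block):                      # at least one non-zero byte
                result["nonzero_blocks"] += 1
            # Entropy is only meaningful for full-size blocks; a short tail
            # block cannot reach 8 bits/byte even when it is truly random.
            if len(block) == block_size and shannon_entropy(block) < RANDOM_ENTROPY_MIN:
                result["low_entropy_blocks"] += 1
            result["marker_hits"] += sum(block.count(m) for m in markers)
    if mode == "zero":
        clean = result["nonzero_blocks"] == 0
    elif mode == "random":
        clean = result["low_entropy_blocks"] == 0
    else:
        raise ValueError(f"unknown mode {mode!r}")
    result["clean"] = clean and result["marker_hits"] == 0
    return result


if __name__ == "__main__":
    import tempfile
    marker = b"PATIENT-RECORD-0001;DOB=1970-01-01\n"   # constructed sample data
    fd, path = tempfile.mkstemp()
    os.close(fd)
    make_sample_image(path, 1 << 20, marker)
    print("before wipe:", verify_sanitised(path, markers=[marker], seed=1))
    sanitise_zero(path)
    print("after wipe: ", verify_sanitised(path, markers=[marker], seed=1))
    os.unlink(path)
```

Run against a real device the same function can be pointed at the block-device path (with appropriate privileges), but a passing sample is evidence, not proof: it says nothing about blocks that were not read, nor about media the logical interface cannot reach.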
Ultimately, every organisation that stores large amounts of data needs a mature data-governance strategy and the technical and administrative means that underpin it.
The full article on CyberSecurityHub explores this discussion further.