The potential of data lies in the ability to transform raw, unclassified information into actionable insights that drive efficiency, value, and innovation across all business sectors. Organizations that leverage data serve their clients, stakeholders, and customers more efficiently and uncover opportunities to stay ahead of competitors.
Despite its advantages, data brings equal, if not greater, challenges. The biggest challenge is managing data without violating the obligations set forth by regulatory frameworks like EU-GDPR, HIPAA, PCI-DSS, etc., which require responsible data handling from the collection stage through to disposal. It is important to note that most data protection laws, like EU-GDPR, PIPEDA, POPIA, PDPL, etc., mandate lawful, limited, and justified processing of data, and grant individuals the right to have their personal information deleted, erased, or destroyed.
The businesses that fail to comply with data protection laws have to pay hefty fines, struggle with operational downtime, lose customers, and face reputational damage. Does this mean that businesses must avoid collecting customer data at all?
Businesses accumulate data to operate without interruption, improve their products and services, and identify the needs of their customers. However, they often unintentionally hoard unclassified information, which creates data security issues and violates the data protection principles of the governing laws. Storing excessive data beyond its retention period not only increases cybersecurity risks and total operational costs but also consumes significant energy, depleting non-renewable resources and adding to environmental challenges.
Customers are not against an organization utilizing their data; what they expect of a business is that it does not jeopardize the privacy of sensitive information. According to the 2023 Consumer Sentiment Report by Veritas Technologies, 47% of consumers said that they would not buy from a business that intentionally causes environmental damage by storing unnecessary or unwanted data. So, data is essential for businesses to make informed decisions; however, it must be managed responsibly. Unauthorized, unnecessary, or excessive data, Redundant, Obsolete, Trivial (ROT) data, and data that violates data protection principles all pose risks and must be erased with proof of data destruction.
Understanding South Africa’s Protection of Personal Information Act (POPIA)
The Constitution of the Republic of South Africa, in Section 14, grants everyone the right to privacy. This right includes protection against the unlawful collection, use, retention, and dissemination of personal data. The country’s data protection law, the Protection of Personal Information Act (POPIA), recognizes the significance of this right and aims to regulate the processing of personal data while protecting it. An organization that fails to fulfill the conditions for lawful processing or to uphold the rights of data subjects, such as performing erasure or de-identification of the requested information, is in breach of the Act. A Magistrate’s Court can impose an administrative fine of up to R10 million, and offenders may also be imprisoned for between 12 months and 10 years.
Organizations must realize the significance of the role of data erasure in maintaining data protection to avoid penalties.
How Can Businesses Comply with Data Protection Laws and Yet Stay Ahead?
Businesses must adopt a proactive approach to managing data that covers collection, handling, storage, and disposal. Organizations must craft clear data management and destruction policies with guidelines on data classification, security controls, data retention, and procedures for retiring data once it has served its purpose. The policy should also specify methods of data destruction for different device types, following the NIST SP 800-88 Rev. 1 guidelines for media sanitization.
Here is how businesses can stay ahead and comply with data protection regulations while avoiding vulnerabilities:
- Securely Erase Data: An individual’s Personally Identifiable Information (PII) includes name, email ID, contact number, etc., along with financial details, which, if compromised, can violate their privacy. Destroying data ensures this sensitive information stays out of reach of malicious attackers. Software overwriting tools like BitRaser usually perform Secure Erase (SE) or Cryptographic Erase (CE) to erase data from modern drives like SSDs, after which even forensic data recovery tools fail to retrieve it.
- Regular Audits: Regular audits help businesses identify ROT data, which, when properly disposed of, reduces the risk of data breaches. POPIA requires public and private organizations to handle the journey of personal data from collection to destruction in a lawful and reasonable manner. By permanently erasing this information once its purpose has been fulfilled, consent has been revoked, the retention period has expired, and/or the organization no longer has authorization to process it, organizations achieve compliance with the Act. BitRaser Data Eraser wipes data from servers, smartphones, laptops, Mac devices, etc., and automatically produces detailed erasure reports and certificates of destruction. These documents support audits and serve as proof that erasure was complete.
- Conduct Employee Training: Training employees to understand data protection laws and the importance of secure data management helps build a cybersecure workplace. Employees must be made aware from the outset of the classification of data into public, internal, confidential, and sensitive categories to ensure adherence to data protection principles. Additionally, staying up to date with changing regulatory frameworks helps an organization gain the trust of its customers, stakeholders, and partners.
- Promote Reuse and Save Carbon Emissions: Data erasure by software overwriting leaves devices intact, enabling reuse and repurposing while avoiding the carbon emissions and energy consumption involved in manufacturing new devices. Physical destruction methods, such as shredding, degaussing, burning, incineration, or disintegration, not only destroy the device but, if performed incompletely, may still leave data recoverable. Organizations should choose data erasure over device destruction.
- Contribute to the Circular Economy: The Global E-waste Monitor Report 2024 projects e-waste generation to reach 82 billion kg in 2030. According to WasteAid, 360,000 tonnes of e-waste are generated annually in South Africa. Giving IT assets new life by erasing their data embodies the principle of a circular economy by prolonging their lifespans. This prevents the generation of more e-waste and enables continued use and reuse of the same devices without endangering the safety and privacy of confidential data.
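The audit and reporting step above depends on verifying that sanitization actually completed and recording the result. The following is an added example, not BitRaser code or any vendor's tool: it streams a sanitized medium to confirm a full-media zero-fill (the read-back check NIST SP 800-88 calls full verification after a Clear or block-erase) and produces a tamper-evident erasure record. A constructed temporary file stands in for the block device, and the asset identifier is a placeholder.

```python
"""Post-erasure verification and erasure record (added example, not vendor code)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read the medium in 1 MiB pieces

def verify_zeroed(path, sample_bytes=None):
    """Return (all_zero, bytes_checked, first_nonzero_offset) for the medium at path.
    Applies to overwrite/block-erase results that read back as zeros; after a
    Cryptographic Erase the drive may return pseudorandom data instead, so this
    zero check is not the right verification for CE."""
    zero = bytes(CHUNK)
    checked = 0
    with open(path, "rb") as f:
        while True:
            buf = f.read(CHUNK)
            if not buf:
                break
            if buf != zero[: len(buf)]:
                idx = next(i for i, b in enumerate(buf) if b)
                return False, checked + len(buf), checked + idx
            checked += len(buf)
            if sample_bytes and checked >= sample_bytes:  # optional spot-check mode
                break
    return True, checked, None

def erasure_report(device_id, method, path):
    """Build the audit record; the SHA-256 lets an auditor detect later edits."""
    ok, checked, bad = verify_zeroed(path)
    report = {
        "device": device_id,  # serial or asset tag from inventory (placeholder below)
        "method": method,     # e.g. "NIST SP 800-88 Clear: single-pass overwrite"
        "verified_bytes": checked,
        "result": "PASS" if ok else "FAIL",
        "first_nonzero_offset": bad,
        "timestamp": datetime.now(timezone.utc).isoformat(),
    }
    body = json.dumps(report, sort_keys=True).encode()
    report["report_sha256"] = hashlib.sha256(body).hexdigest()
    return report

def make_medium(size, residual_at=None):
    """Constructed stand-in for a drive: all zeros, optionally one leftover byte."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.truncate(size)
        if residual_at is not None:
            f.seek(residual_at)
            f.write(b"\x41")
    return path
```

A FAIL record with the first non-zero offset is what tells an operator the sanitization must be repeated before the asset leaves custody.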
Conclusion
Organizations need to recognize that they are responsible not only for preventing data breaches but also for safeguarding customers’ personal data at all times. Data erasure, whether at a person’s request or because the data has served its purpose or exceeded its retention period, is a preventive, necessary, and mandatory form of data protection that organizations would do well to adopt sooner rather than later.