INTERVIEW | Fredrik Forslund: The importance of data erasure for enterprises today

What’s the difference between data deletion and erasure?

A thesaurus may tell you that deletion and erasure are the same, but knowing the difference is vital for businesses that want to stay on the right side of GDPR regulation. Deletion simply frees up hard drive space to be used again, but the data isn’t overwritten—this is what happens when we drag a file from our desktop to the Recycling Bin.

However, data erasure, or sanitisation, is the process of deliberately, permanently and irreversibly removing or destroying the data stored on a memory device to make it unrecoverable. It’s not only desktop PCs, laptops and servers that may need to be sanitised—mobile devices, wearables, medical devices and infotainment systems may also store sensitive data.

We’ve been shocked at how many who should know better do not know the difference: When asked, a worrying 56% of senior data centre staff believed that a quick reformat was all that was needed to permanently erase all data.

We also revealed other concerns through our own investigation. We found that one in every twenty hard drives for sale on eBay, despite claiming that proper data sanitisation methods had been performed, held sensitive, personally identifiable information. The worst example was that of a drive purchased from a software developer with “a high level of government security clearance”. It contained scans of family passports and birth certificates, CVs, financial record and university student papers and associated email addresses.

How do you know if data has been erased?

A common way that businesses deal with this issue is through destruction, many believe that in order to know if data has been erased, they have to destroy the equipment. Large mechanical shredders can take hard drives, laptops and smartphones and rip them apart, destroying the data along with the device. This is wasteful and expensive.

We’re also seeing businesses adopt degaussing, essentially using a powerful magnet to remove data from magnetic media.

This works with tape and hard disk drives but does nothing to flash drives and increasingly common solid-state drives (SSD). It’s crucial to have the data erased by specialist software or hardware, that can process both magnetic storage media as well as SSD drives to sanitize the data and make it unrecoverable.

Whatever solution is used, it’s important that it meets relevant data privacy regulations and produces a digitally signed certificate of proof of erasure. That way, an audit trail is provided.

What effect has regulation had on how businesses approach this issue?

Data used to simply be an asset—but now it’s also a liability. The act of holding it carries risk for organisations today. The General Data Protection Regulation (GDPR) has redefined the way organisations with a foothold in Europe must manage data, and anyone who was blasé about these rules should start paying attention. The honeymoon period is certainly over, with BA and Marriott being fined almost £300m in recent months.

And the EU isn’t alone. The California Consumer Privacy Act (CCPA) is designed to protect the privacy rights of Californian consumers, while Brazil and Thailand have passed laws that are similar to GDPR, due to come into force in 2020.

These regulations have had a paralysing effect on organisations that store data onsite. Faced with faulty or obsolete drives and other IT equipment, they’re simply letting hardware pile up, rather than risk returning it to the manufacturer and breaking the rules—a problem which can be solved with proper data processes.

Why isn’t erasure a core procedure for all enterprises?

There is an awareness around the demands of GDPR, but a lack of knowledge around best practice.

Organisations know what they need to do, but they don’t know how to achieve it. Enterprises, data centres and even mobile operators are in need of education, and this problem is compounded by being buried by other priorities.

Businesses are often focused, understandably, on ensuring business continuity.

Establishing well-planned projects to look at data issues—and to understand why useless hardware is piling up—tends to move down the priority list. Plus, there is often a disconnect within the organisation and it’s already challenging to educate the operational team on compliance tasks, when there are many other priorities happening across the business...

It’s best practice to bring these teams together more closely.

By making this a shared task with the operations and compliance teams, organisations will create a deeper understanding of the importance of data security. Over time, the operational team can become data stewards.

Do you have any tips on how organisations can streamline and optimise data erasure?

The first step for any organisation is to truly understand the data in their possession—the reality is that most do not. It’s vital to regularly review what exists in order to make key decisions about the data that truly holds value to the business, and what is a liability with no real value. The latter can – and should – be erased.

The Global Databerg report found that that only 15% of the average company’s data is considered business critical. Of the rest, 33% is redundant, obsolete or trivial, and 52% is unclassified and holds no value.

Clearly, there is a huge amount of data in company’s possession that can be erased so getting the house in order and fully understanding what’s in an organisation’s possession, should be the first step.

Why should data sanitisation be on the board room agenda?

It is estimated that the average cost of data breaches will reach more than $2.1 trillion globally by 2020.

Regulators aren’t going to become more lenient over time—if anything, they’re likely to get tougher as businesses fail to protect their customers. And with fines as high as 4% of revenue, a data blunder could spell the difference between profit and loss.

Data is often described as the new oil: the most valuable commodity an organisation, enterprise, mobile operator or brand can own. But crude oil straight out of the ground isn’t useful—refined oil is. And data sanitation is one way to refine that oil as clean as possible. It’s a crucial process, which will help protect businesses.

Regulation, compliance, breaches and fines all make this a boardroom consideration. Without making this a priority, businesses are running huge risks that could overshadow every good decision they make.