Data destruction: Top Ten Tips for avoiding fines and reputational risk

'Out with the old and in with the new' may seem simple enough, but when disposing of old IT equipment, organisations and businesses need to be very careful to avoid facing hefty fines. In April 2013, the Information Commissioner's Office (ICO) will detail it plans for data protection practices of the private sector, with particular attention to SMEs. Companies risk massive fines, reputations and even their business if they ignore the guidelines on secure storage and disposal of confidential information. In order to secure your business and comply with ICO regulations, Simon Brailsford of Advanced Digital Dynamics Ltd offers these necessary steps to avoid any costly mistakes:

• Brush up on the difference between onsite and offsite destruction. Offsite methods increase the risk of losing data before it can be destroyed, whereas onsite methods enable you to stay close to the process and minimise risk.
• Beware of "free recycling" services. Reputable service providers will recycle redundant equipment or sell it on for re-use, and any value realised can be offset against the costs of data destruction and disposal. With an unconditionally free service it is difficult to prove your duty care and due diligence.
• Put someone senior in overall charge of the process, who can bring together relevant departments and allocate responsibilities, and who understands the consequences of poor security procedures.
• Run regular staff training for key people on information security procedures. If necessary bring in specialists to advise.
• Be mindful of data classifications. Aggregation and accumulation of data often occurs at the disposal stage where assets of all types are merged together, and it is then impossible to distinguish between lower and higher risk types of data.
• Ensure you accurately itemise and identify all equipment marked for removal and its data bearing status; this should be agreed at the point of sign-over and transfer. Maintain detailed records so that, if required, you can provide full end to end traceability.
• Be vigilant about where any redundant equipment is stored before proper disposal. Stacking PCs in a corridor potentially leaves your accountability in tatters so ensure that access is secure and controlled.
• Don't be tempted to accelerate the process by removing hard disks before the specialists take over, as these must be tied up with serial numbers on the originating asset to fulfil traceability requirements.
• Be extremely diligent when checking third party credentials and ensure that you are confident about their systems and their personnel. Remember you are still liable for their actions.
• Have robust service agreements in place and carry out regular audits; this will demonstrate that you have carried out your due diligence.