Despite GDPR regulations coming into force over a year ago, trying to make sure you are continuously being 100% GDPR compliant can seem like an overwhelming, never-ending challenge. The easiest way to do this is to break it down and go through each factor of GDPR to ensure you are getting each one right. One of the most important aspects of GDPR is destroying data, so how can schools ensure they are compliant when it comes to data destruction?
The confusion about how to destroy data in a GDPR-compliant manner is felt by many SBMs. One SBM recently took to Twitter to ask a question that is likely to resonate with many other SBMs; @stephaniesbm tweeted: ‘’#sbltwitter how do you manage shredding now under GDPR? I understand we have to log the number of each file, who approved disposal, etc. If archive boxes are sent to store labelled when to shred, the site manager usually removes at time of shredding.’
@Taylor007J replied and explained how their school destroys data. ‘We’ve just invested in getting all the archive scanned so now it’s all electronic and accessible. I’ve added DESTROY dates to each folder name for quick reference. All original docs were confidentially shredded by scanning company.”
@Schoolburs also replied, but their school uses a slightly different method. ‘Ours are offsite in storage and destroyed, year-by-year, by the company.”
However, recent updates made by the Centre for the Protection of National Infrastructure (CPNI) raise a number of questions over the effectiveness of third-party document shredding services. Therefore, although both SBMs suggest using an external company to shred the documents, it is important that you know about the official changes in the destruction of sensitive data so that you can ensure you are being GDPR-complaint throughout the whole process of destroying data; in brief, your data is safest if you destroy it yourself and the best way to ensure complete destruction is to use a shredder which cuts thin strips. Read the article for full information on this topic.
Only complete destruction will do
The key to being GDPR-compliant is ensuring that data can be completely destroyed if requested. Toolbox explains this further. ‘As part of respecting the rights of data owners, companies must also provide them with the option to wipe or delete any information in full. This is designated as the ‘right to be forgotten’ or the ‘right to erasure’. As soon as a request comes in, it’s essential that all relevant stored data – both physical and electronic – is eliminated, and further collection is halted. Ignoring such requests won’t just damage customer and business relations — it can result in hefty fines, too.”
In a school environment, information that needs to be destroyed at the end of its life cycle can include:
- budgeting information;
- any personal details about staff and pupils;
To ensure data destruction is GDPR-compliant Toolbox suggests taking these three steps:
Step 1: Implement the appropriate controls allowing data owners full rights and permissions over their affected content. Organisations must provide users with an option to delete all personal data. It absolutely must be a practical option that stems the flow of new content, and eliminates the old, as soon as possible.
Step 2: Organisations are also obligated to ensure old data or content is securely erased. Just deleting it via the operating system or server is not enough. In fact, reformatting old drives and magnetic media — including hard drives or audio tapes — is no guarantee, either. Deleted data can often be recovered provided the physical media is available.
Step 3: It’s important to properly dispose of the hardware involved, too — not just the digital forms of content. One must employ permanent erasure solutions, such as degaussing, which involves the application of magnetic tape to render devices unreadable or unusable. Physical media may also be shredded, crushed, or incinerated to ensure full compliance.
GDPR may at first feel like a mind-boggling headache, but breaking it down into manageable chunks should allow you to understand it better which, hopefully, will result in you getting it right.
Don’t forget to follow us on Twitter, like us on Facebook, or connect with us on LinkedIn!