Adopted by the European Union in 2016 and enforced from 25 May 2018, GDPR is widely regarded as one of the strictest privacy and data-protection laws in the world. It replaced the outdated 1995 Data Protection Directive and sets out several fundamental rights of a ‘data subject’ (an identified or identifiable person whose personal data is being processed).
The rights of the data subject include the right to give and withdraw consent to the processing of their data, the right to access that data, and the right to data portability (moving it from one service provider to another, for example). It is the right to erasure (Article 17, often called the ‘right to be forgotten’) that is all too easily overlooked by organisations.
For many organisations, that oversight occurs when storage devices such as hard drives and obsolete computers fall out of use and are left to gather dust in a vacant room. The problem is that those devices may still contain client or employee information that should have been destroyed at the end of its pre-defined retention period, or when the data subject requested erasure. Deleting files or formatting a drive is not enough: ordinary deletion leaves the data recoverable until it is securely overwritten or the media is physically destroyed.
If you, as an organisation, cannot prove that you have taken the necessary and appropriate steps to destroy a data subject’s personal data, you could face reputational damage, legal difficulties, and a fine of up to 20 million euros or 4% of your total worldwide annual turnover for the preceding financial year, whichever is higher.
In this landscape of heightened data sensitivity and accountability, a Certificate of Data Destruction, covering both computer equipment and paper documents, is not just a formality but a shield against potential legal, reputational and financial consequences. It is evidence of good business practice and can help demonstrate to the Information Commissioner’s Office (responsible for enforcing GDPR in the UK) that you have met your obligations regarding the secure disposal of personal data.
In this blog post, we will define exactly what we mean by a Certificate of Data Destruction, explore the kinds of media and documents the certificate covers, and highlight the organisations able to issue the documentation.
What is a Certificate of Data Destruction?
A Certificate of Data Destruction is a formal document attesting that specified data has been completely and irreversibly destroyed. If, for example, you have a collection of old hard drives that contain obsolete client information, you might entrust their wiping and destruction to IT equipment disposal specialists. Once the work is finished, you will be issued with the certificate, recording that you took appropriate steps to dispose of the data securely and confidentially. This certificate can then be shown to auditors or the regulator wherever required, as evidence that you are fulfilling your responsibility to avoid data mishandling. Bear in mind that the certificate is only as good as the process behind it: you should keep it together with your own record of which devices or boxes were handed over, to whom, and when, so that the two can be reconciled.
Who can issue a Certificate of Data Destruction?
A Certificate of Data Destruction is issued by specialist data disposal providers such as ourselves. We recognise that GDPR places a significant responsibility on your organisation, so it is vital that you receive documentation that properly evidences your disposal efforts. If, for example, you have several boxes of obsolete files that have exceeded their pre-defined retention period, you might entrust them to us for shredding. Our disposal service uses specialist equipment to prevent any data recovery. Once this process has concluded, we will issue you with the relevant Certificate of Data Destruction.
Why is it important to get a Certificate of Data Destruction?
Each year, approximately 5.5 million adults in the UK experience identity fraud, and 44% of them have their bank accounts accessed. Many of those people never find out where the fraudsters obtained their information, but if the source turns out to be your discarded equipment or paperwork, you could suffer significant reputational damage and a substantial financial penalty to accompany it.
A Certificate of Data Destruction therefore provides you with evidence, should it ever be required, that you took the necessary steps to safeguard the personal information belonging to your clients, employees, and anyone else whose data could otherwise fall into unauthorised hands.
What forms of data are covered by a Certificate of Data Destruction?
The certificate can accompany the destruction of any piece of technology that has stored an individual’s information, whether or not that data is still readily accessible today (deleted files, for instance, often remain recoverable from the underlying media). That might include hard drives, old laptops, desktops, CD-ROMs, floppy disks, USB sticks, mobile phones, printers, scanners, and even fax machines; printers, scanners and fax machines are easy to forget, but many contain internal storage that retains copies of the documents they have processed. A Certificate of Data Destruction is also issued when you shred physical documents such as medical files, accounting records, legal information, and other paperwork containing a data subject’s personal details.
What information is included on a Certificate of Data Destruction?
Because the certificate’s purpose is both to reassure the client and to ensure traceability, it contains several key pieces of information: the date of destruction, the type of data or media destroyed, the method of destruction (for example shredding or wiping), and the name and company details of the organisation that carried it out.
The certificate should also include the unique identifiers or serial numbers of the media being destroyed, providing a means of precise identification and tracking. This lets you maintain a clear record of which specific storage devices or batches of documents underwent which destruction process. As a practical check, reconcile the serial numbers listed on the certificate against your own asset register: any device you handed over that does not appear on the certificate is unaccounted for and needs to be traced.
Furthermore, authorised signatures from the individuals responsible for the destruction and, if applicable, from witnesses or third-party verifiers, add an extra layer of credibility to the certificate. These signatures confirm the accuracy and legitimacy of the information presented and establish a documented chain of custody from hand-over to destruction.
An alternative to data destruction
Under GDPR, personal data must not be kept once you no longer have a justifiable reason for retaining it. Disposal can take the form of destruction (such as shredding or burning), but it can also mean transfer to another authorised entity or to an archive. While you might feel tempted to shut the door on your obsolete files and forget about them, archiving rules are strict and require you to put several measures in place to ensure that the data remains properly safeguarded. If you would prefer to place your data into long-term, secure and affordable storage, but aren’t sure of the steps necessary to do so, we can help.
Conclusion
A Certificate of Data Destruction is a document confirming that you have taken appropriate steps to dispose of data wherever necessary. In a world where GDPR rules are strict and breaches can be financially damaging, the certificate protects your organisation and tangibly demonstrates your commitment to responsible data management. If you would like to know more about responsible, third-party data destruction, speak to our specialist team today.