The Right to be Forgotten

A big component of the GDPR regulation centres around the rights of the individual. Amongst them is the Right to Erasure, also known as the “Right to Be Forgotten”. The right itself is nothing new, but combined with the right to access, it has become altogether more powerful.

Customers can now request that their information be deleted and also request proof that this has been done. The pathway to this within the organisation is good record keeping of the kind discussed in our article “Help! Am I GDPR Compliant?”

When an organisation maintains easily readable documentation on whose information it has, what data is contained, how it is stored, for how long and why it is needed, report generation becomes easier. If there is a case for keeping the information long-term, this can be easily communicated to the individual.

However, it is one thing to deal with procedures and policies, but how should a company handle protocols when the hardware that stores information has left the building? How do they make sure the equipment changeout does not become a security risk? The answer lies in high quality, demonstrable data erasure.

Techbuyer has been in the data wiping business for eight years. The company currently wipes over 10,000 hard drives per month as well as countless servers, server blades, networking switches, firewalls and SAN switches that contain sensitive information like names, IP and email addresses. During the time we have been operating, we have seen an evolution in demand when it comes to data erasure.

“There has been a change in public perception on the safety of recycling data storage hardware as people become more educated,” explains Mick Payne, Group Operations and Purchasing Director at Techbuyer. “This increases the demand for a great data-wiping solution. We offer this as a service that is free of charge to all those selling to us.”

More and more organisations are waking up to the benefits of a cash return on their data storage equipment. Some recycling companies that do not specialise in IT will charge a fee to remove old equipment and dispose of it ethically. Companies that buy and refurbish IT know how to reconfigure systems in a way that will suit other customers. They pay for the equipment and carry out data wiping as part of the service.

GDPR puts the onus on companies to take responsibility for customers’ data all the way to the end of the line. This means that they have a responsibility to see that data is efficiently wiped and that hardware is demonstrably restored to factory settings before it is redeployed. For hard drives and SSDs this means running the best software for the purpose. For servers and networking, this can involve a high level of expertise.

“We test every part that comes through our doors,” says Mick. “Our requirement is to have all of our refurbished products restored to functionality that is as good as new.”

The testing process has the knock-on effect of providing a full report to the original user, which gives them peace of mind when it comes to GDPR.