Not enough companies understand how to properly delete the data they hold – and need to address this if they are to comply with new data protection rules, privacy and security experts have said.
Under incoming UK and European regulations, firms will be required to completely remove all the data they hold on an individual if that person requests it. They'll also be asked to prove they've properly wiped their records.
This goes further than existing "right to be forgotten" rules, and there are concerns that organisations are unaware of – and unprepared for – the complexities of the new laws.
"I'm astounded by how little is known and understood about data sanitisation," said Richard Stiennon, chief strategy officer of the Blancco Technology Group.
Stiennon is acting director of the International Data Sanitization Consortium (IDSC), which was launched this week in a bid to raise awareness.
Data sanitisation is defined as the deliberate, permanent and irreversible destruction or removal of data. The concern is that many companies might think simply restoring factory settings or wiping a chunk of data would do the trick.
That, said Stiennon, would leave companies vulnerable to hackers and data breaches – as well as compliance issues – which is "both disappointing and alarming".
One way to achieve total data erasure would be to smash up your hard drive, but this isn't the most practical or environmentally friendly option.
The other two best practices, according to the IDSC, are cryptographic erasure and data erasure. Cryptographic erasure means encrypting the entire storage device with software using an algorithm of at least 128 bits and then destroying the key needed to decrypt the data; data erasure means securely overwriting the data across every sector of the device.
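To make the two IDSC methods concrete, here is an added illustration (example code written for this page, not code from the IDSC, Blancco or anyone quoted here). It simulates a storage device in memory: one variant encrypts everything under a 128-bit key and is sanitised by destroying that key, the other is sanitised by overwriting every sector and reading the medium back to verify. The Device and CryptoErasableDevice classes, the SHA-256 counter-mode keystream standing in for a real cipher, and the personal-data record are all constructed for the example.

```python
import hashlib
import os

SECTOR = 512   # sector size of the simulated device (assumption for this example)
BLOCK = 32     # SHA-256 digest size, one keystream block


def keystream(key: bytes, offset: int, length: int) -> bytes:
    """Keystream bytes [offset, offset+length) derived from a 128-bit key.

    Illustrative PRF-in-counter-mode construction (SHA-256 over key||counter).
    Real deployments use AES-XTS via LUKS, BitLocker or a self-encrypting drive;
    the erasure logic below does not depend on which cipher sits here.
    """
    first = offset // BLOCK
    last = (offset + length + BLOCK - 1) // BLOCK
    blocks = b"".join(
        hashlib.sha256(key + i.to_bytes(8, "big")).digest() for i in range(first, last)
    )
    start = offset - first * BLOCK
    return blocks[start:start + length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Device:
    """In-memory stand-in for a storage medium (constructed for this example)."""

    def __init__(self, sectors: int):
        self.storage = bytearray(sectors * SECTOR)

    def write(self, offset: int, data: bytes) -> None:
        self.storage[offset:offset + len(data)] = data

    def read_raw(self) -> bytes:
        """What a forensic image of the medium would contain."""
        return bytes(self.storage)


class CryptoErasableDevice(Device):
    """Device that encrypts everything it stores under one key, like an SED."""

    def __init__(self, sectors: int):
        super().__init__(sectors)
        self.key = os.urandom(16)   # 128-bit key, the minimum the article cites

    def write(self, offset: int, data: bytes) -> None:
        super().write(offset, xor_bytes(data, keystream(self.key, offset, len(data))))

    def read_plain(self, offset: int, length: int) -> bytes:
        if self.key is None:
            raise RuntimeError("key destroyed: data is unrecoverable")
        raw = bytes(self.storage[offset:offset + length])
        return xor_bytes(raw, keystream(self.key, offset, length))

    def crypto_erase(self) -> None:
        """Cryptographic erasure: destroy the key; ciphertext remains but is useless."""
        self.key = None


def overwrite_erase(device: Device, pattern: bytes = b"\x00") -> None:
    """Data erasure: overwrite every sector of the medium with a fixed pattern."""
    for start in range(0, len(device.storage), SECTOR):
        device.storage[start:start + SECTOR] = pattern * SECTOR


def verify_overwrite(device: Device, pattern: bytes = b"\x00") -> bool:
    """Read the whole medium back and confirm every byte carries the pattern."""
    return device.read_raw() == pattern * len(device.storage)


def erasure_evidence(device: Device) -> str:
    """Hash of the post-erasure image, the kind of artefact kept for an auditor."""
    return hashlib.sha256(device.read_raw()).hexdigest()


def demo() -> dict:
    record = b"Jane Doe, 12 High Street, DOB 1980-01-01"   # constructed personal data

    sed = CryptoErasableDevice(sectors=4)
    sed.write(100, record)
    result = {
        "sed_readable_before": sed.read_plain(100, len(record)) == record,
        "sed_plaintext_on_medium": record in sed.read_raw(),
    }
    sed.crypto_erase()
    try:
        sed.read_plain(100, len(record))
        result["sed_readable_after"] = True
    except RuntimeError:
        result["sed_readable_after"] = False

    plain = Device(sectors=4)
    plain.write(100, record)
    result["plain_on_medium_before"] = record in plain.read_raw()
    overwrite_erase(plain)
    result["plain_on_medium_after"] = record in plain.read_raw()
    result["plain_verified"] = verify_overwrite(plain)
    result["evidence"] = erasure_evidence(plain)
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two caveats the simulation cannot show: cryptographic erasure only counts as sanitisation if the key was in place before any personal data was written and no copy of it survives elsewhere (backups, escrow, key management logs); and on flash media a host-side overwrite cannot be proven to reach remapped or over-provisioned cells, so the drive's own sanitise command (ATA Secure Erase, NVMe Sanitize) plus a read-back verification is the equivalent of the verify_overwrite step here.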
Part of the problem, Stiennon said, is the confusing array of terminology, and the consortium plans to establish a common set of definitions to help tackle this. It also plans to set best practice guidance and ensure policymakers, as well as companies, use this.
Stiennon also emphasised the need for regulators to better understand the technical aspects of what is being asked of companies.
Deleting the data is hard – finding it might be harder
There is a related, and more fundamental, problem facing companies – the need to know where the data is in the first place, which is also required by the EU's General Data Protection Regulation.
As Trevor Hughes, CEO of the International Association of Privacy Professionals, points out, most companies' databases have not been built in a way that offers them a comprehensive, clear view of the data they hold.
"They are likely to have hundreds, if not thousands, of datasets collated from various services, countries, branches or regions, and no single view of an individual," Hughes told The Reg. "Erasing that data is the big challenge, because you can't just hit delete."
One option, he said, would be for organisations to create a new database infrastructure that would allow them to do this – not to mention prove it to the regulators – but that comes with huge costs.
"The spend associated with that has been estimated at between 10x and 100x the costs spent on compliance functions," Hughes said. Firms spending $1m on compliance could be facing bills of $10m or more for IT infrastructure changes.
But making such changes still isn't enough when it comes to the law.
Sebastian Vollmer, director of data study groups at The Alan Turing Institute in London, said that improving the way data is collected and stored will benefit companies, too, as "clean, accurate data is much more informative and can have a much bigger impact than a dirty, huge dataset".
However, there is still a lot of work to be done to increase awareness about data cleaning, and Vollmer said that well-documented case studies – rather than simply abstract guidelines – would be a good way to do this.
He added that he hoped the consortium would push for an open-source solution that people could use to ensure they were compliant, while avoiding "compliance-as-a-service".
Meanwhile, Stiennon has a long list of ideas he'd like the IDSC to tackle in the longer term, including addressing the increasing amount of data collected by the automotive industry, especially how rental services should delete that information.
He'd also like to see the consortium pushing for an official standard for data sanitisation.
"The first step is to create a third-party orchestrated standard, overseen by independent committees, and make it available for people to use," he said. Then the aim would be for this to be adopted by an official body, something he imagines would take a minimum of three years. ®