It was alleged that the moving company that Morgan Stanley used to dispose of the hard drives and servers had no experience in data destruction, and later sold on the devices, which still contained unencrypted customer personal data. The encryption software had allegedly never been activated.
UK organisations must comply with the security principle in Art 5(1)(f) UK GDPR by putting in place appropriate technical and organisational security measures to protect personal data from unauthorised or unlawful processing, accidental loss, destruction or damage. This obligation extends to the disposal of personal data. We have set out our 5 top tips for ensuring personal data processed by your organisation is destroyed and disposed of safely:
- Put a plan in place – it is important to consider from the outset of a project how long the personal data will need to be retained for, and how it will be destroyed securely at the end of the retention period. We recommend putting in place a Document Retention and Destruction Policy to document your decisions.
- Training – secure destruction of personal data should be the responsibility of all employees. Implement training to explain to staff how personal data should be stored and destroyed and monitor compliance with procedures.
- Check your suppliers – when working with a new supplier, make sure your contract contains detailed provisions around the destruction of personal data. Ensure your IT team thoroughly reviews the security arrangements of your suppliers.
- Deleting digital information and backups – remember that when deleting information from computers and other electronic devices, there may be backup storage which means the personal data is retained even after you think you’ve deleted it. Consider putting in place secure deletion software and seek specialist IT advice if required.
- Don’t forget paper documents! Shredding is a quick and effective way to destroy paper documents, either by buying your own shredders, or using a reputable shredding company.