EU GDPR and "e-waste"


Travis

10:48 am on Apr 22, 2018 (gmt 0)

5+ Year Member Top Contributors Of The Month



The EU GDPR is about collecting, storing, and using personal data. But as a side effect, it also concerns the afterlife of these data. Let's say you throw away your computer, and on the hard disk you have files or archives including personal data; then you are at fault if these data are retrieved by someone else. The same goes for all kinds of documents, electronic or not, that are being thrown away.

So, you have to destroy the data first. Which in any event is good practice for anything.

For example, for a hard disk, you should always wipe the surface (even for SSD) with dedicated software. The wiping is done by rewriting the whole disk multiple times with random data, making recovery impossible.
(When you delete a file, the system just marks the clusters as available, but the data are still physically present on the disk until something overwrites them.)

This should also be done with your server / hosting plan. Before leaving, you need to delete the data AND wipe your disk space. The probability is extremely low, but the next person who gets your server can retrieve data. When I change servers, I always run a file recovery program out of curiosity, and each time I can see MySQL databases, with all kinds of data! So wipe your servers / hosting space before you leave. If someone retrieves the data you collected, you are liable.
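
Added example (not part of the post above): a toy Python model of the delete-versus-wipe point, showing that a delete only releases clusters while a wipe of free space overwrites them, with a residue check before and after. The `ToyDisk` class, the cluster size and the sample record are constructed for illustration, and the model assumes an overwrite lands on the same physical cluster that held the data.

```python
import os

CLUSTER = 16  # bytes per cluster in this toy model (constructed value)

class ToyDisk:
    """Raw clusters plus a file table mapping name -> list of cluster numbers."""
    def __init__(self, n_clusters):
        self.raw = bytearray(n_clusters * CLUSTER)
        self.free = set(range(n_clusters))
        self.files = {}

    def write(self, name, data):
        needed = -(-len(data) // CLUSTER)  # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        clusters = sorted(self.free)[:needed]
        for i, c in enumerate(clusters):
            chunk = data[i * CLUSTER:(i + 1) * CLUSTER].ljust(CLUSTER, b"\0")
            self.raw[c * CLUSTER:(c + 1) * CLUSTER] = chunk
            self.free.discard(c)
        self.files[name] = clusters

    def delete(self, name):
        # An ordinary delete: release the clusters, leave the bytes in place.
        self.free.update(self.files.pop(name))

    def wipe_free(self):
        # Overwrite every unallocated cluster with random bytes.
        for c in self.free:
            self.raw[c * CLUSTER:(c + 1) * CLUSTER] = os.urandom(CLUSTER)

    def residue(self, marker):
        # Verification step: is the marker still anywhere on the raw medium?
        return marker in self.raw

def demo():
    disk = ToyDisk(8)
    disk.write("customers.db", b"email=alice@example.test")  # constructed record
    disk.write("index.html", b"<h1>hi</h1>")
    disk.delete("customers.db")
    after_delete = disk.residue(b"alice@example.test")  # still on disk
    disk.wipe_free()
    after_wipe = disk.residue(b"alice@example.test")    # gone after the wipe
    still_live = disk.residue(b"<h1>hi</h1>")           # live file untouched
    return after_delete, after_wipe, still_live

if __name__ == "__main__":
    print(demo())
```
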

RhinoFish

2:43 pm on Apr 22, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Future archaeologists will find a way to restore wiped data, as they study our lives... haha.

not2easy

4:42 pm on Apr 22, 2018 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



The same applies to copiers, but I've never seen a privacy policy for a publicly used copier such as at libraries or copy shops. :(

Shaddows

11:38 am on Apr 23, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Self-Encrypting Drives mitigate against, if not prevent, e-waste data loss.

HDD manufacturers (PDF) [seagate.com] are messaging about SED and GDPR; worth a read even with several teaspoons of salt.

Travis

3:06 pm on Apr 23, 2018 (gmt 0)

5+ Year Member Top Contributors Of The Month



Interesting. Also, it shows there is a whole business developing around GDPR. The GDPR brings new constraints, but also new opportunities (and new opportunities to be screwed too, because there will always be people trying to abuse others and surfing on the buzz). In a few years, it will be interesting to see how it changed the world (or not).

engine

3:23 pm on Apr 23, 2018 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



I don't recall ever letting a hard drive, or a floppy disk, leave my office in any condition that would permit restoration of anything. If the drives cannot be recycled into another machine, certainly, the disk itself is physically destroyed. If it's a faulty disk you cannot easily wipe the content so destruction is my favoured route.
In any case, some of the oldest ones have inadequate space to be redeployed.
I've not yet had an SSD fail.
I have wiped USB drives to bring them back to a clean state; however, the type and volume of data on there has been limited.

Shaddows

3:37 pm on Apr 23, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



@engine

The problem is generally in medium-sized companies where there is a gap between policy and implementation. Or indeed non-technical small companies where no-one thinks of these things.

How many bottom-rung techies are responsible for physically swapping drives in NAS, PCs or servers? Management may have a destruction policy, but how many have the processes to back that up? Destruction certs, for example.

Big companies, and certain niches (finance, legal) will have proper processes. But an extremely large percentage of drives will be deployed in SMEs, without proper control.

Travis

6:46 pm on Apr 23, 2018 (gmt 0)

5+ Year Member Top Contributors Of The Month



Yes, the problem is not with those who are aware, but with all the others. That is why the GDPR is trying to sensitize EVERYBODY to the importance of personal data, their collection, storage, usage, etc. The GDPR also has an educational purpose.