A critical pillar of your data protection strategy, an IT chain of custody ensures that you meet two of the biggest data governance challenges that your organisation faces… to protect company data at all costs and to remain compliant with the General Data Protection Regulation.
Defining the fundamental rights of EU citizens in the digital age and the legal obligations of any business processing their data, the EU and UK GDPR remains the strictest data privacy legislation in the world. Yet despite such strong regulations, the latest annual statistics show that cybersecurity incidents in 2021 resulted in 5.1 billion breached records. *
2021 figures show an 11% increase in security incidents compared to 2020.
IT Governance.
Although these figures are already alarming, they are likely to be far greater. Often companies are unaware of the full extent of the breach, nor are they required to publicise all details.
To reduce the level of risk as our data continues to soar, UK enterprises spend millions when it comes to building robust cybersecurity defences. However, one of the most probable causes of a data breach is frequently overlooked – the data stored within our technology.
Back in 2019, international data security experts, Blancco, published disconcerting findings from their survey into corporate end-of-life IT practices. The results highlight key security processes that were not being actioned by a significant percentage of organisations.
Almost 40% said they used free software rather than secure data wiping services. 20% did not audit the steps taken to document the destruction process and over a third didn’t record serial numbers. Over 50% of respondents also admitted that devices were left sitting for a minimum of 2 weeks before data erasure took place. ^
Whilst it is highly important to maintain a secure IT chain of custody throughout the entire lifecycle, once our data-rich devices become end-of-life IT assets, it is quite simply essential. Due to the short lifespans and frequent upgrade cycles of our business tech, our redundant IT equipment remains a common source of destructive, costly data breaches. The good news, however, is that it is also one of the simplest to mitigate.
What is an ITAD chain of custody?
A standardised, chronological paper trail, an IT chain of custody is an accurate record of an asset throughout its entire lifecycle, cataloguing the exact location of each device and which employees have access to it. It should document any user transfer or if it is moved to an alternative location. In today’s, remote and hybrid working culture, asset tagging and tracking are more important than ever. If there is sensitive data on an asset, you need to know where it is to guarantee data security. Therefore, this extends through to asset disposition – but what should be included in an ITAD chain of custody?
Whether it’s a USB stick or a server rack, any business asset which may contain sensitive information or personal data records should be listed. You will need to state how the data has been collated, handled, managed, stored, shared and also disposed of to guarantee your data protection compliance. For today’s digitally-led brands, this applies to a vast range of files, both electronic and physical, including those stored on external servers or in the cloud. Under GDPR, this now also applies to information shared with third parties.
Why do businesses need a secure IT chain of custody?
As you might expect, a secure IT chain of custody will substantially reduce cybersecurity risks. But importantly, its accurate documentation provides superior evidence that you have followed the key data governance principles and the correct GDPR destruction of data procedures – essential proof should the conduct an audit. In addition to the ICO, when trusting you with their data, your customers will expect you to have assessed the key challenges of data governance and applied appropriate data protection systems.
Without a secure IT and ITAD chain of custody in place, your network’s integrity is at considerable risk. It is impossible to ensure the validity or proficiency of your security measures as you will not be able to tell if your systems have been compromised. The consequences can cripple an organisation financially, whilst shattering its reputation and pathway to success.
However, it is end-of-life IT assets, which present the greatest hazard. One of the most recent, high-profile examples of a vast breach, occurred as the ITAD chain of custody had been disregarded.
Morgan Stanley was ordered to pay $60 million during a highly publicised lawsuit, following a breach involving 15 million unencrypted customer records. It caused huge reputational damage. The global financial institution is reported to have lost track of 42 servers, some appearing on an auction site. + During their data centre decommissioning project, they failed to outsource ITAD to professional data destruction services. Over a period of 5 years, Morgan Stanley omitted to follow the correct ITAD chain of custody practices.
The ITAD chain of custody and your GDPR compliance.
Whether business assets are to be reused, resold, or as a last resort, recycled, it is vital to maintain the chain of custody throughout disposition. Also governed by the same strict data privacy laws, IT asset disposal services will prevent internal ITAD mistakes, and guarantee that your organisation meets the GDPR data destruction requirements.
Your ITAD supplier should provide an IT asset disposal accreditation certificate for each and every asset, helping you avoid potentially devastating fines and protecting your hard-earned reputation. The right environmentally friendly ITAD partner could enhance your position as an ethical business, reducing e-waste through remanufacturing or should you choose to sell redundant IT assets. If you plan to remarket your device, the certification is essential to verify professional erasure has taken place as the buyer would be responsible under GDPR.
Collection & transportation.
Leading data erasure services will ensure your redundant IT equipment is fully tracked, asset tagged and documented with an auditable paper trail for each scanned serial number. Highly experienced, DBS-checked, technicians follow the strictest protocols to minimise any risk through every stage of the process. On-site data erasure is available for big data ITAD, alternatively, devices can be transported in GPS-tracked fleets to a state-of-the-art security-monitored facility.
Asset recovery.
If any value remains, either for the complete device or through its individual components, the residual value is returned to your business. Any part of the devices that cannot be recycled is sent to the appropriate channels in the UK and properly disposed of, maintaining the chain of custody.
Documentation & reporting.
In addition to the individual IT asset disposal accreditation certification, your ITAD supplier will deliver a comprehensive ITAD chain of custody report. This details how your disposition was securely handled by highly trained technicians, the specific ITAD best practice techniques and advanced erasure software employed, such as the industry-leading, Blancco. The industry accreditations and international standards held will demonstrate the authority and credibility of your chosen ITAD partner.
Verifying your data protection throughout the entire lifecycle, a full IT and ITAD chain of custody is a comprehensive record of on and off-site asset inventories, along with the secure IT asset disposal procedures implemented. Poor asset disposition practices present the highest risk, so it is vital that this continues when the device is no longer of use to your organisation.
Evidence-based procedures within your data protection or IT asset disposal policy, should be implicitly followed. Fully traceable documentation will significantly reduce the possibility of extortionate financial losses, legal consequences or the reputational damage that a security incident can bring. An ITAD chain of custody will ensure your utmost compliance, protect your sensitive data and your organisation.
*IT Governance, ^ERI direct, +BitRaser,
tier1 Group provide comprehensive lifecycle asset management, environmentally friendly ITAD and recommerce services helping you to maintain a secure IT chain of custody; guaranteeing your GDPR compliance.
We operate to international standards, and we are proud to be the most accredited independent ITAD service in the UK. Our trusted, reliable service is always tailored to the needs of your business.
To find out more about our data erasure support services, contact us on 0161 777 1000 (Manchester), 01621 484380 (Maldon) or visit www.tier1.com
Resources.
BitRaser, Consilium, Shred Onsite, IT Governance, DunedinIT, Ricoh, EB Control, IT Asset Management, Seam Services, Lifespan Technology, ERI Direct, Tech Crunch, ZDNet,