Why is Data Sanitization a Must-Have for Your Organization?

October 2nd, 2023

In this tech-dominated environment generating an ever-increasing amount of information, organizations must properly address data from its creation to its destruction.
Although often forgotten, this last step is crucial to achieving data security and avoiding the enterprise's worst nightmare: a data breach! This article explains what data sanitization is, how and when it should be performed, and the associated good practices that must be implemented.

What is data sanitization?

Firstly, what is the definition of data sanitization and its potential implications? According to the International Data Sanitization Consortium (IDSC), it is “deliberately, permanently, and irreversibly removing or destroying the data stored on a memory device to make it unrecoverable. A device that has been sanitized has no usable residual data, and even with the assistance of advanced forensic tools, the data will not ever be recovered.” A twofold approach must be adopted: data sanitization should be considered throughout the asset lifecycle management and the information lifecycle management processes. To summarize, both the device and the data it contains must be addressed to achieve complete data sanitization.

Be careful though! It is a common mistake to think that the data is removed from a device whilst in fact some parts of the data can easily be recovered. This can result in data misuse, data losses, and/or data hacking, which can have serious consequences for data subjects and the liable company or organization.

What are the appropriate methods?

A case-by-case analysis should be performed considering the information confidentiality and the media type to determine the appropriate method(s) to achieve data sanitization. In that respect, the National Institute of Standards and Technology (NIST)’s Guidelines for Media Sanitization provides a decision flowchart as well as specific requirements to help organizations properly sanitize different types of media or devices. Three categories of sanitization have been identified by the NIST, but different aspects must be examined to select the most suitable one:

1. Clear

This process involves logical techniques that render the data unrecoverable in all user-addressable storage locations, either by overwriting or by resetting the device to the manufacturing state. As this method is intended to protect against simple non-invasive data recovery techniques, it should not be used for sensitive data.

2. Purge

Physical or logical techniques that use state-of-the-art laboratory procedures to render data recovery infeasible, such as cryptographic erasure (sanitizing the cryptographic keys used to encrypt the data, preventing read-access) and degaussing (using degaussers to demagnetize or neutralize the magnetic field used for data storage). Depending on the cost of the device, its potential reuse, or the difficulty of physically destroying some types of media, purge may be a more appropriate approach than destroy. However, it can be applied only if it has been verified that the device did not contain sensitive data before encryption.

3. Destroy

Media destruction (e.g. shredding, disintegration, pulverization and incineration) precludes data recovery and further use of the media for storage of data. This method is costly and harmful to the environment as it shortens the lifespan of the device. Therefore, it should be adopted only when the device is irreparable or obsolete and was used to store very sensitive information or when it is not possible to remove data through digital means.

When should data sanitization be performed? 

Several situations may necessitate data sanitization:

  • during employee onboarding or departures;
  • on customer demand;
  • when equipment reaches the end of its lifespan;
  • in the context of data migration and cloud management or exit;
  • when data reaches the end of its lifespan or at the end of the retention period.

What are good practices that your organization should implement?

Several key practices can help pave the way for effective data sanitization. Firstly, it is important to organize this process efficiently in your organization: plan it from the start, have a standardized procedure and apply it to all data storage devices across the entire lifecycle of data. Secondly, special consideration should be given to the verification stage – not only after each sanitization action, but also on a representative sample of the stored sanitized medium kept for future use. Finally, all the operations carried out must be properly documented with full audit trails and supported by a certificate. With that in place, the company will be able to ensure the safe deletion of data.
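The verification and audit-trail steps above can be sketched for a Clear-style overwrite as follows. This is an added example, not code from the authors: the image file is a constructed stand-in for a block device, and the block size, sampling fraction and record fields are assumptions.

```python
import os, random, tempfile
from datetime import datetime, timezone

BLOCK = 4096  # verification granularity in bytes (assumed)

def overwrite(path, pattern=b"\x00", stop_after=None):
    """Clear-style overwrite of an image file; stop_after simulates an interrupted job."""
    size = os.path.getsize(path)
    end = size if stop_after is None else min(size, stop_after)
    with open(path, "r+b") as f:
        for off in range(0, end, BLOCK):
            f.write(pattern * min(BLOCK, end - off))
        f.flush()
        os.fsync(f.fileno())

def verify(path, pattern=b"\x00", fraction=1.0, seed=0):
    """Read back a pseudorandom sample of blocks and build an audit record."""
    size = os.path.getsize(path)
    blocks = -(-size // BLOCK)  # ceiling division
    picked = sorted(random.Random(seed).sample(range(blocks), max(1, int(blocks * fraction))))
    residual = []
    with open(path, "rb") as f:
        for b in picked:
            f.seek(b * BLOCK)
            data = f.read(BLOCK)
            if data != pattern * len(data):  # anything but the wipe pattern is residue
                residual.append(b * BLOCK)
    return {
        "media": os.path.basename(path),
        "method": "Clear (single-pass overwrite)",
        "verified_at": datetime.now(timezone.utc).isoformat(),
        "blocks_total": blocks,
        "blocks_checked": len(picked),
        "residual_offsets": residual,
        "result": "PASS" if not residual else "FAIL",
    }

def demo():
    """Constructed 64-block image: an interrupted wipe fails, a completed wipe passes."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "constructed-disk.img")
        with open(img, "wb") as f:
            f.write(b"CUSTOMER-RECORD;" * (64 * BLOCK // 16))  # constructed sample data
        overwrite(img, stop_after=48 * BLOCK)  # job stops three quarters of the way
        interrupted = verify(img)
        overwrite(img)
        completed = verify(img)
        return interrupted, completed

if __name__ == "__main__":
    for record in demo():
        print(record)
```

A `fraction` below 1.0 checks only a sample and can miss a small residual region, which is why a full read-back after each action and a sampled check on stored media serve different purposes. Reading back user-addressable blocks says nothing about remapped or over-provisioned areas of a real device.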

The Bottom Line

Proper data sanitization procedures are a must-have for all organizations. They are necessary to comply with current data protection legislation, including Article 17 of the GDPR, which gives data subjects the right to erasure. The reputation of the organization is at stake because, without a thorough framework in place, it is open to attacks and compliance failures. To top it off, the correct destruction of stored data will reduce IT costs as well as the risks of data breaches!

Marilyn Cloquette

Data Protection Manager Associate

Graham Southgate

DPO and Service Quality & Improvement Lead

We support our clients in this sanitization process. If you are interested, feel free to reach out to our team for support.