Evaluating Data Destruction and Data Protection Compliance

As a NAID Certified Secure Destruction Specialist my goal is to offer information security and compliance professionals objective advice backed by experience, industry best practices and a keen knowledge of the applicable regulatory requirements. 

When working with organizations of all sizes one of my consistent challenges is getting various stakeholders to openly and honestly evaluate their data destruction and disposition program to identify blind spots and allow me the opportunity to identify areas for improvement and risk mitigation. 

Risk Assessment. Business Concept on Blurred Background. Office Folder with Inscription Risk Assessment on Working Desktop. Risk Assessment - Concept. 3D.

Below are some of my questions to open up a conversation with folks who are willing to perform a self-evaluation and begin the process of assessing their data disposition practice.

  1. Do we have a contract in place with our current downstream data disposition providers?
    a. Does this contract include breach notification requirements?
    b. Does this contract include definitions of data protection service levels and data destruction deliverables?
  2. Do we use multiple downstream data disposition providers (example: e-Waste goes to a recycler but media goes to a document destruction company)?
    a. If so, how do we control what vendor is liable if a breach occurs? 
  3. Have we formally vetted our downstream data disposition providers?
    a. Have we evaluated and vetted third party certification(s) that our provider holds?
    b. Have we documented our vendor’s policies, procedures, downstream charts, and third party certificates?
    c. Are we annually checking in on updates from vendor for policies, procedures, downstream charts and third party certificates?
  4. Do we have written policies and procedures for our data protection program?

a. If we perform data destruction internally are the processes formally documented including confirmation of results?
b. Do we have an assigned person in charge of compliance?
c. Do we have formal training for employees and documentation of such training?
d. Do we have employee acknowledgement in writing for acceptance of data security responsibilities?

I urge everyone to ask these questions and evaluate the answers that come back.

Once these answers are provided, we can provide suggestions to ensure better security or regulatory compliance. If the answers all seem satisfactory, there is always an opportunity to dig deeper to find where other improvements can be made and to make sure the organization is documenting the program’s success effectively.

Data security and data protection compliance is a moving target. Evaluation and audit of your data disposition program should be on a regular schedule, including at minimum an annual review of any of your contractors or internal operators.