Meet GDPR ‘Right to Erasure’ Requirements: Erase Customer Data Permanently & Securely

Blancco Proprietary & Confidential. Do Not Copy or Distribute. Copyright © 2018 Blancco Oy Ltd. All rights reserved.
Abstract
Enterprise businesses trust ITADs to securely destroy their IT
assets to the point that data cannot be recovered. Adding an
additional level of security with software-based data erasure
guarantees that even the most challenging IT assets (like SSDs)
are completely wiped prior to destruction. Erasure also fits within
Article 17 of GDPR requirements, the ‘Right to Erasure, ’ which
requires businesses to permanently remove customer
information upon request. Learn how you can prepare your
organization to meet these requirements in this session with
Fredrik Forslund, Director of Cloud and Data Center Erasure
Solutions for Blancco Technology Group.

Meet GDPR ‘Right to Erasure’
Requirements: Erase Customer Data
Permanently & Securely
Fredrik Forslund, VP Enterprise & Cloud Erasure Solutions, Blancco

1995

1995
24/10/1995
Directive 95/46/EC is adopted
The European Data Protection Directive
(Directive 95/46/EC) on the protection of
individuals with regard to the processing of
personal data and on the free movement
of such data is adopted.

1997

2018
25/05/2018:
“In the UK, it is echoed by
an almost identical Data
Protection Bill”
The General Data Protection
Regulation will apply from
this day
Did you know?
Appointment of a Data Protection Officer
Some organisations, for instance those
whose core activities involve regular and
systematic monitoring of personal or
sensitive data on a large scale as well as
public sector organisations, will have to
appoint a Data Protection Officer to ensure
they comply with the GDPR.

A big change in how Customers think
about Data Management
Active
E-o-L
Information Lifecycle
Management
Acquire
Plan
Dispose
Deploy
Manage
Asset Lifecycle
Management
Historically Currently
8

Hence:
Data Sanitization is on the Hype Cycle
9
***Reference: http://www.gartner.com/document/3371735
Gartner Hype Cycle for Security
Data Sanitization
Physical
Destruction
Cryptographic
Erasure
Data
Erasure

SSD Erasure
10
SSD Challenges
• Freeze Locks
• Wear Leveling
• Data Compression
• Unreliable Firmware Commands
• Corrupted Blocks
• Secure-Erase
Blancco Patented Solution
1. Freeze lock Removal
2. Proprietary Erasure Sequence
i. Combines SW overwrite and
FW commands
3. Erasure Validation
i. Identifies malfunctions and
preformed processes

Consequences are Steep
Based on several factors:
Whether the infringement was intentional or
negligent
Whether the controller or processor took any
steps to mitigate the damage
Technical and organizational measures that
had been implemented by the controller or
processor
Prior infringements by the controller or
processor
The degree of cooperation with the regulator
The types of personal data involved
The way the regulator found out about the
infringement
The greater of
€20 million or 4%
of global annual
turnover
11

From Desktop and Device into the
Data Center
• Data migration
• Customer Exit- Cloud Exit
• VM life cycles
• Repurposing system storage
• Temporary data
• Data retention policies
Erase Data from an operational
environment
• Data Center decommissioning
• Tech refresh
• End of lease
• Return test systems
• Break fix (RMA)
Erase entire systems or servers
on drive level

Expand Your Managed Services Onsite
13
Cryptographic
Erasure
Data
Erasure
Physical
Destruction
Data
Erasure

Example Use Case
14
Requirement
Secure data erasure for customer exit
Regulatory need to remove customer details using a certified solution
Customer details on SMB shares, local & hosted email & paper
How
Discovery using standard MS Windows tools
Blancco File Eraser erases mailboxes & files, “freespace” tool
Secure report generated for every erasure performed
Timeline
Sales cycle approx. 2 weeks. Execution of project 2 days on site.

Mitigate Risks Posed by Dark Data
According to Veritas
Global Databerg
Report, 85% of
Stored Data Is Either
Dark or Redundant,
Obsolete, or Trivial
(ROT)

What are the Negatives Associated
with Hoarding Data?
16
• Cost
• Compliance
• Increased attack surface
• Readiness to respond to customer request

Calculate Your Customers’
Cost Savings
17
Cost of Cloud Storage Vs. Data Erasure
350

Data Retention!

‘The Right to be Forgotten’
• Data subject will have the right to
obtain from the controller the
erasure of personal data concerning
him or her
• The controller shall have the
obligation to erase personal data
without undue delay
• The controller shall take reasonable
steps, including technical measures,
to inform controllers of any links to, or
copy or replication of, of the data
subject’s personal data
Article 17 of the new regulation
focuses on the right to erasure.
20

‘The Right to be Forgotten’ – Real Life
21
Some Basic Statistics
Average Organization
89 GDPR Requests/Month
23 Databases
5 min per Database per Request
89 GDPR Requests/Month (172
hours) = 1 FTE
Large Enterprises
246 GDPR Requests/Month
43 Databases
7 min per Database per Request
246 x 43 x 7 = 75,500 Min/Month
(1,259 hours) = 7.5 FTE

‘The Right to be Forgotten’ –
Implementation Example
22

Challenge! Provide Customers
with a Certificate or Proof of Erasure

Framework to meet ”Right to Erasure"
24
The Solution Should if Possible:
Provide An
Audit Trail:
Must store and provide an
auditable report.
Be
Scalable:
Must be able to manage
vast amounts of
customer/consumer data
across the entire lifecycle.
Achieve Data
Sanitization:
In order to comply with the
EU GDPR and Right to Erasure,
data will have to be erased
across the entire lifecycle.

Already a Billion Dollar Industry
25
• Legal advisers
• Consultants
• Hiring of DPOs globally
• How can you make this into an opportunity for you?
– Enterprise- create efficient process and gain consumer trust
and confidence. Have no data leaks!
– ITADs or other service providers- go on-site, help with
additional use cases and pain points.

Examples from a large Global
TELCO RFP published in end of January
26
• Provide a report of the legal requirements (legal compliance risks)
in the 15 operating offices across EU
• Perform Gap Assessment and Identify each gap across all
operations and highlight the consequences of noncompliance in
each instance and a suggested corrective action plan
• Map all personal data across the organization, including the data
owners, current storage and processing practices
• Provide draft policies on data protection, classification and
retention for the use in the organization
• Investigation and advice on potential historic or current data
breaches

Continued
27
• Provide a short monthly update report to the Chief Finance
Officer, HR Director, Technical Director and Chief Executive
of progress made and key concerns arising during project
• Guidance to write the Consent for (Employees, Customers, Adults,
Children, Website, etc.)
• Review the third party’s contracts (Processors) to be compliant
with the GDPR
• Perform risk management and risk treatment plan –
Data Protection Impact Assessment

Continued
28
• Create Incident Management Policy complied with the GDPR
• Develop Data Retention and Destruction Policy
• Network topology – a high level view of the environment.
• Data Classification or Data Impact Assessment report/output

Fredrik Forslund
VP Enterprise & Cloud Erasure Solutions
fredrik.forslund@blancco.com
Thank You!

Meet GDPR ‘Right to Erasure’ Requirements: Erase Customer Data Permanently & Securely

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Meet GDPR ‘Right to Erasure’ Requirements: Erase Customer Data Permanently & Securely

Similar to Meet GDPR ‘Right to Erasure’ Requirements: Erase Customer Data Permanently & Securely (20)

More from Blancco

More from Blancco (9)

Recently uploaded

Recently uploaded (20)

Meet GDPR ‘Right to Erasure’ Requirements: Erase Customer Data Permanently & Securely

Editor's Notes