Does Your Company Have a Data Destruction Policy?

You probably have sick day policies and vacation policies. Work-from-home policies. Policies that address poor performance, social media use and harassment in the workplace. They’re hardly glamorous, but each of these policies is essential because each one serves a unique purpose in protecting your business. A company that doesn’t have a data destruction policy has a major hole in its data security. Creating this kind of policy, and enforcing it, could be the simple step that prevents a devastating data breach. 

Who Needs a Data Destruction Policy?

For a company that processes financial data, or provides medical care, it’s obvious why a data destruction policy is critical. If you have access to a lot of sensitive data and are a high-risk target for hackers, of course it’s important to carefully manage how that data is destroyed.

But today, every company handles sensitive data about its financials, its employees and its clients. All of it is vulnerable while it’s in your control. Your responsibility to protect that data doesn’t end when you’re done with it. It only ends when you know for sure that the data is destroyed.

In short—every company needs a data destruction policy. The policy also needs to be current and enforced. Everyone in the organization should be well aware of such a policy and what it entails. So if you’re not sure whether your company has a data destruction policy, that’s a good indication that it’s time for an upgrade, whether that means updating the existing policy or creating one from scratch. There’s no good reason to not have a data destruction policy, especially because it doesn’t have to be a complicated document.

Data Destruction Policy Checklist

A comprehensive data destruction policy doesn’t have to follow a set structure, so don’t worry too much about getting the template or phrasing just right. Some of the things your data destruction policy should address include:

  •   Purpose. This is often the first section of a data destruction policy. It’s simply an opportunity for you to clearly state the intention of the policy.
  •   Scope. Who is subject to the policy? If you have remote workers and/or multiple locations, does it apply to all of them? What kind of devices are covered by the policy? These are the questions to answer in this section, so there’s no confusion later about who has to comply.
  •   Record retention. When you’re laying out the guidelines about how to destroy certain types of data, it’s useful to clarify the when too. Summarize anything employees need to know about record retention timelines, including how long different types of records should be kept and who to contact with questions.
  •   Physical media disposal. This section of the policy should clarify best practices for getting rid of things like paper files, ID badges and payment cards. Specifically, are there locked containers where employees should place these items? What shredding company will be responsible for destroying these items? Should the shredding company be alerted to pick up physical media, or do you have routine scheduled pickups? Does someone from your organization have to witness the destruction and document it somehow?
  •   Electronic media disposal. As with the physical media section, this part of your policy should spell out how people in your organization should dispose of things like hard drives, flash drives, CDs, printers/fax machines and other data-storing devices. Again, clarify how these surplus items should be stored prior to destruction and best practices for destruction. There are a few ways for electronic media to be destroyed (learn more about common options like degaussing with magnets and overwriting with new data before adding them to your policy), but shredding is the best way to make sure this data is permanently destroyed.
  •   Remote worker policies. If any of your employees work from home at least sometimes, your data destruction policy should address how remote workers are expected to manage company data. Should they bring physical and electronic media into the office for proper disposal?

Compliance may also come into play here. If your business is subject to any industry regulations or federal/state laws around data destruction, your acknowledgement of those rules, and intention to comply, should be stated in your data destruction policy.

Next Steps After Creating a Data Destruction Policy

A data destruction policy only works if everyone in the organization understands it and adheres to it. Nine out of 10 employees could be diligent about disposing of files in a locked bin, but if the tenth tosses their files in a recycling bin, your company is vulnerable to a breach. So once your policy is completed or updated, the next thing to do is train employees on it. Send it in a company-wide email, include it in the company handbook and make sure that all new hires are coached on the policy.

Has data destruction been too lax in your business? Northeast Data Destruction can help you streamline and secure your data destruction process, including assessing your workplace’s needs and dropping off locked collection containers. Contact us today.