Are you unknowingly breaking the law?
With the introduction of General Data Protection Regulation in 2018 organisations became legally required to ensure the personal data they held or were processing was secure. This is defined in Article 5(1) (f) of the Act. These regulations and requirements apply to all organisations processing personal data, regardless of turnover, number of employees or sector.
In 2020 we carried out an investigation into the GDPR compliance within the recycling and second hand equipment market. What we discovered horrified us and showed the results found in other similar official studies were just the tip of the iceberg.
We purchased 534 devices listed to be faulty or for parts only from well known auction and second hand goods sites. Our purchases intentionally contained devices from a broad base to cover our recovery service platforms, mechanical hard drives – desktop and laptop, SSD sata and NVME, USB memory sticks, compact flash, SD cards and microSD cards.
Our sellers were deliberately a mix of private individuals, larger private sales such as car boot and auction enthusiasts, small independent computer retailers and what were obviously large scale equipment recyclers. We placed a restriction on our recovery technician that no spare parts were to be used in the recovery attempts, even though all of these devices were reportedly faulty. Only the devices themselves could be worked on.
81% of the devices contained recoverable data.
Data we recovered
Financial
Corporate accounts, Local Authority Reports, Personal accounts, Tax returns, Pension Details, Bank Statements, Mortgage Details, Loan Applications, Credit Checks, Credit Card Details and Online login information and passwords.
Identity
Medical Records, Passports, Driving Licences, Birth, Marriage and Death Certificates, Divorce Papers, Property deeds, Utility Bills and Education Certificates.
Personal
Wedding, Baby, Holiday and Party pictures and videos. Online Identities, User Information and Passwords. Curriculum Vitae’s, Job Applications, Employment History, and Family genealogy.
This information not only poses a risk of financial fraud but complete identity theft, or cloning of the data subject. Genuine, accurate personal data and supporting documents have enormous value to organised criminal gangs, an increasing problem.
For us the concern was the amount of data we recovered from professionally serviced devices. Our results showed this was not the occasional drive slipping past quality control, there was no quality control. Devices were being resold without any measures to remove personal data. Data subjects had been assured personal data would be securely destroyed after upgrading or recycling their old equipment, it hadn’t and was putting them at risk without their knowledge.
All data recovered has been now been securely destroyed. Where applicable we have contacted the sellers to inform them of our findings and data concerns.
Don’t put yourself or your organisation at risk. We offer free electronic data erasure and destruction services for up to 3 devices and the added security of physical destruction service at minimal costs.