GDPR and Drives

mrccocking

Hi all

I can't see anything regarding this so I thought I would ask,

When I am doing a maintenance callout for, say, a PC with a corrupt OS, I would normally remove the drive from the affected PC, install a replacement drive, install Windows etc., and then take the drive I took out away and keep it for a few weeks before secure wiping and reusing it. Normally there is no user data on the PC, as they store data on the server.
What do others do with this? GDPR does say we shouldn't be taking drives away, but we do it to ensure the data can be restored if something is stored in an obscure place on the PC.

Thanks
Chris
 
they sign off our callout report, the drive removal is stated on there
You're ok up to a point then. All of this security stuff requires documentation of what's happened/happening. So you need to add an "inventory disposition" document. Then record arrival, then each step along the way. Something like serial number and model, followed by arrival and storage information, then updated with nuke date, time and type, such as triple pass random or whatever standard used. Like we have NIST over here, so one might use NIST Standard SP800-88r1. And then what you do with it after the nuke, like put into used equipment storage for backup purposes, etc.
 
Look at the Technibble Business Documents available, a great resource for your business.
I have it and use it for clients and get them to sign/date and give them a copy and I keep one on file.

Systems are kept for 30 days; if not picked up and follow-up contact has been made, they go to E-Waste. I am not a storage facility.
Hard drives are kept for two weeks after retrieval; if there is no contact from the client, they are destroyed.

All of this and other elements are clearly stated in the TOS, and I also follow up by contacting the customer to verify before disposal.
 