Smart devices and secure data eradication: the evidence

27th July 2017

Evidence on the size of the data eradication issue in end-of-life Electrical and Electronic Equipment (EEE) from 2012 up to 2020.

The headlines
UK household ownership across 17 smart product categories will rise from 272 million devices now (10 per household) to 423 million by 2020 (15 per household).
The number of smart devices containing data that enter the waste stream is about 40 million now, rising to 81 million in 2020.
6.5% of smart devices reaching the end of life are offered for re-use and over 90% present a ‘high’ data security risk.

The issue

Accredited data eradication services and certified techniques are established in the B2B market, where they are offered by IT asset management companies (ITAMs), primarily for the disposal, recycling and resale of smartphones, tablets and laptops. For consumers, however, there is limited reliable information on how to eradicate data, and little reassurance that their data will be handled securely after disposal, trade-in or sale.

The evidence

Smart devices containing data entering the waste stream will double from about 40 million now to 81 million in 2020. An estimated 2.5 million of these are offered for re-use now, rising to 4.2 million in 2020. Smart devices for re-use are on average 6.5% of the total products reaching the end of life, with over 90% of these presenting a ‘high’ data security risk. This is because they contain sensitive data on operating systems, hard drives and memory.

Smartphones are predicted to be the most common item owned, accounting for about 19% of smart devices. This confirms the current and expected trend of the industry, with steady growth both in market size and in new opportunities to use mobile technology, such as mobile payments. Data eradication issues will therefore be critical as more people start using their smartphones for mobile commerce.

Conclusion

The household market for smart devices will continue to grow rapidly over the next five years. These devices will increasingly collect and store more personal information as they interact with each other. As such, a wide range of stakeholders will be affected by the data eradication issue, including those who have not yet understood its potential implications. The research shows that throughout a product lifecycle there are different interventions and responsibilities that various stakeholders can take on with regard to the data eradication issue.

The new GDPR has changed the regulatory landscape, with significant requirements for key stakeholders to follow. If they do not, they will be clearly identified as being in direct contravention of the regulation.

Aim

The purpose of this research is to demonstrate the scale of the data eradication issue now and in the future, identifying threats and risks that could discourage consumers from reusing or recycling smart devices. We then discuss the issues and ways that they could be addressed through a selected range of stakeholders.

Methodology

A structured methodological approach was used and included a number of key activities:

• Literature review of published documents on data eradication in smart devices;
• Market analysis of predicted sales of data bearing smart devices;
• Modelling the future Waste Electrical and Electronic Equipment (WEEE) flow of smart devices to predict the probability and volumes of smart devices becoming waste up until 2020;
• Stakeholder engagement through an industry questionnaire and interviews; and
• Stakeholder workshop with IT asset management companies (ITAMs), Local Authorities (LAs), UK Government (Defra) and Producer Compliance Schemes (PCS).

Key findings

The work has demonstrated limited consumer awareness on how to securely wipe data from smart devices prior to disposal, trade-in and resale. Numerous studies and case studies demonstrated the ability to recover personal data from smart devices once the product has been discarded or resold. This is despite the owner taking reasonable actions to remove personal data. Other consumer issues identified include hoarding. Concerns around personal data security discouraged 35% of UK households from disposing of a product, resulting in the hoarding of EEE. Consumer awareness, attitudes and behaviour play an important part in the data eradication issue.

Other stakeholders (brands, retailers, local authorities, waste management companies, reuse organisations (including charities), producer compliance schemes, internet service providers and IT Asset Management companies) are affected by the data eradication issue, and would not yet have understood the potential implications of the subject.

The legal liabilities under the new General Data Protection Regulation (GDPR) are critical. The Regulation imposes significant legal requirements for key stakeholders and affects any company that collects, stores and uses customer data. The GDPR became European Law on 25 May 2016. Each EU member state has two years to write the regulations into its own law. The maximum fine for non-compliance is set at 4% of an organisation’s worldwide turnover, or €20 million (whichever is higher).

Although scheduled to come into force on 25 May 2018, the uncertainty of the outcome of UK negotiations on the terms of its exit from the EU brings into question whether, or for how long, the Regulation will directly apply in the UK.

A statement by a spokesperson for the Information Commissioner's Office (ICO) on 27 Jun 2016 via outlaw.com confirmed that the data protection framework in the UK would need to accord with the standards outlined in the GDPR in the event that the Regulation does not directly apply to the UK. This has a significant impact on the sector and its responsibilities.

Conclusion and opportunities

The evidence from this project shows that there are opportunities for the range of stakeholders:

Manufacturers and brands - A leadership role in building consumer trust in smart devices and secure data eradication via product design, dedicated software for secure data eradication and communication activities.

Consumers - Broadening of knowledge on the data eradication issue (the why and how).

Retailers - Offer a lower financial rebate to consumers for trade-in, with peace of mind on secure data eradication. This has the potential to increase market penetration of the service.

ITAMs - Offer a consumer-facing data eradication service for smart devices.

Producer compliance schemes (PCS) - Raise the awareness of data eradication issues including product hoarding, limiting disposal and consequently WEEE collection.

Household Waste Recycling Centre (HWRC) - Ensure that the appropriate data security protocols are in place with the waste contractors for data bearing devices collected from these sites. There is also a need to increase awareness of the consequences and liabilities related to smart devices being stolen from HWRCs.

Local Authorities - Facilitate robust protocols and traceability of data bearing devices and treatment at HWRC and AATF.

Central Government - Extend the work on data security to end of life products.

Information Commissioner’s Office (ICO) - Extend the work on data security to end of life products.

Next steps – encouraging action

Leadership from manufacturers and retailers is considered critical to ensure smart devices at end of life are properly managed in light of data eradication risk. The research identifies manufacturers and retailers of smart devices as the most powerful actors for next steps in the data eradication issue.

Manufacturers and retailers have an important role to play in building consumer trust. Brands, with their influence on product design, and retailers, with their consumer-facing angle, are well positioned to take this leadership role in addressing consumer issues in data eradication.

We therefore recommend the following, to take action towards the areas of opportunity identified:

• Providing in-built functionality or software allowing eradication of data from the product – ‘secure by design’;
• Integrating communication and awareness-building efforts on how to safely eradicate data on smart devices prior to disposal;
• Undertaking research to understand gaps in smart device manufacturers’ protocols on data eradication (e.g. encryption in hardware and software or factory reset), and a technical assessment of their efficacy; and
• Undertaking an assessment of potential risk and compliance with the GDPR for key stakeholders in this sector.