Best Practices for Data Destruction

Data destruction is a vital process within the IT lifecycle. How companies dispose of – or recycle – their data and IT assets is an area fraught with security, legal and environmental issues. To mitigate these risks, it is important to follow industry best practices.

Choosing the correct company to dispose of your IT assets is a vital step in the process. This is because it is your company – and not the data destruction company you hire – that will be held liable if a data breach occurs.

  1. Understand your data

Before your data and IT assets are destroyed, you must be aware of where your data is. While PCs, CDs, USB sticks, tablets and company smartphones are an obvious location, data also sits on desktop phones, scanners, and printers.

Furthermore, if your company allows employees to receive company email on their personal devices such as their smartphones, you are responsible for this data too. Therefore, a full inventory of where data sits in your organisation is vital.

  2. Decide on a data destruction strategy

Once an IT asset disposition (ITAD) program has been established and lists the data and/or assets to be destroyed, you should decide on a strategy: data destruction or asset recycling.

  • Data destruction
    • This involves data erasure and degaussing services
    • The destruction of classified materials
  • Asset Recycling
    • The repurposing of used IT parts in order for companies to resell / reuse parts as ‘new’ equivalents
    • Donation of IT assets to charity

  3. Decide where data destruction takes place

Typically, data can be destroyed in one of two places: on-site or off-site.

  • On-site
    • On-site data destruction is preferable for companies with compliance concerns, and involves mobile shredding equipment
  • Off-site
    • Secure shipment for small media quantities / boxed materials for off-site destruction

  4. Environmental / Worker health

All data and assets must be disposed of in a way that satisfies both your company’s standards and those of your jurisdiction, such as those set by governmental and other agencies.

The following are examples of regulations and initiatives governing electronic waste, data and worker health.

  • Data:
    • GDPR
  • Electronic waste:
    • The EU WEEE directive
    • Basel Convention
    • WEEELABEX
    • The reduction of waste going to landfill
    • The reuse, remarketing or socially responsible donation of redundant/obsolete assets
    • R2 (Responsible Recycling) standard
    • ISO 9001, ISO 14001

Furthermore, the health and safety of workers must be of paramount importance and be in line with OHSAS 18001, which improves performance, aids legal compliance and controls health and safety risks.

  5. Full accountability

When your data has been destroyed, it must be ensured that all data has been removed from the devices. Such accountability should include:

  • Certificate of erasure of data for each hard drive
  • Evidential video file of device destruction for each hard drive
  • Date and time stamp of the destruction process
  • Full chain of custody tracking and reporting of all redundant/obsolete assets from our receipt to final disposition

For more information about Wisetek data destruction services, see: https://wisetek.net/services/data-destruction/

October 22nd, 2018