Light Dark
April 14, 2021 By Sue Poremba 4 min read
Data Protection

It’s just part of the job: at some point in a device’s lifecycle, data must be destroyed. While deleting files may mean users and apps can’t access them, simple deletion isn’t enough to truly destroy the data. To be most effective, secure data destruction has to be complete. This is especially true when your organization needs to stay compliant with changing local and global data privacy regulations.

What is Data Destruction? It Isn’t Always Common Sense

ZDNet reported 59% of hard drives sold used or refurbished on online marketplaces contained data from the previous owner, including data that had been ‘deleted’ and easily recovered. In some cases, the drive had been reformatted but data was still recoverable.

“The drives contained a wide array of data, from including employment and payroll records, family and holiday photos (along with intimate photos and sexualized content), business documents, visa applications, lists of passwords, passport and driver’s license scans, tax documents, bank statements and lists of students attending senior high schools,” the article reports.

This level of data recovery on retired or re-instituted electronic equipment is never acceptable. However, it is even less so in enterprise settings. This is especially true now that a growing list of data privacy regulations dictates the way organizations approach data storage, transmission, sharing and destruction. You need to know where all your data lives so nothing lingers for a potential breach. In addition, you should conduct an audit to ensure that data is not lingering on third-party systems when it is time for data destruction.

Knowing Your Data

Before you destroy your data, you need to know your data. Where are all of the possible places it lives? In addition, you need to know which pieces of data are the most sensitive for both the organization and customers.

With data privacy laws, consumers have more control over their personal data than organizations do. They get to decide if they want to be forgotten or how they want their data used. You have to be able to oblige. The right to be forgotten is now part of the data destruction process, making it vital that the cybersecurity team knows everywhere data is stored. Don’t forget paper files, virtual formats or individual devices and drives.

Conducting a data audit will provide a clear picture of where your data is and how it is used. You are also responsible for any third party using your data, so the audit can help identify how spread out your information is.

Have a Data Destruction Policy in Place

Even as you destroy data, you are still responsible for protecting it from compromise or theft. Bringing hardware to the end of its lifecycle is just as important as onboarding devices. It requires careful planning and a clear process.

That process begins with any typical data compliance. Some regulations have restrictions on how long you can store data, so your data destruction may need to take place at regular intervals. This can include determination on whether just data is being eliminated or if the hardware is also at end of life.

Create a budget for end-of-life data and hardware. There are tools and software to assist with permanent data deletion and hardware destruction. This is not an area to try to save a few bucks; if the data is recoverable and breached, you will pay the penalty.

Have a team in charge of determining end-of-life for both data and hardware. Additionally, make it clear to employees what the process is. If employees are using personal devices to access company data that is going to be destroyed, their devices will have to be scrubbed. They can’t just hit ‘delete’ and consider it done.

Staying Compliant

Once you know where all sensitive data is and your destruction processes are in place, the next step is to make sure you are following any data privacy compliance laws for your industry and location.

The European Union’s General Data Protection Regulation (GDPR), for example, classifies data destruction as a method of data processing and requires organizations to follow certain steps before destroying anything. Owners of the data have the ultimate say over their data, even when it comes to destruction. Additionally, data on end-of-life devices must be completely erased and not just deleted. Destroy hardware in such a way that it can no longer be used (i.e., magnetic strips removed or devices physically destroyed or shredded).

Most — but not all — states have laws surrounding destruction of data.

According to the National Conference of State Legislatures, “at least 35 states, D.C. and Puerto Rico have enacted laws that require either private or governmental entities or both to destroy, dispose, or otherwise make personal information unreadable or indecipherable.”

Also, the Federal Trade Commission requires any business or individual that uses a consumer report for business purposes must dispose of that data under strict guidelines. Paper records, for instance, must be burned, pulverized or shredded, while electronic files must be erased or destroyed so the consumer data can’t be read nor reconstructed.

Also, industry compliance regulations have their own sets of instructions for how data should be destroyed.

Failure to follow the correct procedures can result in a data breach, which results in financial consequences for the company and puts consumers at risk for identity theft and fraud.

Tools for Data Destruction

If you can afford the equipment, it is safer to keep the destruction process within the company. There are also companies that will outsource data and hardware destruction, but this adds risk of a data breach. You can acquire shredders to destroy hardware, or physically destroy a device with an old-fashioned hammer. Degaussing wipes clean magnetic strips, and degausser machines can be purchased for in-house use.

Data privacy regulations have put heightened attention on consumer information and how it is used — and how it is destroyed. Recognizing that destruction is simply part of the data protection process should keep the data secure through the entire lifecycle and keep your organization compliant.

 

Clients are responsible for ensuring their own compliance with various laws and regulations. IBM does not provide legal advice and does not represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.

 |  |  | 
Sue Poremba

More from Data Protection
January 27, 2025

How secure are green data centers? Consider these 5 trends

4 min read - As organizations increasingly measure environmental impact towards their sustainability goals, many are focusing on their data centers.KPMG found that the majority of the top 100 companies measure and report on their sustainability efforts. Because data centers consume a large amount of energy, Gartner predicts that by 2027, three in four organizations will have implemented a data center sustainability program, which often includes implementing a green data center.“Responsibilities for sustainability are increasingly being passed down from CIOs to infrastructure and operations…

January 21, 2025

Why maintaining data cleanliness is essential to cybersecurity

3 min read - Data, in all its shapes and forms, is one of the most critical assets a business possesses. Not only does it provide organizations with critical information regarding their systems and processes, but it also fuels growth and enables better decision-making on all levels.However, like any other piece of company equipment, data can degrade over time and become less valuable if organizations aren’t careful. What’s even more dangerous is that neglecting data hygiene can expose organizations to a number of security…

January 3, 2025

Router reality check: 86% of default passwords have never been changed

4 min read - Misconfigurations remain a popular compromise point — and routers are leading the way.According to recent survey data, 86% of respondents have never changed their router admin password, and 52% have never adjusted any factory settings. This puts attackers in the perfect position to compromise enterprise networks. Why put the time and effort into creating phishing emails and stealing staff data when supposedly secure devices can be accessed using "admin" and "password" as credentials?It's time for a router reality check.Rising router risksRouters…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature