Best Practices for Data Destruction
Data destruction matters for every end-of-life IT asset in an organization. How those assets are disposed of carries security risk as well as legal and environmental compliance risk. To mitigate these risks, a data destruction policy should follow established industry best practices.
Start by choosing the right IT Asset Disposition (ITAD) provider to dispose of your IT assets securely. This is essential for maintaining regulatory compliance and data security, and for reducing the risk of a data breach.
Understand your data
Before destroying or recycling redundant IT assets, you must know where your data is stored. Workplace desktop computers, CD-ROMs, USB drives, tablets, and corporate-owned smartphones all hold sensitive data, but do not neglect desk phones, scanners, and printers either: these often have internal storage that retains copies of what passed through them.
Local storage isn't the only place to look. Cloud storage and company data held on employee devices must also be accounted for. A full inventory of where the organization's data is stored is therefore crucial; anything missing from the inventory will be missing from the destruction plan.
Decide on a data destruction strategy
Once you've identified the data and IT assets that need to be disposed of, establish a robust ITAD strategy that covers the method of data destruction and whether each asset will be recycled or refurbished. Several methods of data destruction are available:
Secure data destruction through degaussing or shredding (degaussing only works on magnetic media; SSDs and other flash storage must be shredded or sanitized with the drive's own secure-erase command);
Recycling of electronic waste;
Repurposing parts and components for resale or reuse;
Donating IT assets to charity (after a complete, verified data wipe and reformatting).
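One way to perform and check the "complete data wipe" mentioned above, as an added example that is not part of the original page: overwrite the medium with a fixed byte value and then read every byte back to confirm it. The example runs against a temporary file that stands in for a drive; on a real system the path would be the raw block device (for example /dev/sdX, run as root). It assumes the target is a magnetic disk or file. For an SSD the drive's own sanitize command should be used instead, because overwriting cannot reach spare blocks held back by wear levelling.

```python
import os
import secrets
import tempfile

CHUNK = 1 << 20  # work in 1 MiB chunks


def media_size(fd):
    """Size in bytes of a file or raw block device (st_size is 0 for devices)."""
    size = os.lseek(fd, 0, os.SEEK_END)
    os.lseek(fd, 0, os.SEEK_SET)
    return size


def overwrite_media(path, fill=0x00):
    """Overwrite every byte of `path` with the byte value `fill` and flush to the
    medium. Suitable for magnetic disks and files; an SSD should instead be
    sanitized with its firmware command (ATA Secure Erase / NVMe Sanitize),
    because overwriting cannot reach spare blocks held back by wear levelling.
    Returns the number of bytes written."""
    block = bytes([fill]) * CHUNK
    fd = os.open(path, os.O_WRONLY)
    try:
        size = media_size(fd)
        written = 0
        while written < size:
            n = min(CHUNK, size - written)
            written += os.write(fd, block[:n])
        os.fsync(fd)
    finally:
        os.close(fd)
    return written


def verify_wiped(path, fill=0x00):
    """Read the whole medium back and confirm every byte equals `fill`.
    Returns (True, None) if clean, otherwise (False, offset_of_first_bad_byte)."""
    expected = bytes([fill]) * CHUNK
    fd = os.open(path, os.O_RDONLY)
    try:
        offset = 0
        while True:
            buf = os.read(fd, CHUNK)
            if not buf:
                return True, None
            if buf != expected[: len(buf)]:
                bad = next(i for i, b in enumerate(buf) if b != fill)
                return False, offset + bad
            offset += len(buf)
    finally:
        os.close(fd)


def demo():
    """Constructed demonstration: a temp file with random content stands in for
    a drive. Returns (check_before, bytes_written, check_after)."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        # constructed sample content, not real data; first byte is non-zero on purpose
        f.write(b"\xaa" + secrets.token_bytes(3 * CHUNK + 123))
        path = f.name
    try:
        before = verify_wiped(path)
        written = overwrite_media(path)
        after = verify_wiped(path)
    finally:
        os.unlink(path)
    return before, written, after


if __name__ == "__main__":
    print(demo())
```

The read-back pass is the part that produces evidence: a wipe tool's exit status says the command finished, while verify_wiped reports the offset of the first byte that still differs, which is what a certificate of destruction should be able to point to.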
Decide where data destruction takes place
Data destruction typically takes place either on-site (at your business premises) or off-site (at the ITAD provider’s premises).
On-site destruction is preferred by companies with strict compliance requirements and by those that want to witness the destruction themselves. It is typically carried out with mobile shredding equipment brought to your premises.
Off-site destruction is suited to processing small quantities of storage media. It requires secure transport of the IT assets to the destruction site, and the data remains at risk until the media are destroyed, so transport should use sealed containers and a documented chain of custody.
Environmental / Employee health
All data destruction and asset disposition must be carried out in a way that satisfies both your company's workplace health and safety standards and the applicable regulations.
Below are common examples of regulations, standards, and initiatives that govern data disposal, electronic waste, and employee health and safety:
Data protection:
General Data Protection Regulation (GDPR), whose storage limitation principle (Article 5(1)(e)) requires that personal data be kept no longer than necessary
Electronic waste:
The Waste Electrical and Electronic Equipment Directive (WEEE) in the EU
The Basel Convention of 1989 on the control of transboundary movements of hazardous wastes and their disposal
WEEELABEX, a European standard for the collection, treatment, and recycling of WEEE that aims to reduce the amount of electronic waste going to landfill
Responsible Recycling (R2), a certification standard for electronics recyclers covering the recycling, remarketing, or socially responsible donation of redundant IT assets
Health and Safety:
OHSAS 18001, which helps an organization improve performance, meet legal requirements, and manage health and safety risks. Note that OHSAS 18001 has been replaced by ISO 45001, so a provider's certification should be checked against the current standard.
Once the IT assets have been processed, confirm that all data was removed securely. An accountability scheme should include a certificate of data destruction for every hard drive (identified by serial number), video evidence of the device destruction, and time-stamped labelling that records the date of destruction. It should also include complete chain-of-custody reporting and tracking for every asset, from receipt of the device through to its destruction, so that any asset received but not destroyed can be identified.
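A tamper-evident record of the chain of custody and the reconciliation described above, as an added example that is not part of the original page. Each custody event (receipt, transport, destruction) is appended to a hash chain, so a later edit or deletion of an event is detected; a reconciliation check lists assets that were received but never destroyed, and a certificate of destruction is derived from the recorded destruction event. The serial numbers, actors, and timestamps are constructed sample data, and the event names are this example's own convention, not a standard.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # previous-hash value for the first entry


class CustodyLedger:
    """Append-only log of custody events; each entry commits to the hash of the
    one before it, so editing or removing an event breaks verification."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        # Hash the canonical JSON of everything except the hash field itself.
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, serial, event, actor, detail="", timestamp=None):
        """Append an event and return its hash. `timestamp` defaults to now (UTC);
        the demo passes fixed values so the results are reproducible."""
        entry = {
            "serial": serial,
            "event": event,  # this example's convention: received / transported / destroyed
            "actor": actor,
            "detail": detail,
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Walk the chain; returns (True, None) or (False, index_of_first_bad_entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or e["hash"] != self._digest(e):
                return False, i
            prev = e["hash"]
        return True, None

    def reconcile(self):
        """Serials that were received but have no destruction event: the assets an
        auditor would ask about."""
        received = {e["serial"] for e in self.entries if e["event"] == "received"}
        destroyed = {e["serial"] for e in self.entries if e["event"] == "destroyed"}
        return sorted(received - destroyed)

    def certificate(self, serial):
        """Certificate of destruction for one drive, anchored to the ledger hash."""
        events = [e for e in self.entries if e["serial"] == serial]
        done = [e for e in events if e["event"] == "destroyed"]
        if not done:
            raise ValueError(f"{serial}: no destruction event recorded")
        d = done[-1]
        return {
            "serial": serial,
            "destroyed_at": d["timestamp"],
            "method": d["detail"],
            "witness": d["actor"],
            "custody_events": len(events),
            "ledger_hash": d["hash"],
        }


def demo():
    """Constructed sample: two drives received, only one destroyed, then the log
    is tampered with. Returns (verify_ok, unreconciled, certificate, verify_after_tamper)."""
    led = CustodyLedger()
    led.record("SN-A0001", "received", "reception desk", "sealed tote #17", "2024-03-04T09:00:00+00:00")
    led.record("SN-B0002", "received", "reception desk", "sealed tote #17", "2024-03-04T09:01:00+00:00")
    led.record("SN-A0001", "transported", "courier", "seal 4471 intact", "2024-03-04T11:30:00+00:00")
    led.record("SN-A0001", "destroyed", "J. Smith (witness)", "shredded, 2 mm particle", "2024-03-04T13:15:00+00:00")
    ok = led.verify()
    missing = led.reconcile()
    cert = led.certificate("SN-A0001")
    led.entries[1]["actor"] = "someone else"  # simulate an after-the-fact edit
    return ok, missing, cert, led.verify()


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In the sample, SN-B0002 is received but never destroyed, so reconcile() flags it; altering one entry afterwards makes verify() fail at that entry's index. Storing the ledger hash on the certificate ties the paper record back to the custody log.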