Best Practices for Data Destruction
In secure data handling, it is better to be safe than sorry. Data has become a highly coveted commodity, aggressively pursued by malicious actors. Enhanced privacy laws have also become more demanding, recommending severe penalties for improper data handling. Both for-profit and nonprofit organizations must have a clear strategy for data security. Data destruction is a key component in such a strategy. You must observe some best practices that ensure your data destruction is effective.
Set a Data Storage Period
How long should you hold customer data? The longer you store data, the more it is exposed to risks. You must have a set period for destroying data that is no longer useful. Some data privacy laws like the General Data Protection Regulation (GDPR) require you to observe this practice. Your customer privacy agreement must show this to avoid any misunderstanding.
If a third party is handling data, there must be a clear agreement on the duration that the third party can hold the data after it is obsolete. They must also have a proven process that erases data securely from all storage devices, as well as cloud backup.
Have a Clear Chain of Custody for Obsolete Data
Who handles data when it becomes no longer useful? This data includes that which is held in end-of-life equipment. A shorter chain of custody is more secure because it reduces points of exposure. Ideally, hand over end-of-life equipment to a data destruction service like SPW data destruction services before repurposing, recycling, or donating it. A clear chain of custody helps to trace the custodian at a specific time, which helps build an audit trail.
Erase Data on Every Device with a Storage Capacity
Today, there are many devices with storage capacity. Computers, tablets, smartphones, external drives, flash drives, optical drives, printers, and even cameras hold data. Malicious actors can retrieve the data on these devices using different forensic techniques. You should hand over these devices to data erasure services when they become obsolete or redundant. For example, hard drives in computers meant for donation must have certifiable data erasure before redeployment to a different division within the organisation, or donation to charity.
Implement a Data Destruction Process
Secure data destruction ensures that data on storage media is unreadable and irretrievable, to deny unauthorized access. The method of data destruction used must correspond with the disposal method of the storage media.
Overwriting involves encrypting data with jumbled characters to make it indecipherable. It is alternatively known as data erasure. This data destruction method does not destroy the storage media. You use it on equipment you intend to repurpose or recycle the equipment.
Professionals such as SPW data destruction services use the US Department of Defense’s recommended three-pass overwrite for low security data. They use seven-pass overwrite for highly sensitive data like Personally Identifiable Information (PII) like names and ID numbers.
All magnetic storage media should undergo degaussing. This method disarranged the magnetic fields in the storage media, destroying the data. But it also destroys the storage media such that it is inoperable forever. Degaussing is used on highly sensitive data, before the storage media proceeds to physical destruction.
Physical Data Destruction
The surest way to keep data from unauthorized access is destroying the storage media beyond irreversibly. Physical data destruction method is recommended for SSD flash drives because degaussing is ineffective on them. Methods of data destruction include:
Physical destruction is very effective in destroying data together with the storage media for highly sensitive data. Effective physical destruction requires special equipment, which is available to data destruction services.
Physical destruction is effective in destroying non-electronic data on paperwork. You must account for this data because it is also vulnerable to unauthorized access.
Validate Data Destruction
You must validate a process to ensure that it works as expected. Validation in data destruction is very important, especially for storage media for repurposing or recycling. It becomes very hard to control once it goes out of your door. Some famous data breaches happened because there was no validation that data is wiped off the devices as expected.
Document the Process
It is not enough for a data destruction service to say that they have destroyed data. They must document the process. You will want to see:
- Documentation showing the date of handover, transportation, and storage by the data destruction service
- Storage device details – brand, model, storage capacity and serial number
- Date and duration of data destruction
- Method (s) used in data destruction
- Videos and photos of the process
- Person in charge
Certify Data Destruction
Data destruction must also be certified. You need this certification as proof that they have completed proper data destruction. A certificate of data destruction is very handy where the law requires you to show a proven process.
Observing best practices in data destruction is very crucial in achieving the larger goal of data security. It keeps your organisation safe from the machinations of malicious actors and the attendant damage they bring to your brand.