Secure data destruction is a necessity when disposing of redundant or obsolete IT hardware. This need could arise when you are moving into the cloud or upgrading IT hardware. Secure data destruction is essential for eliminating serious risks that come from unsecured data, including data breaches. But the ordinary business is ill-equipped to handle secure data destruction.

Engaging a professional data destruction service is a better option than in-house data destruction for several reasons:

  • Better equipment–A professional service has qualified technicians and specialist equipment to handle data destruction. They have equipment such as degaussers, crushers and shredders, which an ordinary business may not have.
  • Cost-efficiency–It is more cost-effective to delegate data destruction than to commit resources to a one-off process.
  • Technical knowhow–A professional service has qualified technicians who can perform an auditable destruction.
  • Convenience–A business can delegate data destruction to professionals and concentrate on its core business operations.

While professional data destruction is advised, it is only secure if the data destruction provider is competent and follows a certifiable process. How can you pick a competent data destruction provider who can handle secure data destruction satisfactorily?

Ask About Standards and Accreditations

You should pick a data destruction provider who uses industry-leading tools. Blancco Data Erasure Solutions, for example, is a leading trusted brand in the industry. Data destruction at SPW deploys these tools for the highest level of secure data destruction.

There are global bodies that ensure standards in the data destruction business. The Asset Disposal and Information Security Alliance (ADISA) is an example. A reputable data destruction provider should ideally be a member of ADISA. This alliance sets standards for its members for the disposal of end-of-life IT equipment, including secure destruction of the data stored on it. ADISA members must follow an auditable process that verifies adherence to these guidelines.

Data destruction providers are guided by the industry standard ISO 27001. This standard provides guidelines on proper disposal of end-of-life equipment and secure data destruction. There are other guidelines, such as Europe’s Waste Electrical and Electronic Equipment (WEEE) regulations.

Ask About Verification and Auditing 

It is important that a data destruction provider shows that the data destruction process is verifiable and auditable. Among other things, the data destruction provider should provide:

Confidentiality Agreement

It is mandatory for a data destruction provider to commit to maintaining the confidentiality and privacy of the data passing through their hands. This commitment should be specified in a confidentiality agreement that is enforceable by law.

Chain of Custody Report

This report will show the history of custody of IT assets, including data. It shows the transfer of IT assets, the location and date of transfer, the date and location of destruction, and all persons who handled the data at different stages.

Erasure Verification Report

This report shows the end-to-end process of each IT asset handled and the details of data destruction performed. It includes:

  • Client name
  • Equipment model, brand and serial number
  • RAM or HDD size
  • Storage media sanitization method
  • Number of passes performed
  • Number of bad sectors reported

Physical Data Destruction Report

This report should be generated when performing physical data destruction. It includes:

  • Details of the equipment (model, brand, serial number)
  • Photos and videos of the same
  • Video of the destruction process
  • Photos of the resulting debris
  • Weight comparisons of the debris and original equipment

Certificate of Data Destruction

This certificate is generated at the end of the data destruction process. The certificate is useful for providing proof when required, for example, in legal inspections. This certificate should be generated within a week of the data destruction.

Ask About Technical Competency

A data destruction provider should show technical competency by having trained, bonded, and vetted technicians. They should also have the requisite equipment for erasure and physical data destruction, including degaussers, shredders and crushers.

Verify Insurance Details

You will need insurance when doing data destruction on IT assets that are for repurposing, recycling and donations. The data destruction provider should give an assurance that your equipment is in safe hands and be willing to take liability in case of damage.

Ask About Onsite Data Destruction

Sensitive data should ideally not leave the custody of an organization. Keeping it onsite eliminates the risk of losing equipment and data. Onsite data destruction is also easier to monitor and supervise. A data destruction provider willing to do the task onsite is preferable to one who insists on shipping out the IT assets and data.

Secure data destruction should be a verifiable and certifiable process to ensure that your organization is always protected from risks associated with data handling. Picking the right data destruction provider is crucial in this process to ensure the process is lawful, enforceable, and verifiable. Remember that secure data destruction protects your business from external threats by preventing unauthorized access to your data.