Data Destruction and Data Destruction Certificates
)
‘Data’ refers to a value, or set of values, representing a specific concept or concepts. Essentially it is information. When discussing computer hardware, ‘data’ is simply the information stored or processed in your device. There may be a lot of it or only a small amount. Regardless of how much you have, you don’t want that information to go into the wrong hands. Whether you want to keep your company files private, or you’re protecting the security of client information, you need to be sure that all your data is removed from any devices you are disposing of.
Why is data destruction important?
Data destruction is the term used to describe the removal of data from an electronic device. Your hardware holds all kinds of data, some of which you cannot see. You wouldn’t want anyone to be able to access that data without your knowledge or consent, so deleting it from your hardware is essential for maintaining your private information.
Even when a user deletes a file and it is no longer visible to them, there still might be information stored deeper in your computer. Data destruction processes aim to completely eradicate all data stored on a device (even the information which isn’t easily accessible).
When you’re no longer in need of a particular device and you want to get rid of it, ensuring that all your data has been removed before your hardware gets recycled or reused is critical.
Data can be a powerful tool in the right hands. But, if your data ends up in the wrong hands, it can lead to disastrous outcomes such as identity theft, fraud, data leaks, legal ramifications and even business closure. This is why it’s so important to protect your security by choosing an effective data destruction process.
Methods of data destruction
Deleting/reformatting data
Deleting data, as mentioned above, only prevents the user from being able to access it. It doesn’t necessarily remove all traces of that information from the hard drive or memory chip.
The same is true for reformatting data. Reformatting your data replaces the original information with new information, but this doesn’t stop someone from accessing the original.
If you think of data like pages in a library book. Deleting data is like removing the reference number for where the book should be. It makes it more difficult to find, but it doesn’t remove the information.
You could also consider data as a sticker with all your sensitive information written on it. Reformatting it would simply be putting another blank sticker over the top.. Again, this will make it harder to access the original, but not impossible.
Wiping/Erasing/Overwriting data
Wiping data from a device is a much more secure method of data destruction. Your data is electronically stored as ones and zeros, like millions of switches. Wiping data electronically overwrites your data with a new pattern of ones and zeros. By doing so, it erases all the information on a drive and checks for “bit shadows”. Bit shadows are remnants of original data which signify that some information is still accessible. In most cases, one pass through this process is enough. Depending on the data-wiping software being used, this process will be repeated numerous times until no data remains and there are no detectable bit shadows.
Data destruction by wiping, erasing or overwriting data is one of the most commonly used methods, as it has a high success rate and the storage device can be reused once the process is complete. However, this can be a lengthy process (hours/days per drive) and it will only work on devices which are still in a ‘writable’ state. Broken or faulty drives may not allow the software to overwrite or erase data. It also won’t work on hard drives that contain advanced storage management components.
Degaussing data
Degaussing is a process which utilises high-powered magnets to destroy any data on the magnetic surface of a device using an electric current. Although this may be a more secure method of data destruction, it is hard to prove, as once the process is complete the drive will be completely inoperable (so you can’t get inside to see if there is any data left). In addition, since this method destroys the hard drive’s interconnect equipment, it will make it non-reusable (which is a waste of valuable resources).
Physical data destruction
As you might have guessed, physical data destruction refers to the physical breaking and damaging of equipment, such as smashing a hard drive with a hammer. This is fairly effective in terms of data security, however, data could still be recovered by an expert from the remaining shards. Plus, this method is bad for the environment, as the toxic elements inside computer hardware can be released into the atmosphere.
Data shredding
Data shredding is another form of physical data destruction. Data-containing drives are put through a machine which literally shreds the metals down to tiny pieces (no more than 2 millimetres in size). This process completely obliterates the device so that no data can be recovered. Although this is arguably the most secure and cost-effective method of data destruction, it is far from environmental. The metal fragments left behind can be recycled, but this will create more greenhouse emissions than just wiping and reusing a device.
What regulations are there for data destruction?
Although there are several regulations in place to monitor the use and maintenance of data, there are no standardised methods for removing data from a device. That is why it is important to find the right method for your needs.
As the holder of this data, you are liable to legal ramifications should it be misused. When you dispose of a device, you recognise that you will no longer be able to manage the security of that data, so you must ensure that it is safe from any future user who may gain access to your old device.
The Information Commissioner's Office (ICO) is a government organisation that manages regulations and compliance with data security. It works on behalf of the UK public to provide rules and guidelines to outline how data can be used and stored. Any organisation that stores or processes customer information should be registered with the ICO.
Data destruction certificates
What’s almost as important as destroying your data effectively is being able to prove it. For many businesses, this will be necessary to demonstrate the security of their client’s data. Data destruction certificates should list a detailed account of the devices that were processed, including serial numbers, makes and models. This will help you to audit all of the assets which were destroyed and will demonstrate that you have adhered to GDPR.
Choosing the right data destruction for your business
When thinking about the right data destruction method for your business, you will need to consider:
-
Cost
-
Time
-
Sustainability
-
Compliance
-
Documentation
Make sure to research the reputation of any business you are considering using for your IT asset disposal. Ask them what methods they use and what accreditations they have to demonstrate their data security. There are many standards for data security, so it is good to know which standard a prospective business adheres to (eg. Adisa or ISO27001).
Consider the variations in cost and time, as depending on the volume of items you plan on processing, the best method to use may change. Finally, think about the sensitivity of your data. Is a light-touch approach good enough? Or do you need a robust solution to safeguard your organisation from leaked information?
Whatever data destruction method you choose, make sure it is the one that aligns best with your goals and values. What may be a good solution for one company, may not be for another.
