How to formulate data destruction policies to protect your company?


It is not safe to say that you threw away the hard drive and there is no need to worry about it. In today’s world of cybercrime, viruses, and pandemics, you have every cause to be vigilant when it comes to data protection and to managing the destruction of information that can be a liability to your organization and customers. One way to become a pro data destruction vigilante for your organization is to set up a data destruction policy as tough as Superman.

You can set up the rules and establish a law in the land, but without enforcement you might as well throw it all in the trash. A separate department in your organization for data destruction and cyber security is enough by itself to deal with all your issues pertaining to your IT waste. You will have a dedicated team not only to set up cyber security within the workplace but also to make sure that all IT assets being disposed of are managed properly according to procedures.

These procedures are mandatory for everyone in the workplace to follow, including yourself, the owner or the top dog. All data waste management procedures should be in accordance with the General Data Protection Regulation (GDPR), and that goes for companies in the US as well. Article 17 of the GDPR states the minimum requirements an organization must have in place to assure that no data is breached after an IT asset has been disposed of. A good procedure for data destruction would follow these major steps:

  • Device being erased for reuse:

    1. Back up all valuable data that is in use by the organization.

    2. Disconnect all links to the organization's network servers. (This averts the threat of a cyber breach during the erasure process if it is outsourced.)

    3. Make sure the software being used does not take too long to run, so that assets are available for reuse as soon as possible.

    4. Once erased, make sure that the device is functioning correctly. (This is important if the device was outsourced to be erased.)

  • Device being destroyed and scrapped:

    1. Back up all valuable data that is in use by the organization.

    2. Format the device completely (use of erasure software is recommended).

    3. Pick a certified data destruction company for the process (no liabilities)

    4. If possible, retrieve the scrap from the company if the data is extremely valuable.

These are just a few steps that can be added from the top to bottom to make sure your data destruction policies are enforced in the correct way.

You can only make someone truly feel at ease if you yourself are in a state of tranquility. If your customer’s or employee’s data has been hijacked due to a failed data destruction process, then all the blame falls on you. If you have the correct insurance plans in place and guarantees from data destruction companies, then all the liability falls on them, giving you room to breathe and not face a lawsuit. Be sure of who you trust the job to in the first place.

After all the above methods and policies are applied, you must test all your procedures step by step through ethical hacking to make sure there are no loose ends on your part. This will identify all the weaknesses in your cyber security and data destruction process so that no valuable data is leaked.


About the Author

Haseeb Jamshed