PONT Data&Privacy
Safely erasing data: the why, what and how

We all tend to keep a lot of data because the information may be useful in the future. But storing large amounts of data is not effective, and sometimes even violates laws and regulations. How do you securely delete exactly the information that is no longer needed?

February 5, 2025

 
For many organizations, it is easy to store large amounts of data. But there is a downside to large-scale information storage. You can't see the forest for the trees, and privacy and security risks also arise. It is therefore important to delete any information that is no longer needed - responsibly and securely.
 

Three reasons to get serious about data removal

Information disposal is an important part of information security. For example, ISO 27001 describes data deletion as a preventive management measure. It involves the organization deleting data that is stored in systems and devices but is no longer needed.
 
Even for organizations not pursuing ISO certification, there are good reasons to work on data removal.
 
  • An important goal of information removal is to reduce the risk of unwanted disclosure of sensitive information. You want to prevent (sensitive) data from ending up in the hands of unauthorized individuals such as cybercriminals.
  • In addition, organizations face legal obligations around data storage, such as contractual agreements and the requirements of laws and regulations. For example, the General Data Protection Regulation (the AVG, as the GDPR is known in the Netherlands) requires organizations to securely delete personal data once it is no longer relevant.
  • Further, improper removal of information can itself lead to a data breach, with all the consequences that entails, such as a fine from the regulator and reputational damage.

Five techniques for securely erasing information

The safe disposal of information means that the deleted data cannot be reconstructed, read or recovered. This is important for digital information, but also for information that is on paper.
 
Common techniques for securely erasing digital information:
  • Data overwriting: the data are overwritten with other information so that the original becomes partially or completely unreadable.
  • Degaussing: information stored on magnetic media such as hard drives is erased by exposing the media to strong magnetic fields.
  • Cryptographic deletion: encrypted information is rendered unusable by destroying the encryption keys.

Common techniques for securely disposing of information on paper:
  • Shredding: paper documents are shredded beyond repair.
  • Incineration: paper documents are burned completely.
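Cryptographic deletion from the list above, worked through as an added example that is not part of the original article: each record is encrypted under its own AES-256-GCM key that is kept apart from the data, and "deleting" the record means destroying that key, after which every stored copy of the ciphertext (backups included) is unreadable. The in-memory maps, the record ids and the plaintext are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Constructed in-memory stand-in for a database table plus a separate key vault.
var keys = map[string][]byte{}    // id -> per-record AES-256 key
var records = map[string][]byte{} // id -> nonce || ciphertext

// must turns failures that cannot happen here (bad key size, no entropy) into panics.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Put encrypts plaintext under a fresh random key; id is bound as associated data.
func Put(id string, plaintext []byte) {
	key, nonce := make([]byte, 32), make([]byte, 12)
	must(rand.Read(key))
	must(rand.Read(nonce))
	aead := must(cipher.NewGCM(must(aes.NewCipher(key))))
	keys[id] = key
	records[id] = aead.Seal(nonce, nonce, plaintext, []byte(id))
}

// Get decrypts a record; it fails once the key is gone, although the ciphertext is still stored.
func Get(id string) ([]byte, error) {
	key, ok := keys[id]
	if rec := records[id]; ok && len(rec) >= 12 {
		return must(cipher.NewGCM(must(aes.NewCipher(key)))).Open(nil, rec[:12], rec[12:], []byte(id))
	}
	return nil, errors.New("key missing: record is cryptographically deleted")
}

// Shred is the cryptographic deletion step: zero and drop the key; the stored ciphertext and any backup of it are unreadable from now on.
func Shred(id string) {
	if key, ok := keys[id]; ok {
		for i := range key {
			key[i] = 0
		}
		delete(keys, id)
	}
}
```

Note that the ciphertext is deliberately left in place after Shred: the control being audited is key destruction, and a deletion log should record that event rather than the removal of the encrypted bytes.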

Five best practices

ISO 27001 requires (in measure A.8.10) that organizations take measures to control and record how information is disposed of.
 
From practical experience with ISO 27001, best practices can be derived that are relevant to every organization that takes privacy and security seriously:
 
  • Create policies and procedures about information disposal. Consider topics such as: when data should be deleted; what techniques are used to delete information (digital and print); who is responsible for data deletion; and how practices are documented and monitored.

  • Use reliable techniques to erase information. When transferring information, choose certified software. Use strict procedures to erase data from devices such as hard drives. Select a certified service provider to have paper documents and unused hardware destroyed.

  • Pay attention to obsolete hardware. Storage media, such as hard drives, USB sticks and tapes, should be securely destroyed when no longer in use. Shredding, for example, is an option for the complete destruction of a hard drive.

  • Control the disposal of information. It is important to document and monitor the work processes for the removal and destruction of information. This is possible through, for example, logging of data deletion, periodic audits of established procedures, and checks on the accuracy and completeness with which information is deleted.

  • Ensure employee awareness. Employees play a key role in the proper handling of data deletion. Therefore, educate employees on why information should be deleted and what they themselves can do about it. Practical advice might include regularly cleaning out the mailbox, periodically emptying the digital recycle bin, and always shredding paper documents.
