Secure Data Destruction Under GDPR

By Marcus Ho

September 14, 2020

Even though it’s barely two years since the GDPR came into force, organizations are finding it overwhelming to be 100% in compliance. It is a never-ending challenge, and the easiest way to approach it is to break it down into bite-size chunks. This way, you can make sure that you’re getting each regulation right.

Remember that the most important detail of the GDPR is secure data destruction. There is a lot of confusion about what secure data destruction under GDPR means. Many SMBs have no idea that there are data destruction services they can count on.

Blancco is one such company that ensures all its processes meet regulatory requirements across a multitude of countries. As a data erasure company, we understand just how important information is to any business. We ensure that you’re not at risk of data breaches, as well as regulatory non-compliance. We render the highest level of service and are accountable to every client we work with.

The effectiveness of third-party shredding services cannot be guaranteed, and this margin of doubt puts you at risk of non-compliance. In fact, since you have to completely obliterate data, shredding is out of the question. After a successful data destruction, the information you initially had should cease to exist.

You should find out the official changes your data erasure company has made post-GDPR. The destruction of sensitive data needs to be done through a reliable destruction process; otherwise, you’re better off destroying your data on your own. We have compiled a comprehensive article on everything you need to know about GDPR compliance to make this easy. 

Read on. 

Secure Data Destruction

Only complete destruction guarantees that you’ve securely erased your data. This is the key to being GDPR-compliant. Each time you receive a data erasure request, make sure you wipe or delete any information in full. 

Complete data destruction is designated as the right to be forgotten. As soon as such a request comes in, the company in question should destroy both electronic and physical data. The right to erasure also means that a company should halt any data collection related to the individual in question. 

It’s not in your interest as a business to ignore such requests because this won’t just destroy your customer-to-business relations; it can result in hefty penalties as well. Some of the data you should destroy at the end of its life cycle includes:

  • Invoices
  • Budgeting information
  • Personal details about staff and customers
  • Payroll

Follow these three steps to ensure you’re securely destroying this data.

Step 1 

Put in place the appropriate controls that give data owners permission and full rights over their information.

Companies need to provide all users with the option to erase all personal data. This must be a practical option you implement to stem the flow of new content and delete the old, as soon as you can.

Step 2 

As a business, you’re obligated to ensure your data erasure procedures are secure. Just deleting information via your server or operating system isn’t enough. In fact, even reformatting systems is still no guarantee because such data can easily be reconstructed as long as the physical media is still available.

Step 3 

You need to find proper disposal procedures that work on hardware and not digital forms of content alone. To guarantee that you have a permanent erasure solution, you should consider employing degaussing. This is the use of magnetic tape to render devices unusable and unreadable.

How is Data Destroyed

Since GDPR’s regulation reforms allow data subjects the right to have their information deleted, companies no longer have to keep vast quantities of information in mass storage. A clearly defined data erasure procedure is now a critical component for all organizations. 

Companies need a disposal strategy as expanding storage capacity is no longer a go-to data management solution. Just because technology facilitates storing vast quantities of data, it doesn’t mean this is the route to go; especially as far as GDPR compliance is concerned. 

Businesses should engage in digital transformations that ensure they can clear information when it’s no longer lawful to hold on to such data. 

Businesses should also work on implementing viable data deletion mechanisms that guarantee internal teams and third parties comply with GDPR requirements. This way, customers will be in a better position to take control of their personal data. 

Taking Care of Obsolete IT Equipment

Many businesses are at risk of data breaches because they don’t have the right protocol for disposing of obsolete IT equipment. What’s more, there is often little to no encryption on these devices.

Unprotected sensitive data leaves an organization vulnerable to unauthorized access and improper use of customers’ information. 

You need to use a trusted encryption system to protect sensitive data in your possession. This ensures that any attempt to access different files renders the information therein unusable. 

As a business owner, you should be a guardian of the sensitive information you get from your customers. With today’s bring your own device (BYOD) culture, you need to work harder to control data within your company. After all, prevention is always better than cure. 

Database Secure Records Destruction

The most secure way to destroy records in a database is by overwriting the media with new data. It is a relatively easy procedure because it can be done with software. You can selectively overwrite parts of data in a database to ensure you don’t lose the information you still need. You can also configure the overwriting software to free up space on your storage media. 

Overwriting is a low-cost procedure, and it is adequate for data removal as long as all your data storage locations are addressed. This is an environmentally friendly data removal method that helps you erase all remnants of deleted data.

On the downside, the procedure takes long to complete when you’re dealing with a high capacity drive. Additionally, the procedure might not be able to sanitize data from inaccessible regions, i.e., host-protected areas. Not to mention that there is no security protocol to cover you during these processes. This leaves your data subject to accidental or intentional parameter changes. 

You will need separate licenses for each hard drive you’re overwriting, and this makes the entire process ineffective for companies without a good quality assurance process. 

Another factor you should consider when overwriting your database is that this procedure only works when your storage media is in good working condition. If the database is not writable, you cannot use this procedure to erase your data. 

Media degradation, as well as advanced storage management features, usually render overwriting ineffective. Case in point: RAID lets your written data exist in multiple locations for fault tolerance, which means that when you overwrite, there will still be remnants of data elsewhere.

It is clear that while overwriting is cost-effective, it comes with its challenges. However, this is the best we’ve got at the moment, and if you follow guidelines by the National Institute of Standards and Technology and the Department of Defense, you’ll be alright.
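The point made in Step 2 and in this section, that deleting a record is not the same as overwriting it, can be checked on a small database. The following is an added example, not code from the original article or from any vendor it mentions; it uses SQLite's `secure_delete` pragma and `VACUUM`, and the table, file name and e-mail address are constructed for the demonstration.

```python
import os
import sqlite3
import tempfile

# Constructed sample value; a placeholder address, not real personal data.
MARKER = "erase.me@example.invalid"


def remnant_after_delete(secure_delete: bool, vacuum: bool = False) -> bool:
    """Delete one customer row, then report whether its bytes are still in the file."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "customers.db")
        con = sqlite3.connect(path)
        # Set explicitly: the default depends on how SQLite was compiled.
        con.execute(f"PRAGMA secure_delete = {'ON' if secure_delete else 'OFF'}")
        con.execute(
            "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
        )
        con.executemany(
            "INSERT INTO customers (name, email) VALUES (?, ?)",
            [
                ("Keep One", "keep1@example.invalid"),
                ("Erase Me", MARKER),
                ("Keep Two", "keep2@example.invalid"),
            ],
        )
        con.commit()

        # The erasure request: remove the data subject's row.
        con.execute("DELETE FROM customers WHERE email = ?", (MARKER,))
        con.commit()
        # At the query layer the row is gone in every mode.
        assert con.execute("SELECT count(*) FROM customers").fetchone()[0] == 2

        if vacuum:
            # Rebuild the file from live rows only, dropping freed space.
            con.execute("VACUUM")
        con.close()

        # Inspect the raw file the way a forensic tool would.
        with open(path, "rb") as fh:
            return MARKER.encode() in fh.read()


if __name__ == "__main__":
    print("plain DELETE leaves remnant:      ", remnant_after_delete(False))
    print("secure_delete=ON leaves remnant:  ", remnant_after_delete(True))
    print("DELETE then VACUUM leaves remnant:", remnant_after_delete(False, vacuum=True))
```

This only covers the database file itself. Journals, backups, replicas and the underlying media still have to be addressed separately, which is the "all your data storage locations" condition described above.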


Every business should ensure they’re in compliance with the GDPR. Understanding what these regulations require of you saves you from penalties and data breaches. Make sure you partner with a reliable data erasure company for proper data management and deletion.
