Last updated on May 12, 2022
Imagine this scenario:
Your business is feeling quite philanthropic lately and decides to donate 50 retired computers to a local charity.
Six months later, you see your company’s name on the front page of the newspaper:
Charity worker finds thousands of records containing sensitive personal information on donated computers. Recovered company data is believed to belong to customers who made purchases at [insert your company’s name here].
You can prevent an episode like this by implementing a data destruction policy.
What is a Data Destruction Policy?
A data destruction policy is a document that outlines how a company will destroy data when it is no longer needed. The policy should include what type of data will be destroyed, how it will be destroyed, and who will be responsible for destroying the data. Having a data destruction policy ensures that retired devices and media have their contents securely removed, destroyed, or overwritten so that it is extremely difficult or impossible to later retrieve data.
A data destruction policy affects:
- Mobile phones: iPhones, Androids, BlackBerries, etc.
- Hard drives and flash memory devices
- CDs, DVDs, Blu-rays, and tape storage media
Why Implement a Data Destruction Policy?
There are many reasons why businesses need a data destruction policy. A data destruction policy ensures that data is destroyed in a secure and confidential manner. A data destruction policy minimizes the chances of a data or privacy breach and the liability your organization could face as a result.
Discarding retired desktop computers and laptops without securely destroying their data means they likely still hold a gold mine of personal information and confidential company data.
Pressing delete and sending files to the recycling bin is simply not good enough. With free, basic software available online, anyone can undelete everything sent to the recycling bin.
Implementing a Data Destruction Policy
When creating a data destruction policy, there are a few things to keep in mind. The policy should be tailored to the specific needs of the business. The policy should be reviewed and updated on a regular basis. And the policy should be communicated to all employees.
There are a few key elements that should be included in a data destruction policy:
- Identify what type of data will be destroyed.
- Outline how the data will be destroyed.
- Identify who will be responsible for destroying the data.
- Include a timetable for destroying the data.
To implement a data destruction policy, all devices and media that are to be retired from an organization’s use should have their contents securely removed, destroyed, or overwritten.
Mobile Phones: iPhones, Androids, BlackBerries, etc.
Mobile phones usually do not have a standardized way to securely delete or remove their data. However, most phones will have a “hard reset” or “cold reset” button which will remove software and restore the handheld device to factory default settings.
After resetting the handheld, check to ensure that no company data remains on the phone before discarding.
Hard Drives and Flash Memory Devices
Whenever retiring old desktop computers or laptops, it is important to securely overwrite data on their hard drives and flash memory devices.
CDs, DVDs, Blu-rays, and tape storage media
All optical and tape media should be physically destroyed when they are no longer necessary.
Implementing a data destruction policy is a must for all organizations.
Have you had success implementing a data destruction policy? If so, please share your thoughts in the comments below.