The 4 Steps for Compliant Data Destruction

Complying with data privacy legislation requires four basic steps. The first and most important step is retaining possession of the media until the data has been securely removed or destroyed. Steps 2 through 4 are properly inventorying the media by serial number, destroying the media, and obtaining a Certificate of Destruction from your vendor.

Step #1: On-site so you can Witness and Verify.

Hard drives, SSDs and/or backup tapes are moved from your data center to our shredding truck for processing. This practice allows you to witness and verify that drives have been recorded and truly destroyed.

Step #2: Inventory Media for Documentation

Hard drives pulled from servers, storage arrays and computers are staged into our scanning area.  Once collected, drives are scanned and inventoried for a detailed Certificate of Destruction report.

NIST 800-88 requirements go a step beyond capturing the hard drive serial number.  Compliance with NIST requires linking the hard drive to the associated computer.  See details below in the Certificate of Destruction Report.

Step #3: Physically Destroy Drives

Hard drives are then destroyed at a rate of 1,000 PC drives per hour. Physically destroying hard drives satisfies NIST 800-88 as well as data privacy laws such as HIPAA.

Step #4: Certificate of Destruction

Our Certificate of Destruction details the quantity and type of digital media destroyed, the serial numbers, the location, and the company personnel who witnessed the process.

A NIST 800-88 Certificate of Destruction report requires, among other details, a link between the hard drive being destroyed and the computer in which it resided. This information includes the make and model of the hard drive as well as of the source computer.

[Figure: NIST 800-88 reporting requirement for digital media destruction]

Data Destruction Process Summary

In summary, a secure data destruction process should follow the four steps above. The key point is that your data destruction vendor allows you to witness and verify that your hard drives have truly been destroyed. The unbroken chain of custody should give your company confidence that confidential information will not be compromised.