Data can be permanently erased (overwriting), rendered unreadable (degaussing), or physically destroyed (data destruction).

This document certifies that data destruction has taken place in accordance with all regulations, and is given to you by the data destruction provider. Beware of companies that claim to destroy data but can’t provide certificates of data destruction.

Under GDPR, companies aren’t necessarily responsible for directly destroying data, since they can (and should) entrust this process to a certified third party or IT disposal company. Similarly, the IT department within a company can’t be made responsible for this process. However, businesses have a responsibility to have designated data destruction procedures, and to monitor them even if they’re outsourced.

A data destruction policy is the written outline of the specific steps a business takes to securely destroy data. The policy specifies the procedures taken to destroy paper documents, but also any data contained in electronic or digital devices, such as computers, hard drives, mobile phones, and any other devices that store data.

Digitally held data is usually destroyed by destroying the storage media in which data was held, including all its components. The destruction can take place by crushing or shredding the storage device.

Professional data destruction is not a data breach. Rather the opposite, it’s done to prevent data breaches. However, accidentally or unlawfully destroying personal data constitutes a data breach.

This process involves using data destruction hardware that renders data stored in physical media fully unreadable and irretrievable, guaranteeing full confidentiality.  
 
What is the punishment for breaking the UK Data Protection Act? 
 
Infringing data protection laws in the UK is a serious matter that incurs fines, which are calculated based on a percentage of the infringing company’s total annual turnover, or issued as a specific amount.  
 
There are two types of fines: one for breaking data protection principles and people’s rights, and another for breaking administrative procedures.  
 
Moreover, the sanctioning authority, which in the UK is the Information Commissioner’s Office, can also issue formal reprimands, warnings, as well as temporary and permanent bans on processing data. 
 
What is the maximum fine for a data breach in the UK? 
 
The specific amount of data breach penalties is set on case-by-case basis, but can be as high as £17.5 million or 4% of a company’s annual global revenues, depending on which one is greater.  
 
It should be noted that a UK-based company involved in a data breach that affects EU customers can be fined under EU GDPR law, which sets the maximum fine to €20 million.

Only if this procedure is done by a certified data destruction company that follows best practices. On-site data deletion done by staff (such as deleting files, formatting devices, or emptying the Recycle Bin) doesn’t amount to data destruction and can have legal consequences. 

You’re required to choose destruction methods that ensure with all certainty that data can no longer be recovered. In addition, data must be disposed of in a timely manner, ensuring it’s not stored for longer than necessary.  

Not always. In computers and laptops, the hard drive only accounts for one storage location. Many newer computers are equipped a hard drive (HDD), and with an SSD (Solid State Drive), where data is also stored. Moreover, data can remain in the computer’s RAM memory under certain conditions, which means it could be harvested by unauthorised third parties. 
 

It depends on where data is stored, but the most common methods used as physical destruction via shredding or crushing storage devices, drive disintegration, overwriting, and magnetic degaussing. 
 

At Wisetek, we choose the most secure data destruction method for each media, ensuring it complies with local and national regulations. This could mean hard drive shredding, SSD disintegration, or other methods in line with the latest industry standards.

Data should be destroyed without undue delay when someone requests that you delete data you hold about them, unless there are compelling reasons to keep the data. Undue delay is generally considered to be 1 month. 
 
In addition, data should be destroyed as soon as possible after it stops being necessary for the purposes for which it was initially collected, processed, and stored. For example, if you gathered customers’ data for a Christmas marketing campaign, data should be deleted after the campaign is over.  

Essentially, data in electronic or digital form only stops existing if it’s destroyed or overwritten. Simply deleting data does not make it irretrievable, since the Delete button only tells the device to free up the block of space taken by a given file. By contrast, expert data destruction ensures that no data can be harvested or retrieved. 
 

A secure data destruction process can use different methods, depending on the device to be destroyed. Data in hard drives can be destroyed through overwriting, degaussing (removing data with a strong magnetic signal), or by physically destroying the hard drive.  
 
Data from solid state drives is best destroyed by physically destroying the drive (e.g. shredding, disintegrating, or crushing it).