Data Destruction

According to your needs and device type

Revision-proof deletion and destruction of data media
Hard disk drives - SSDs - Storage systems - End devices
according to existing standards or your specifications

Inventory of hardware by type

Inventory

Classification of data in protection classes 

Categorization

Data erasure or destruction of data carriers

Method selection

On site or off site including certificate

Destruction

We handle the deletion of data carriers and device configurations on site or off site

In the course of hardware recycling, we ensure that the data contained on the devices is deleted. In doing so, we follow recognized guidelines such as NIST800-88 and your internal guidelines.

Inventory

At the latest at the end of the life cycle of a device, the question of secure and regulation-compliant data destruction arises. It is only possible to avoid erasure if the publication of the data does not have any negative impact on the company, the company assets or the persons concerned. We support you with the inventory and categorization of your hardware according to data carrier type.

Classification of data

The classification of the data determines the need for protection and thus basically the handling of the data carriers. Ideally, a guideline (Data Classification Policy) already exists in the company on the basis of which the data is classified by the individual organizational areas or per IT system.

Usually there is a subdivision into three to five protection levels according to the type of data, the possible damage to the company or persons in case of unintentional publication or according to legal regulations (e.g. GDPR, BDSG, E-Health).

Examples of protection level classifications:
+ According to possible damage caused by publication
  • None(public)

No negative effect on the company, company assets or individuals

  • Minor (intern)

Minor negative impact on the company, company assets or individuals

  • Medium (confidential)

Manageable negative impact on the company, company assets or individuals

  • High (strictly confidential

Serious or catastrophic negative impact on the company, company assets or individuals

+ GDPR Protection level concept of the LfD Lower Saxony
  • Protection level A

Personal data that has been made freely accessible by the data subjects.

  • Protection level B

Personal data, the improper handling of which does not indicate any particular negative impact, but which has not been made freely accessible by the persons concerned.

  • Protection level C

Personal data, the improper handling of which could affect the social position or economic circumstances of the data subject ("reputation").

  • Protection level D

Personal data, the improper handling of which could significantly affect the social position or economic circumstances of the data subject ("existence").

  • Protection level E

Personal data whose improper handling could affect the health, life or freedom of the person concerned.

+ GDPR Protection Level Concept Independent Data Protection Centre Saarland
  • Low or minimal need for protection

This includes personal data, the processing of which is not expected to have any particular negative impact on the right of self-determination with regard to information.

  • Medium protection requirement

This includes personal data, the processing of which is likely to have a particular negative impact on the right to self-determination in terms of information, in so far as the data subject's social position or economic circumstances may be affected.

  • High need for protection

Personal data fall into the category of high protection requirements if their processing is likely to significantly affect the right to informational self-determination to the extent that the data subject's social position or economic circumstances may be significantly affected or the data require a higher level of protection than level one due to their particular sensitivity or context of use.

  • Very high need for protection

This includes personal data whose processing is likely to pose a very high risk to the right to informational self-determination insofar as there is a danger to life or the personal freedom of the person concerned.

+ Official security classifications
  • VS-OFFICIAL USE ONLY

If such information may be disadvantageous to the interests of the Federal Republic of Germany or one of its countries

  • VS-CONFIDENTIAL

If such information could be harmful to the interests of the Federal Republic of Germany or one of its countries

  • SECRET

If knowledge by unauthorized persons could endanger the security of the Federal Republic of Germany or one of its countries or cause serious damage to its interests

  • TOP SECRET

If knowledge by unauthorized persons could endanger the existence or vital interests of the Federal Republic of Germany or one of its countries

Method selection

Based on data classification, the correct procedure for data destruction can be selected. Besides the type of data carrier, ecological and economic aspects become relevant.

The guidelines of the American National Institute of Standards and Technology (NIST) are often used as an aid to selecting the appropriate process (http://dx.doi.org/10.6028/NIST.SP.800-88r1). These provide a general overview of the available methods and make recommendations regarding which erasing method should be used depending on the type of device and protection level.

It should be noted that due to the large number of systems available on the market, the NIST guidelines cannot take into account the manufacturer-specific characteristics of the products. Thus, depending on the system, there may be further options for effective data destruction.

On site or off site

In the best case scenario, verified data deletion takes place as part of the decommissioning process using pre-defined procedures, before the data carrier or device leaves the company.

Whether this is done by defined personnel or by a service provider depends on the compliance requirements of the company and the sensitivity of the data.