Secure Disposal: How to Properly Destroy Hard Drives, Documents, and Hardware

TL;DR
  • Simple deletion or formatting is not enough. Data on hard drives and SSDs must be irretrievably destroyed using appropriate methods.
  • DIN 66399 defines seven security levels and six material classes for the destruction of data carriers. For personal data, at least level 3 is required; for confidential data, level 4 or higher.
  • Paper files do not belong in the recycling bin but in a document shredder or certified destruction service. Security level P-4 is the minimum for confidential documents.
  • Disposal must be documented and verifiable: disposal record, service provider certificate, and proof of data carrier destruction.
  • A disposal concept within the ISMS defines responsibilities, procedures, and timelines for the secure disposal of all information carriers.

Data doesn't die on its own

When a company retires an old laptop, the following often happens: the IT department "deletes" the hard drive by emptying the recycle bin or formatting the drive. The laptop ends up in a box in the basement, where it gathers dust alongside twenty other old devices. Eventually the box is taken to the recycling center or handed off to a "disposal company" whose qualifications no one has verified.

The problem: a simple deletion or format only removes the reference to the data, not the data itself. With freely available software, formatted hard drives can be recovered in minutes. Security researchers regularly find confidential business data, health records, financial information, and personal photos on used hard drives sold at online auctions.

Improper disposal is not a theoretical risk. In 2019, the British Financial Conduct Authority levied a fine of 16.4 million pounds against a bank because customer data was found on improperly disposed hard drives. Similar cases have occurred in Germany, though fines have been lower so far.

Legal foundations

Several laws and standards require you to securely dispose of information carriers:

GDPR (DSGVO): Article 5(1)(f) requires that the integrity and confidentiality of personal data be ensured, in accordance with the deletion concept, including during disposal. Article 17 (Right to Erasure) requires that deleted data be actually and irretrievably destroyed. Article 32 obligates you to implement appropriate technical and organizational measures, which include disposal.

ISO 27001: Control A.7.10 (Storage Media) requires that storage media be securely disposed of when no longer needed. ISO 27002 specifies: media containing confidential information must be physically destroyed or securely erased using an approved method.

BSI IT-Grundschutz: Module OPS.1.2.7 (Sale/Decommissioning of IT) and the measures for data carrier destruction provide detailed requirements for secure disposal.

DIN 66399: The German standard for the destruction of data carriers defines security levels, material classes, and particle sizes. It is the central standard that auditors reference.

DIN 66399: Understanding security levels

DIN 66399 divides destruction into three dimensions: protection classes, security levels, and material classes.

Protection classes

Protection class 1: Normal protection requirements. Internal data whose disclosure would not have significant impact. Example: general correspondence, brochures, catalogs.

Protection class 2: High protection requirements. Confidential data whose disclosure would have significant impact on the organization. Example: personnel data, financial data, contracts, quotes.

Protection class 3: Very high protection requirements. Secret data whose disclosure would have existential consequences. Example: research data, military secrets, witness protection programs.

Security levels (1 through 7)

Each security level defines maximum particle sizes after destruction. The higher the level, the smaller the particles and the more difficult recovery becomes.

Level 1: General data. Paper: strips max 12 mm wide. Hard drive: rendered non-functional.

Level 2: Internal data. Paper: strips max 6 mm wide. Hard drive: damaged.

Level 3: Sensitive data. Paper: particles max 320 mm². Hard drive: deformed.

Level 4: Particularly sensitive data. Paper: particles max 160 mm². Hard drive: particles max 2,000 mm².

Level 5: Data requiring secrecy. Paper: particles max 30 mm². Hard drive: particles max 320 mm².

Level 6: Secret high-security data. Paper: particles max 10 mm². Hard drive: particles max 10 mm².

Level 7: Top-secret data. Paper: particles max 5 mm². Hard drive: particles max 5 mm².

Material classes

DIN 66399 distinguishes six material classes, each defining its own particle sizes:

  • P: Paper, including in document shredders
  • F: Film and microfilm
  • O: Optical data carriers (CDs, DVDs, Blu-rays)
  • T: Magnetic data carriers (hard drives, magnetic tapes)
  • H: Hard drives (magnetic and SSD)
  • E: Electronic data carriers (USB sticks, chip cards, smartphones)

Recommendation for organizations

For most organizations: personal data under GDPR requires at least security level 3, preferably level 4. Confidential business data (contracts, financial records, strategy) requires level 4. Highly sensitive data (research, patents, health records) requires level 5 or higher. Internal documents without special protection requirements can be destroyed at level 2 or 3.

Hard drives and SSDs: Delete, overwrite, or shred?

The secure disposal of hard drives and SSDs deserves special attention because these data carriers contain the largest volume of information and are simultaneously the most frequently improperly disposed of.

Why deletion and formatting aren't enough

When a file is deleted, the operating system only removes the directory entry. The data itself remains on the hard drive until it happens to be overwritten by new data. A quick format only deletes the file system structure. Even a full format does not overwrite all areas of the data carrier. With forensic tools, data from formatted hard drives can often be recovered without difficulty.

Software-based overwriting (for reuse)

If you want to reuse a hard drive, you can overwrite it multiple times with specialized software. Established standards include NIST SP 800-88 (one pass with random data is sufficient for modern hard drives), DoD 5220.22-M (three passes: zero, one, random data), and the Gutmann method (35 passes — unnecessarily complex for modern hard drives).

For conventional magnetic hard drives (HDD), a single overwrite with random data per NIST SP 800-88 is sufficient. The previously recommended multiple overwrites date from a time when hard drive data density was much lower.

Caution with SSDs: Software-based overwriting is problematic for SSDs because SSDs redistribute data internally (wear leveling) and maintain areas inaccessible to the operating system (over-provisioning). A complete overwrite does not necessarily reach all data cells. For SSDs, the manufacturer-specific Secure Erase command (ATA Secure Erase), which is executed by the SSD's own controller, is recommended — or physical destruction.

Physical destruction (final disposal)

When a data carrier will not be reused, physical destruction is the safest method. Options include shredding in a certified data carrier shredder (per DIN 66399), degaussing (demagnetization) for magnetic hard drives (does not work for SSDs), and drilling or punching through the platters for low volumes when no shredder is available (not standard-compliant, but better than nothing).

For most organizations, engaging a certified disposal service provider who performs destruction on-site or at their facility and issues a destruction certificate is recommended.

Paper files and documents

Paper remains one of the most common information carriers. Contracts, personnel files, payroll statements, medical records, meeting minutes, and correspondence contain confidential information that must be protected during disposal.

Office shredders

For the daily destruction of individual documents, a shredder at the workstation or in the hallway is the most practical solution. Pay attention to the right security level: P-3 (particle cut, max 320 mm²) as the absolute minimum, P-4 (max 160 mm²) for confidential documents and personal data, and P-5 (max 30 mm²) for particularly sensitive documents.

Strip-cut shredders (P-1 and P-2) are unsuitable for confidential documents because strips can be reassembled with reasonable effort. Invest in cross-cut devices that shred documents both lengthwise and crosswise.

External document destruction

For larger volumes — for example, when dissolving an archive, clearing an office, or regularly destroying accumulated documents — engaging a certified document destruction service provider is worthwhile. These providers place locked security containers that are regularly collected and destroyed at certified facilities.

When selecting a provider, look for: DIN 66399 certification with stated security level, an unbroken chain of custody (locked containers, GPS-tracked vehicles), security-vetted personnel, a destruction certificate with date, security level, and volume, and the option for on-site destruction (shredder truck) if documents should not leave the premises.

Other hardware: Smartphones, USB sticks, printers

Smartphones and tablets

Smartphones often contain more confidential data than a laptop: emails, contacts, calendars, photos, chat histories, credentials. Before disposal or handover, you must factory-reset the device. For modern smartphones with device encryption (iOS 8+, Android 6+), factory reset is sufficient because the encryption keys are deleted and the remaining data can no longer be decrypted. For older devices without encryption, a factory reset is not enough — only physical destruction helps.

USB sticks and memory cards

USB sticks and SD cards are too small and too cheap to securely overwrite and reuse. The most practical solution is physical destruction: crush with pliers or a hammer, then dispose of as electronic waste. For larger quantities: disposal through a certified service provider.

Printers and multifunction devices

What many forget: modern printers and copiers have built-in hard drives or flash storage that may contain copies of all printed, scanned, and copied documents. Before returning a leased device or disposing of a purchased one, the internal storage must be securely erased. Most manufacturers offer a secure erase function in the service menu. When in doubt, remove the hard drive and destroy it separately.

Magnetic tapes

Magnetic tapes are still used for backup and archiving. They must be degaussed (demagnetized) or physically shredded. Simple overwriting is possible but time-consuming and less reliable than with hard drives.

The disposal process: From decommissioning to verification

A structured disposal process ensures that no device and no document is "forgotten."

Step 1: Identification

When a device or document collection is due for disposal, it is marked as "scheduled for disposal" in the IT asset management system. In ISMS Lite, the disposal process is automatically triggered when an asset is removed from active inventory, including a checklist for secure data deletion and disposal documentation. Record the device type, serial number, previous user, and the type of data stored.

Step 2: Classification

Determine the protection requirements of the stored data and derive the required security level. A laptop from the development department has higher protection requirements than a monitor from the reception area.

Step 3: Data deletion or destruction

Perform data deletion or physical destruction according to the determined security level. For reuse: certified overwriting. For final disposal: physical destruction.

Step 4: Documentation

Create a disposal record for each disposed data carrier containing the device type and serial number, method applied and security level, date of destruction, person or service provider performing the destruction, and for external destruction, the service provider's certificate.

Step 5: Update asset management

Update the IT asset management: the device is marked as "disposed" and removed from active inventory. The disposal documentation is archived.
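
The checks from steps 2 to 4 can be run against every disposal record before an asset is marked as "disposed". The following is an added example, not code from ISMS Lite or from DIN 66399: the method names, field names, data-class names, and sample values are assumptions of this example, while the rules themselves (minimum level per data class, no overwriting of SSDs, factory reset only with device encryption, certificate for external destruction) are the ones stated in this article.

```python
from dataclasses import dataclass

# Minimum DIN 66399 security level per data class (the article's recommendation).
MIN_LEVEL = {"internal": 2, "personal": 3, "confidential": 4, "highly_sensitive": 5}
# Methods the article accepts per carrier; the method names are this example's own.
ALLOWED = {
    "hdd": {"overwrite", "degauss", "physical_destruction"},
    "ssd": {"secure_erase", "physical_destruction"},  # no overwriting, no degaussing
    "usb": {"physical_destruction"},
    "tape": {"degauss", "physical_destruction"},
    "printer": {"secure_erase", "physical_destruction"},
    "smartphone": {"factory_reset", "physical_destruction"},
}
# Step 4: fields every disposal record must carry (field names are assumptions).
REQUIRED = ("device_type", "serial_number", "method", "security_level",
            "date", "performed_by")

@dataclass
class Asset:
    device_type: str
    serial_number: str
    data_class: str          # key of MIN_LEVEL, set in step 2
    reuse: bool = False      # True: the carrier goes back into service
    encrypted: bool = False  # device encryption enabled (smartphones)

def check_record(asset, record):
    """Return the findings that block marking the asset as 'disposed'."""
    findings = [f"missing field: {f}" for f in REQUIRED if record.get(f) is None]
    method, level = record.get("method"), record.get("security_level")
    if method and method not in ALLOWED[asset.device_type]:
        findings.append(f"{method} is not accepted for {asset.device_type}")
    if asset.reuse and method in ("degauss", "physical_destruction"):
        findings.append("destructive method recorded for a carrier marked for reuse")
    if method == "factory_reset" and not asset.encrypted:
        findings.append("factory reset without device encryption")
    if level is not None and level < MIN_LEVEL[asset.data_class]:
        findings.append(f"security level below required {MIN_LEVEL[asset.data_class]}")
    if record.get("external_provider") and not record.get("certificate"):
        findings.append("external destruction without provider certificate")
    if record.get("serial_number") not in (None, asset.serial_number):
        findings.append("serial number does not match the asset")
    return findings

# Constructed sample: an SSD holding confidential data, overwritten like an HDD.
SSD = Asset("ssd", "SN-EXAMPLE-001", "confidential")
BAD = {"device_type": "ssd", "serial_number": "SN-EXAMPLE-001",
       "method": "overwrite", "security_level": 3,
       "date": "2024-01-15", "performed_by": "IT operations"}
print(check_record(SSD, BAD))
```

An empty list means the record is complete and the method and level fit the carrier and its data class; any finding should keep the asset in the "scheduled for disposal" state.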

Common disposal mistakes

Hoarding old devices instead of disposing of them: In many companies, closets and basements are full of old laptops, hard drives, and smartphones that nobody wants to dispose of because "you never know." These devices are an uncontrolled risk. Define a maximum storage time for decommissioned devices (e.g., three months) and enforce it consistently.

Recycling bin instead of shredder: Confidential documents in the recycling bin constitute a data protection violation. Ensure that every office area has a document shredder or a locked container for confidential documents.

Disposal without verification: Without a destruction certificate, you cannot prove that data was properly destroyed. In an audit or data protection incident, this is a significant problem.

Service provider not verified: Not every "disposal company" operates per DIN 66399. Verify the certification, visit the facility, and audit the process chain.

Treating SSDs like HDDs: Software-based overwriting is not reliable for SSDs. Use Secure Erase or physical destruction.

Forgetting printers: The hard drive storage in printers and copiers is almost always forgotten during disposal. Include printers in your disposal process.

Disposal concept in the ISMS

Your ISMS should contain a disposal concept that covers the following points:

Scope: Which information carriers are covered (paper, hard drives, SSDs, USB sticks, smartphones, optical media, magnetic tapes, printers)?

Responsibilities: Who decides on disposal? Who carries it out? Who monitors?

Procedure per data carrier type: Which method is applied for which data carrier at which protection level?

Security levels: Which security levels apply to which data classes?

Service providers: Which external service providers are approved? What requirements must they meet?

Documentation: What records are created and how long are they retained?

Monitoring: How is compliance with the disposal concept verified?

Integrate the disposal concept into your IT asset management so the disposal process is automatically triggered when an asset is removed from active inventory. This prevents devices from disappearing into the gray zone between use and disposal.
