Securely destroying data: paper, drives and cloud data

Deleting is not the same as destroying, and not all data may simply be thrown away. How to make paper, drives and cloud data truly unreadable, and how legal retention obligations set your timeframe.

Founder & Security Awareness Specialist · 2LRN4

Privacy does not end with storing data; the end of its life matters too. The GDPR requires storage limitation: do not keep data longer than necessary. But the GDPR is not the only law in play. Other laws may instead require you to keep data for a minimum period, sometimes years. Secure destruction therefore starts with two questions: may this be destroyed yet, and if so, how do I make it truly unreadable?

Why deleting is not enough

Dragging a file to the bin does not really remove it: the data often stays on the drive until overwritten and can be recovered with recovery software. The same goes for a quick format of a USB stick.

With paper the risk is even more tangible: a discarded document with customer data in a paper bin is accessible to anyone. Secure destruction therefore calls for a deliberate method per type of medium.

May it be destroyed yet? The GDPR is not the only law that sets the timeframe

The GDPR says: do not keep longer than necessary. But other laws sometimes say the opposite, namely that you must keep certain data for a minimum period. Destroy too early and you breach those laws; keep too long without grounds and you breach the GDPR. It is about the right balance, not about wiping as fast as possible.

Because the GDPR is European but retention rules are national, the exact periods differ per country. Typical categories with a legal retention period include:

  • Tax and accounting records: most countries require business records to be kept for several years (often six to ten).
  • Public-sector archiving: government bodies must keep or dispose of records according to national archiving laws and selection lists.
  • Health records: medical files usually carry a long, legally set retention period.
  • Employment and sector rules: contracts, payroll data and industry-specific requirements each have their own period.

Paper: shred, don't discard

Shred documents with personal data instead of putting them in the regular or even the paper bin. Use a cross-cut shredder, which cuts paper into small confetti rather than long strips.

For larger volumes, a certified secure destruction service is a good choice. It provides proof of destruction, which is handy during an audit.

Drives and devices

Digital media need a method that truly renders the data unreadable:

  • Secure wiping: software that overwrites the drive multiple times so recovery is impossible.
  • Encryption first: an encrypted drive is effectively wiped by destroying the key.
  • Physical destruction: for retired drives; have them shredded or pierced by a certified service.
  • Don't forget peripherals: printers, copiers and phones often retain data unnoticed.
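The difference between deleting and destroying described above ("Why deleting is not enough" and the three digital methods in this list) can be made concrete with a small simulation. This is an added example, not code from the original article or from 2LRN4: a toy block device with a directory table, a toy SHA-256 keystream standing in for real disk encryption, and a constructed sample record; the file name, block size and record are assumptions for the illustration.

```python
import hashlib, secrets

BLOCK_SIZE = 16

class ToyDisk:
    # Fixed-size blocks plus a directory mapping file names to block numbers.
    def __init__(self, n_blocks=8):
        self.blocks = [bytes(BLOCK_SIZE)] * n_blocks
        self.directory = {}  # name -> list of block indexes
        self.next_free = 0   # bump allocator; freed blocks are not reused here

    def write(self, name, data):
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        for chunk in chunks:
            self.blocks[self.next_free] = chunk.ljust(BLOCK_SIZE, b"\0")
            self.next_free += 1
        self.directory[name] = list(range(self.next_free - len(chunks), self.next_free))

    def delete(self, name):
        del self.directory[name]  # ordinary delete / quick format: only the reference goes

    def secure_wipe(self):
        self.blocks = [secrets.token_bytes(BLOCK_SIZE) for _ in self.blocks]  # every block, free or not

    def raw_contains(self, needle):
        return needle in b"".join(self.blocks)  # recovery tools scan raw blocks, not the directory

def keystream_xor(key, data):
    # Toy SHA-256 counter-mode keystream; illustration only, not a real cipher.
    out = bytearray()
    for ctr in range(0, len(data), 32):
        ks = hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[ctr:ctr + 32], ks))
    return bytes(out)

def demo():
    secret = b"customer: Jane Doe, IBAN NL00TEST0123456789"  # constructed sample record
    disk = ToyDisk()
    disk.write("customers.txt", secret)
    disk.delete("customers.txt")
    after_delete = disk.raw_contains(b"Jane Doe")  # True: still on the medium
    disk.secure_wipe()
    after_wipe = disk.raw_contains(b"Jane Doe")    # False: overwritten
    # Encryption first: only ciphertext touches the medium, so destroying the key suffices.
    key = secrets.token_bytes(32)
    enc = ToyDisk()
    enc.write("customers.txt", keystream_xor(key, secret))
    with_key = keystream_xor(key, b"".join(enc.blocks)[:len(secret)]) == secret
    del key  # crypto-erase: the key is gone, the surviving ciphertext is useless
    return after_delete, after_wipe, with_key, enc.raw_contains(b"Jane Doe")
```

`demo()` returns `(True, False, True, False)`: the deleted record is still readable from the raw blocks, the wipe removes it, and on the encrypted disk the plaintext never reached the medium, so destroying the key is what finishes the job.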

Cloud data and backups

In the cloud, "gone" is not always truly gone. Deleted files often land in a bin first and may still sit in backups. Check how long your provider retains deleted data and backups.

Set out in the data processing agreement that the provider permanently deletes data at the end of the contract. Ask for proof of destruction where needed.

How to embed this in your awareness programme

Destruction is behaviour and process; your awareness programme must touch both.

  • Combine a short module with practical aids: a shredder within reach, a hand-in procedure and a visible retention schedule.
  • Make the retention schedule that combines the GDPR and legal retention obligations visible, so people know when something may genuinely go.
  • Build 'secure disposal of devices' into your offboarding and IT processes.
  • Offer depth via our course catalogue.

FAQ

May I always delete data as soon as I no longer need it?

Not always. The GDPR requires keeping data no longer than necessary, but other laws may impose a minimum retention period. Tax and accounting law, public archiving law and health-record rules often require several years. Only destroy once no retention obligation applies any longer.

Which laws determine how long I must keep data?

Besides the GDPR, typically tax and accounting law (often six to ten years), national archiving law for public bodies, health-record legislation and various sector and employment rules. The exact periods are national, so draw up a retention schedule per data type.

Is a file in the bin really deleted?

No. Emptying the bin only removes the reference; the data often stays on the drive until overwritten and can be recovered with recovery software. Use secure wiping or physical destruction for sensitive data.

How do I destroy paper with personal data?

Shred it with a cross-cut shredder instead of putting it in the paper bin. For large volumes, use a certified destruction service that provides proof of destruction.

What do I do with an old work laptop or phone?

Hand it in following your organisation's procedure. The drive must be securely wiped or physically destroyed, and remember SIM and memory cards. A reset alone is not always enough for sensitive data.

Is cloud data really gone after deletion?

Not always immediately. Deleted files often remain in a bin and in backups. Check your provider's retention periods and set out in the processing agreement that data is permanently deleted after the contract.

Next step

Use this article as the foundation and then see how 2LRN4 turns this topic into audience segmentation, training and reporting.