Data Security April 28, 2025 6 min read

Why Data Destruction is Critical for Your Business

Every year, businesses in India unknowingly expose sensitive data by disposing of old computers without proper data destruction. Here's what the risks actually are — and what to do instead.

When a business upgrades its computers, the old machines typically get sold to a recycler, donated, or discarded. What most IT managers don't consider: the data on those drives doesn't go away when you delete files or even format the drive.

With free recovery tools like Recuva or TestDisk, anyone can retrieve "deleted" files from a drive in minutes. If that drive contains employee records, customer data, financial information or trade secrets — you have a serious problem.

Real scenario: A 2022 study by Blancco found that 42% of secondhand storage devices purchased on the open market still contained recoverable data from previous owners — including personally identifiable information, corporate emails and login credentials.

What Data Survives "Deletion"?

When you delete a file or even format a drive, the operating system only removes the file's index entry. The actual data blocks remain on the disk until physically overwritten. This means:

  • Employee records, payroll data, HR documents
  • Customer databases (names, contacts, purchase history)
  • Financial records, tax data, audit files
  • Emails and internal communications
  • Passwords, encryption keys, authentication tokens
  • Trade secrets, R&D data, client contracts

All of this can be recovered from a "wiped" or "formatted" drive using freely available software.

Legal Obligations Under Indian Law

Indian businesses handling personal data are subject to two key frameworks:

IT Act, 2000 (Section 43A & 72A)

The IT Act penalizes companies that negligently handle "sensitive personal data" (SPDI). Liability can be civil (compensation to affected persons) and criminal (up to 3 years imprisonment). Improper disposal of drives containing customer SPDI can trigger liability if that data is subsequently misused.

Digital Personal Data Protection Act, 2023 (DPDP)

India's new DPDP Act explicitly requires data fiduciaries to ensure personal data is erased when no longer needed. Failure to ensure proper erasure — including on decommissioned hardware — can attract penalties of up to ₹250 crore.

GDPR (for businesses handling EU data)

If your business processes any personal data of EU citizens, GDPR applies regardless of where your servers are. GDPR Article 5(1)(e) requires data minimization and erasure. Penalties: up to €20 million or 4% of global annual revenue.

The Right Methods for Data Destruction

1. Certified Software Wiping

Best for: Devices going to resale or redeployment. Standards: DoD 5220.22-M, NIST 800-88 Purge. A Certificate of Wipe is generated per device. The drive can still be used after wiping.

2. Degaussing

Best for: HDDs and LTO tapes only (not SSDs). An industrial degausser applies a 20,000+ Oersted field, destroying all magnetic data. The drive cannot be used after degaussing. Meets NSA/CSS EPL requirements.

3. Physical Shredding

Best for: SSDs, NVMe drives, USB drives, memory cards — any flash storage. Also used when absolute certainty is required for HDDs. Industrial shredder reduces media to <5mm fragments. Certificate of Destruction issued per device.

Rule of thumb: For HDDs going to recycling (not resale), degaussing + shredding is the gold standard. For SSDs, only physical shredding guarantees data is unrecoverable. For devices being resold/donated, certified software wipe with a COD is acceptable.

What a Certificate of Destruction Should Include

  • Company name and address
  • Serial number of each device destroyed
  • Destruction method used
  • Date and location of destruction
  • Weight or quantity of media destroyed
  • Authorized signature and company seal of the recycler

This certificate is your legal proof of compliance — keep it on file for at least 3 years after the disposal event.
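
A certificate is only useful if it can be reconciled against what actually left the building. The Python sketch below is an added example, not code from this article or from any recycler: it checks certificate entries against a decommissioning inventory, using the field list above and the rule of thumb from the previous section. The key names, method labels (`software_wipe`, `degauss`, `shred`, `degauss+shred`) and all sample records are constructed assumptions.

```python
# Added example; field names, method labels and sample records are constructed.
REQUIRED = ("company", "serial", "method", "date", "location", "quantity", "signed_by")
FLASH = {"ssd", "nvme", "usb", "memory_card"}   # media the page sends to the shredder

def method_ok(media, disposition, method):
    """Apply the page's rule of thumb to one device."""
    if "degauss" in method and media in FLASH:
        return False                      # degaussing is for HDDs and LTO tapes only
    if disposition == "resale":
        return method == "software_wipe"  # degaussed or shredded media cannot be reused
    if media in FLASH:
        return method == "shred"          # flash leaving service: shredding only
    return True                           # HDD/tape for recycling: any listed method

def audit(inventory, certificates):
    """Return {serial: [findings]} for every device or entry with a problem."""
    certs = {c.get("serial"): c for c in certificates}
    findings = {}
    for dev in inventory:
        issues = []
        cert = certs.get(dev["serial"])
        if cert is None:
            issues.append("no certificate entry")
        else:
            missing = [f for f in REQUIRED if not cert.get(f)]
            if missing:
                issues.append("missing: " + ", ".join(missing))
            method = cert.get("method")
            if method and not method_ok(dev["media"], dev["disposition"], method):
                issues.append(f"{method} not suitable for {dev['media']}/{dev['disposition']}")
        if issues:
            findings[dev["serial"]] = issues
    for serial in certs.keys() - {d["serial"] for d in inventory}:
        findings[serial] = ["serial not in inventory"]
    return findings

BASE = {"company": "Example Pvt Ltd", "date": "2025-04-28", "location": "on-site",
        "quantity": 1, "signed_by": "Recycler signatory"}          # constructed values
INVENTORY = [{"serial": "HDD-001", "media": "hdd", "disposition": "recycle"},
             {"serial": "SSD-002", "media": "ssd", "disposition": "recycle"},
             {"serial": "SSD-003", "media": "ssd", "disposition": "resale"},
             {"serial": "HDD-004", "media": "hdd", "disposition": "recycle"}]
CERTS = [dict(BASE, serial="HDD-001", method="degauss+shred"),
         dict(BASE, serial="SSD-002", method="degauss"),
         dict(BASE, serial="SSD-003", method="software_wipe", signed_by=""),
         dict(BASE, serial="USB-999", method="shred")]
if __name__ == "__main__":
    for serial, issues in sorted(audit(INVENTORY, CERTS).items()):
        print(serial, "->", "; ".join(issues))
```

On the sample data this flags a degaussed SSD, an unsigned entry, a drive with no certificate at all, and a certificate serial that matches nothing in the inventory.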

Choosing a Data Destruction Partner

Not all recyclers offer proper data destruction. When evaluating a vendor, verify:

  • CPCB authorization (mandatory for e-waste recyclers in India)
  • Compliance with NIST 800-88 or DoD 5220.22-M standards
  • On-site destruction option (data never leaves your premises)
  • Audit trail: device-level serial number tracking
  • Proper Certificate of Destruction format

Ewaste Kochi is a CPCB-authorized data destruction and e-waste recycler in Kochi. We offer certified wiping, degaussing and physical shredding with a Certificate of Destruction per device. On-site shredding available.
