Posted on

GDPR in the Data Centre – Secure data destruction

In the year since the EU General Data Protection Regulation (GDPR) came into effect, what impact has it had on those who operate, manage and use data centres? Has the data centre sector ‘upped its game’ with regards to data protection, privacy and security, or are there still those who are failing to take it seriously and comply with GDPR?

GDPR regulates the protection of natural persons with regard to the processing of personal data and on the free movement of such data within the EU and EEA. Even a post Brexit Britain is going to have to follow the GDPR if we want anybody to talk to us.

In our experience we’ve seen GDPR, PCI-DSS, ISO 27001 and EN 50600 all invoked in terms of the physical security of data centres and in our auditing work I would have to say this is rarely a problem.

One management area that we do look at, and often find shortcomings, is maintaining an audit trail for the secure destruction of data. Data can be held on paper, in which case it must be securely shredded and records kept of that destruction process.

By far the biggest store of data is of course going to be electronic and in the form of hard disks.  Most data centre users and managers now accept that you can’t just press delete and then sell off the old servers and disk drives.

Drives can be mechanically shredded, electronically shredded by overwriting the disk many times, wiping the disk in a large magnetic field, (degaussing) which isn’t going to work for solid state memories, encrypting the data so securely that wiping isn’t required or simply storing the disks on site forever with the same attitude as nuclear waste disposal.


An organisation can choose to destroy the data itself or use a third party contractor or even the original supplier to do the job. From a management auditing perspective however it is important to have a written process in place to describe what must happen and then an audit trail to record and prove the process.

The ideal would be to walk into a data centre and ask to see the asset register. Pick a storage medium recently marked as scrapped and then ask to see the destruction register that identifies the same part number, method of destruction, person responsible and date.

In our experience this is still an area that need some attention.

You may also be interested in the following whitepapers;

Requirement for data centre auditing for the Finance, Banking and Insurance industries

Data Centre ISO27001 Certification is not enough on it’s own

ISO Standards for data centre management

Related Courses