Educate, Verify and Follow Up
Do not forget to review your contracts with other companies to ensure you are handling data destruction within the terms of those contracts. For example, non-disclosure agreements sometimes contain data destruction terms, and you must comply with those terms.
Educate your people and verify they are complying with your policy. This is particularly important with media that you are not destroying, but instead are reselling or recycling. You should take samplings as appropriate to ensure you maintain the proper levels of destruction. If you are doing the data destruction in-house, you need to verify that your data sanitization and destruction tools and equipment are functioning properly and maintained appropriately.
Document the entire data destruction policy so you will know what media is sanitized and destroyed. Your documentation should allow you to quickly answer the who, what, where, when, why, and how questions.
The last step of an effective data destruction policy is to have a process in place so you can follow up with regularly scheduled testing of your process and media to ensure the effectiveness of your policy.