Data Destruction Requirements by Industry

Different regulations impose specific requirements on how organizations must handle end-of-life data. Understanding what your industry mandates is the first step toward compliant media sanitization and proper documentation.

HIPAA — Healthcare

The Health Insurance Portability and Accountability Act requires covered entities and business associates to implement safeguards for protected health information (PHI) throughout its lifecycle — including disposal.

Key Requirements

  • §164.310(d)(2)(i) — Disposal: Covered entities must implement policies and procedures to address the final disposition of ePHI and the hardware or electronic media on which it is stored.
  • §164.312(a)(2)(ii) — Encryption: If media was encrypted with FIPS 140-2 validated encryption and the key is destroyed, this may qualify as a valid sanitization method.
  • Documentation: HIPAA does not prescribe a specific destruction method, but requires that the method used renders PHI unreadable, indecipherable, and unable to be reconstructed. Documentation of destruction (certificates) is considered a best practice and is expected during audits.

Penalty risk: HIPAA violations can result in fines from $100 to $50,000 per violation, up to $1.5 million per year per violation category. Improper disposal of PHI is a common finding in OCR investigations.

GDPR — European Union

The General Data Protection Regulation applies to any organization that processes personal data of EU residents, regardless of where the organization is located. Its data minimization and storage limitation principles directly impact media sanitization practices.

Key Requirements

  • Article 5(1)(e) — Storage limitation: Personal data must be kept only for as long as necessary. When no longer needed, it must be erased or anonymized.
  • Article 17 — Right to erasure: Data subjects can request deletion of their personal data. Organizations must be able to demonstrate that data has been irrecoverably erased from all media.
  • Article 5(2) — Accountability: Controllers must demonstrate compliance with GDPR principles. Certificates of destruction serve as evidence of compliant data erasure.
  • Article 28 — Processor obligations: When using a third-party processor (e.g., ITAD vendor), the controller must ensure proper data destruction and obtain documentation.

Penalty risk: GDPR violations can result in fines up to 4% of annual global turnover or €20 million, whichever is higher.

PCI-DSS — Payment Card Industry

The Payment Card Industry Data Security Standard applies to any organization that stores, processes, or transmits cardholder data. It has explicit requirements for media destruction and documentation.

Key Requirements

  • Requirement 9.4.6: Destroy media when it is no longer needed for business or legal reasons. Methods include cross-cut shredding, incineration, pulping, or degaussing.
  • Requirement 9.4.6.1: Maintain logs or records of destroyed media, including the method used and the date. Certificates of destruction fulfill this requirement.
  • Requirement 9.4.7: Electronic media containing cardholder data must be rendered unrecoverable using a secure wipe program, degaussing, or physical destruction.
  • Vendor management: If a third party performs destruction, verify that they are compliant and obtain a certificate of destruction.

Audit note: QSAs (Qualified Security Assessors) will verify media destruction logs and certificates during PCI-DSS assessments. Missing documentation is a common audit finding.

Side-by-Side Comparison

| Requirement | HIPAA | GDPR | PCI-DSS |
|---|---|---|---|
| Certificate required? | Best practice | Required (accountability principle) | Required (Req 9.4.6.1) |
| Specific method mandated? | No — must render PHI unrecoverable | No — must ensure irreversible erasure | Yes — shredding, degaussing, or secure wipe |
| NIST 800-88 referenced? | Commonly recommended by HHS | Not specifically, but accepted | Yes — referenced as acceptable standard |
| Retention period | 6 years | As needed to demonstrate compliance | 1 year minimum |

Best Practices Across All Regulations

  • ✓ Follow NIST 800-88 guidelines as a baseline for all sanitization activities
  • ✓ Generate a certificate of destruction for every batch of media sanitized
  • ✓ Include detailed asset-level information (serial numbers, asset tags, media types)
  • ✓ Maintain certificates for at least 6 years to satisfy the longest retention requirement
  • ✓ Verify third-party destruction vendors and obtain their certificates

Generate Your Data Destruction Certificate

Create a professional, compliance-ready certificate of data destruction in minutes. Upload your asset inventory, fill in the details, and receive a polished PDF.