Navigating data erasure regulations poses a challenge for businesses that must decide what older standards still hold weight and how to comply with new ones created for emerging technologies.

David Stegon David is a technology-focused writer with more than 20 years of professional experience. A former reporter, David has written on a wide range of topics. As senior content writer at Blancco, he supports the company’s thought leadership, content marketing, and social media efforts.

Multiple Certifications, Outdated Standards Bring Confusion to Data Erasure 

Fredrik Forslund, Blancco’s vice president and general manager of Blancco International, joined ADISA’s “ITAD in 15” series for a panel titled, “Sanitisation Standards—Are Standards Being Deleted?” where he highlighted the ever-changing regulatory landscape. 

“It all comes down to achieving 100 percent sanitization,” Forslund said of the data erasure process. “We must follow the regulations in place. We also cannot lose sight of our ultimate goal to properly dispose of data.” 

The panel discussion, which featured host Steve Mellings, the founder of ADISA Certification, and James Derrick, risk compliance officer at Blackmore UIT, underscored the confusion many organizations face regarding data erasure standards. Organizations that must manage the personally identifiable information of customers often struggle to identify the proper regulations for their industry and the processes needed to appropriately sanitize data. 

For example, Forslund said it is not uncommon for Blancco customers to mention the need to meet DoD 5220.22-M, the U.S. Department of Defense data erasure standard first created in the mid-1990s, even though this standard is no longer advocated by the DoD. He also said companies would trumpet having NIST 800-88 certification, even though no such certificate exists. (NIST 800-88 provides guidelines for media sanitization but offers no official certification.)  

The Data Erasure Regulatory Environment and New Technologies 

The changing nature of technology creates unique challenges for both companies and regulators. Too often, standards lag technology innovation, which leaves businesses in a grey area about how to erase technology properly. 

For example, hybrid drives have two separate areas of storage: some flash memory (the SSD portion, a fraction of the total capacity) and spinning magnetic platters (as in traditional HDDs). Hybrid drives that have had a successful erasure and verification only show that the HDD drive has been processed. 

“We almost have to translate (these rules) for customers,” Derrick said. “There is a tendency for enterprises to run towards disruptive technologies. But there is often an absence of understanding how to work with them securely. The standards just do not keep up.” 

Mellings added that many users struggle to identify the proper standards. The struggle to follow and ensure following them provides the right level of erasure. “There are organizations that have no means of complying because they are not even aware of the [challenges] that exist.” 

You may be interested in:

How Blancco Helps Organizations Achieve Compliance with NIST SP 800-88

Blancco Eraser for Apple Devices

ADISA Verifies & Certifies Blancco’s SSD & Mobile Erasure Software

[Guide Book] NIST SP 800-88 “Media Sanitization Guidelines” Quick-Start Guide