Skip to main content

Why is Data Sanitization a Must-Have for Your Organization?

Why is Data Sanitization a Must-Have for Your Organization?


Why is Data Sanitization a Must-Have for Your Organization?

October 2nd, 2023

In this tech-dominated environment generating an ever-increasing amount of information, organizations must properly address data from its creation to its destruction.
Although often forgotten, this last step is crucial in achieving data security and avoid the enterprises’ worst nightmare: a data breach! This article will explain what data sanitization is, how and when it should be performed and the associated good practices that must be implemented.

What is data sanitization?

Firstly, what is the definition of data sanitization and its potential implications? According to the International Data Sanitization Consortium (IDSC), it is “deliberately, permanently, and irreversibly removing or destroying the data stored on a memory device to make it unrecoverable. A device that has been sanitized has no usable residual data, and even with the assistance of advanced forensic tools, the data will not ever be recovered.” A twofold approach must be adopted: data sanitization should be considered throughout the asset lifecycle management and the information lifecycle management processes. To summarize, both the device and the data it contains must be addressed to achieve complete data sanitization.

Be careful though! It is a common mistake to think that the data is removed from a device whilst in fact some parts of the data can easily be recovered. This can result in data misuse, data losses, and/or data hacking, which can have serious consequences for data subjects and the liable company or organization.

What are the appropriate methods?

A case-by-case analysis should be performed considering the information confidentiality and the media type to determine the appropriate method(s) to achieve data sanitization. In that respect, the National Institute of Standards and Technology (NIST)’s Guidelines for Media Sanitization provides a decision flowchart as well as specific requirements to help organizations properly sanitize different types of media or devices. Three categories of sanitization have been identified by the NIST, but different aspects must be examined to select the most suitable one:



This process involves logical techniques that renders the data unrecoverable in all user-addressable storage locations, either by overwriting or by resetting the device to the manufacturing state. As this method is intended to protect against simple non-invasive data recovery techniques, it should not be used for sensitive data.


Physical or logical techniques that use state-of-the-art laboratory procedures to render data recovery infeasible such as cryptographic erasure (sanitizing the cryptographic keys used to encrypt the data, preventing read-access) and degaussing (using degaussers to demagnetize or neutralize the magnetic field used for data storage). Depending on the cost of the device, its potential reuse, or the difficulties to physically destroy some types of media, purge may be a more appropriate approach than destroy. However, it can be applied only if it has been verified that the device did not contain sensitive data before encryption.


Media destruction (e.g. shredding, disintegration, pulverization and incineration) precludes data recovery and further use of the media for storage of data. This method is costly and harmful to the environment as it shortens the lifespan of the device. Therefore, it should be adopted only when the device is irreparable or obsolete and was used to store very sensitive information or when it is not possible to remove data through digital means.

When should data sanitization be performed? 

Several situations may necessitate data sanitization:

  • during employee onboarding or departures;
  • on customer demand;
  • when equipment reaches the end of its lifespan;
  • in the context of data migration and cloud management or exit;
  • when data reaches the end of its lifespan or at the end of the retention period.

What are good practices that your organization should implement?

Several key practices can help pave the way for effective data sanitization. Firstly, it is important to organize this process efficiently in your organization: plan it from the start, have a standardized procedure and apply it to all data storage devices across the entire lifecycle of data. Secondly, special consideration should be given to the verification stage – not only after each sanitization action, but also on a representative sample of the stored sanitized medium kept for future use. Finally, all the operations carried out must be properly documented with full audit trails and supported by a certificate. With that in place, the company will be able to ensure the safe deletion of data.

The Bottom Line

Proper data sanitization procedures are a must-have for all organizations. This is necessary to comply with current data protection legislations, including Article 17 of the GDPR that gives data subjects the right to erasure. The reputation of the organization is at stake because, without a thorough framework in place, it is open to attacks and compliance failures. To top it off, the correct destruction of stored data will reduce IT costs as well as the risks of data breaches!

Marilyn Cloquette

Data Protection Manager Associate

Graham Southgate

DPO and Service Quality & Improvement Lead

We are supporting our clients in this sanitization process. If you are interested, feel free to reach out our team for support

Contact us