Data Deletion

Data deletion is the process of permanently removing data so it cannot be recovered. Correct deletion is a legal obligation under GDPR and an important security measure that protects against unauthorised access to obsolete data.

    What is data deletion?

    Data deletion is about more than pressing "delete". When you delete a file on a computer, typically only the reference to the file is removed. The actual data still resides on the disk and can be recovered with recovery tools. Secure data deletion ensures that data is removed permanently and cannot be restored.

    From a compliance perspective, data deletion is closely linked to the principle of storage limitation. GDPR requires that personal data is not stored longer than necessary. The right to be forgotten (Article 17) gives data subjects the right to demand deletion of their data.

    Data deletion interacts with other security measures. Data classification determines which data requires secure deletion. Encryption enables cryptographic erasure. And logging documents that deletion has been carried out correctly.

    Deletion methods

    The choice of deletion method depends on the media type and sensitivity of the data:

    • Overwriting: Data is overwritten with random patterns one or more times. Effective for traditional hard drives (HDD). Standards such as NIST 800-88 describe approved methods.
    • Cryptographic erasure: Data is encrypted and the key is destroyed. The data itself remains on the disk but is unreadable without the key. Particularly effective for SSDs, where overwriting is unreliable.
    • Degaussing: A strong magnetic field destroys data on magnetic media. Renders the medium unusable and is suited for HDDs that are to be discarded.
    • Physical destruction: Shredding, crushing or incineration of media. The most secure method, but also the most expensive and least sustainable.

    For cloud environments, cryptographic erasure is often the only realistic option, as you do not have physical access to the underlying hardware. Verify that your cloud provider has documented deletion processes.
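
    Cryptographic erasure as described above, shown as an added example that is not part of the original page. It assumes one key per data subject; the class and function names are hypothetical, and the cipher is a stand-in built from standard-library HMAC-SHA256 so the block runs without third-party packages (a production system would use a vetted AEAD such as AES-GCM with keys held in a KMS or HSM).

```python
import hashlib
import hmac
import secrets

def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: stdlib stand-in for a vetted AEAD such as AES-GCM."""
    blocks = (_mac(key, nonce + i.to_bytes(8, "big")) for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key, plaintext):
    """Encrypt-then-MAC under subkeys derived from the subject's key."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_mac(key, b"enc"), nonce, len(plaintext))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    return nonce + body + _mac(_mac(key, b"mac"), nonce + body)

def unseal(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _mac(_mac(key, b"mac"), nonce + body)):
        raise ValueError("wrong key or corrupted data")
    stream = _keystream(_mac(key, b"enc"), nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))

class ErasableStore:
    """Ciphertext sits in `blobs` (disk, cloud, backups); keys exist only in `keys`."""
    def __init__(self):
        self.keys, self.blobs = {}, {}

    def put(self, subject, plaintext):
        key = self.keys.setdefault(subject, secrets.token_bytes(32))
        self.blobs.setdefault(subject, []).append(seal(key, plaintext))

    def get(self, subject):
        key = self.keys[subject]  # raises KeyError once the key is destroyed
        return [unseal(key, blob) for blob in self.blobs[subject]]

    def crypto_erase(self, subject):
        """Destroy the only copy of the key; the ciphertext is left where it is."""
        del self.keys[subject]
```

    The erasure is only as complete as the key destruction: every copy of the key, including key backups and exports, has to be destroyed for the ciphertext to stay unreadable.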

    Deletion policy and processes

    A deletion policy defines when and how data is deleted. It should contain:

    • Retention periods: For each data category, how long data is retained. Periods may stem from legal requirements (e.g. bookkeeping legislation), contracts or internal decisions.
    • Deletion processes: Which method is used for which data type. Automated processes reduce the risk of data being overlooked.
    • Allocation of responsibility: Who is responsible for ensuring deletion? The data owner, the IT department or an automated process?
    • Documentation: Logging of deletion actions so the organisation can demonstrate compliance with retention periods.

    Deletion must also cover backups. Data in backups is a challenge, because it is rarely possible to delete individual items from a backup. A pragmatic approach is to let backups expire naturally and ensure that deleted data is not restored during a potential recovery.

    Use monitoring to verify that automated deletion processes run as planned and that data is actually removed from all locations, including caches, logs and replicated databases.
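
    The policy elements above (retention periods, automated deletion, a deletion log, and backups that must not bring deleted data back) can be sketched together; this is an added example, not code from the original page. The retention periods, record layout and function names are assumptions made for the illustration, and the sample records are constructed.

```python
import copy
from datetime import date, timedelta

# Constructed retention periods per data category (assumed values, not from the page).
RETENTION = {"invoice": timedelta(days=5 * 365), "job_application": timedelta(days=180)}

def delete_record(db, log, record_id, today, reason, method="row delete"):
    """Remove one record and log what, when and how. The log holds no personal data."""
    record = db.pop(record_id)
    log.append({"record_id": record_id, "category": record["category"],
                "deleted_on": today.isoformat(), "method": method, "reason": reason})

def retention_sweep(db, log, today):
    """Delete every record older than the retention period of its category."""
    expired = [rid for rid, rec in db.items()
               if today - rec["created"] > RETENTION[rec["category"]]]
    for rid in expired:
        delete_record(db, log, rid, today, reason="retention period expired")
    return expired

def restore_from_backup(backup, log):
    """Restore a backup, then replay the deletion log so deleted data stays deleted."""
    db = copy.deepcopy(backup)
    for entry in log:
        db.pop(entry["record_id"], None)
    return db

def still_present(store, log):
    """Monitoring check: logged deletions that still exist in a store, replica or cache."""
    return sorted({e["record_id"] for e in log if e["record_id"] in store})

def demo():
    today = date(2025, 1, 1)
    db = {  # constructed sample records
        "r1": {"category": "invoice", "created": date(2018, 3, 1)},
        "r2": {"category": "invoice", "created": date(2023, 6, 1)},
        "r3": {"category": "job_application", "created": date(2024, 2, 1)},
        "r4": {"category": "job_application", "created": date(2024, 11, 1)},
    }
    backup = copy.deepcopy(db)  # backup taken before any deletion
    log = []
    expired = retention_sweep(db, log, today)
    delete_record(db, log, "r4", today, reason="erasure request")
    restored = restore_from_backup(backup, log)
    return expired, sorted(db), sorted(restored), still_present(backup, log), log
```

    Running `still_present` against the raw backup lists the records it still contains, which is why the deletion log has to outlive the oldest backup that can be restored.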

    Regulations and standards

    GDPR is the most direct driver for data deletion. Article 5(1)(e) requires storage limitation, and Article 17 gives data subjects the right to erasure. Organisations must be able to demonstrate that they have processes to handle deletion requests within one month.

    ISO 27001 Annex A includes controls for disposal of media (A.7.14) and deletion of information (A.8.10). An ISMS should define deletion procedures as part of technical and organisational measures.

    NIS2 and DORA require secure handling of data throughout the lifecycle, including at deletion. CIS 18 Control 3 specifically addresses data protection, including secure disposal.

    Frequently Asked Questions about Data Deletion

    Is it enough simply to delete a file?

    No. When you delete a file normally, only the reference to it is removed. The data still resides on the disk and can be recovered with recovery tools. Secure deletion requires overwriting the physical sectors or using cryptographic erasure.

    What is the right to be forgotten under GDPR?

    GDPR Article 17 gives data subjects the right to have their personal data deleted when it is no longer necessary for the original purpose, consent is withdrawn, or the processing is unlawful. The organisation must delete data without undue delay.

    How do you document that data has been correctly deleted?

    Use deletion logs that record what was deleted, when and with which method. Automated deletion processes should generate audit logs. For physical destruction of media, you should receive a destruction certificate from the provider.

    What about data in backups?

    Data in backups is a challenge. A pragmatic approach is to let backups expire naturally and ensure that deleted data is not restored during a recovery. Document this approach in your deletion policy.
