How exactly is a hard drive shredded?

Throwing a written-off hard drive in the bin is not destruction. It is a data breach with a time lock. Software wiping helps sometimes, but for drives leaving the organisation, physical destruction is the only route an auditor accepts without discussion. So what exactly happens in such a shredder? In this article we walk through the whole process, from intake to certificate.

Why ‘wiping’ is not always enough

Software wiping, even to NIST 800-88, requires the drive to be functional and to execute the command. Faulty drives, drives with bad sectors or memory chips that no longer respond cannot be reliably overwritten. Moreover, the legal distinction between wiping and destruction matters, because the GDPR requires ‘appropriate technical measures’ and for retired hardware those typically sit on the physical side of the spectrum.

The shredding process step by step

1. Intake and registration. Each drive is scanned by serial number or asset tag and added to the inventory list. That is the start of the chain of custody.
2. Preparation. Drives are taken out of any caddies or laptop frames. For SSDs the housing is usually opened so the NAND chips enter the feed visible.
3. Feed into the shredder. The drive goes onto a conveyor belt towards the cutting chamber. Industrial HDD shredders run on heavy counter-rotating shafts with hardened blades.
4. Cutting. The blades rip open the housing, break the platters into pieces and shred them into particles. The magnetic coating bursts into fragments from which even a specialist lab can recover no coherent traces.
5. Output and weighing. The residue falls into a sealed container. The certificate is drawn up by weight or by unit count.

Which particle size is safe?

The DIN 66399 standard has its own H scale for hard drives. For business data with privacy sensitivity you typically end up at H-4 or H-5:

• H-3: particles up to 320 mm². Suitable for general business data without special categories of personal data.
• H-4: particles up to 30 mm². Level for customer administration, HR data and financial data.
• H-5: particles up to 5 mm². For special categories of personal data, medical files and confidentiality-professional domains.
• H-6 / H-7: 0.5 and 0.2 mm². Defence and intelligence level. In practice rarely required for commercial customers.

Rule of thumb: H-4 is enough for most SMEs. H-5 if you work with medical, legal or financially sensitive data.

SSDs need a different blade

An SSD contains no platters but NAND chips the size of a postage stamp. An HDD shredder aiming at H-4 for spinning drives can let a whole NAND chip pass undamaged through the output. For flash storage the particle size must therefore be considerably smaller than the chip itself. That is why the E classification of DIN 66399 for electronic components goes below 5 mm. Read our article on SSD destruction for the details.

Mobile or off-site?

We do shredding on site, in the truck. That saves a transport step in which the drives are still out of your sight on the move. Customers with IT asset disposal find mobile attractive because they can visually verify the destruction and sign off the serial-number list there and then. An off-site specialist with greater throughput can come out cheaper for hundreds of drives at once. For smaller batches with audit requirements, mobile is our preference.

What do you get afterwards?

A destruction certificate is not a formality. It is your evidence towards the AP and accountant. It states at minimum: date, location, quantity, serial numbers (where known), method used and the DIN classification. Keep it for at least five years in your processing register. Differences between providers and what distinguishes a good certificate from an empty sticker can be found in our guide on the certificate of destruction.

Not sure which DIN level your organisation needs? Call us or request a quote via desnipperaar.nl. We look at your inventory free of charge and advise a proportionate level.