How We Wipe Your Data: Our NIST 800-88 Process

When an organisation retires IT equipment, the data stored on that hardware does not simply disappear. For South African compliance officers and IT managers, improper disposal is a direct liability under the Protection of Personal Information Act 4 of 2013 (POPIA), and the consequences range from enforcement notices to criminal referral.

This article explains the exact sanitisation process we follow at Sell Your PC, how it maps to your POPIA obligations, and what documentation you receive so that you can defend your organisation in the event of a regulatory inquiry. By the end, you will have a clear picture of what a defensible, auditable ITAD process looks like and a checklist for evaluating any vendor you consider.

Note for South Africa:

  • POPIA came into full effect on 1 July 2021. The Information Regulator (INFOREG) is the sole enforcement authority and is actively investigating complaints and issuing enforcement notices.
  • POPIA Section 19 does not mention NIST 800-88 by name. It requires "reasonable technical and organisational measures." Adopting a recognised international standard such as NIST 800-88 is one of the strongest ways to demonstrate that your chosen method meets that test.
  • The Cybercrimes Act 19 of 2020 operates alongside POPIA. Improper disposal that results in data exposure can engage both statutes, creating layered liability.

At a glance:

  • POPIA Section 19 requires reasonable technical measures throughout the data lifecycle, including at disposal.
  • NIST SP 800-88 Rev. 1 defines three sanitisation categories: Clear, Purge, and Destroy, each suited to different media types and data sensitivity levels.
  • Every asset we process is individually logged, classified, sanitised, verified, and covered by a Certificate of Destruction that names the method used and the serial number of the drive.
  • A signed data processing agreement between your organisation and any ITAD vendor is a POPIA requirement, not optional.

Key takeaways:

  • Software overwrite alone is not sufficient for SSDs and NVMe drives. Purge-level methods are required.
  • A Certificate of Destruction is only useful for audit purposes if it contains specific, verifiable information per asset.
  • When evaluating any ITAD vendor, ask for their written sanitisation policy, chain of custody records, and evidence of staff vetting before you sign anything.

Why POPIA Makes Data Sanitisation a Legal Obligation

What POPIA Section 19 Requires From Your Organisation

POPIA Section 19 requires every responsible party to take appropriate, reasonable technical and organisational measures to prevent the loss of, damage to, or unauthorised destruction of personal information. This obligation applies across the full data lifecycle, including at the point of disposal. The standard is not perfection. It is demonstrable reasonableness.

The practical implication is this: if a decommissioned laptop leaves your premises with recoverable personal data on its hard drive, your organisation has failed its Section 19 obligations regardless of whether a breach is subsequently discovered. The burden of proof lies with you. Adopting a named, auditable sanitisation standard is how you carry that burden.

Compliance officers should also note that POPIA Section 19 reasonable measures are interpreted in light of the sensitivity of the information concerned, the likely harm of non-compliance, and the size and resources of the organisation. A financial services firm handling client account data is held to a higher standard than a small business with minimal personal data.

How Third-Party Disposal Creates Shared Accountability

When you engage an external vendor to handle disposal, that vendor becomes an "operator" under POPIA. Sections 20 and 21 place specific obligations on the relationship. Section 21 requires your organisation, as the responsible party, to ensure that the operator processes personal information only with your knowledge or authorisation and maintains equivalent confidentiality and security standards.

This means a verbal arrangement is not compliant. You need a written data processing agreement that specifies the sanitisation method, the documentation you will receive, and the escalation process if something goes wrong. Without this agreement, your organisation retains full liability for whatever happens to that data after it leaves your building.

  • Confirm the vendor has a written sanitisation policy aligned to a named standard.
  • Ensure a data processing agreement is signed before any assets are collected.
  • Specify in the agreement exactly what documentation you will receive per asset.
  • Include an escalation clause for sanitisation failures discovered post-disposal.

What NIST 800-88 Is and Why It Is the Benchmark

NIST Special Publication 800-88 Revision 1 is a guideline published by the US National Institute of Standards and Technology. It is not a South African standard and POPIA does not mandate it. However, it is the most widely adopted, technically specific, and internationally recognised framework for media sanitisation, and it is for precisely this reason that it provides a credible, auditable basis for satisfying POPIA Section 19.

Organisations operating within an ISO 27001 framework may also reference the ISO/IEC 27040 storage security standard, which addresses sanitisation as part of secure storage lifecycle management and aligns broadly with NIST 800-88 categories. The South African Bureau of Standards has adopted ISO 27001 as SANS 27001, so organisations already working toward SANS certification will find these standards complementary rather than competing.

The Three Core Methods – Clear, Purge, and Destroy

NIST 800-88 organises sanitisation into three categories. The appropriate category depends on the sensitivity of the data and the type of media involved.

Category | What it means | Typical use case
Clear | Logical overwrite using standard read/write commands. Protects against simple recovery tools. | Low-sensitivity data on media being reused internally.
Purge | Techniques that defeat laboratory recovery. Includes Cryptographic Erase and ATA Secure Erase. | Moderate to high-sensitivity data. Required for SSDs, NVMe, and flash storage.
Destroy | Physical destruction: shredding, disintegration, or incineration. Media cannot be reused. | Damaged drives, drives with failed sanitisation, or highest-sensitivity data.

How NIST 800-88 Maps to Modern Storage Media

The distinction between Clear and Purge is particularly important for modern storage media. For traditional magnetic hard drives (HDDs), a verified overwrite can constitute a Clear-level sanitisation. For SSDs, NVMe drives, and flash-based storage, overwriting alone is not sufficient. Flash memory architecture uses wear-levelling algorithms that distribute writes across cells, meaning a standard overwrite does not guarantee that all data-bearing cells have been addressed.

For these media types, NIST 800-88 recommends Purge-level methods such as Cryptographic Erase, where the encryption key is destroyed, rendering the data unreadable, or manufacturer-specific Secure Erase commands, where the drive’s firmware executes the sanitisation at the hardware level. This is not a technicality. It is the difference between data that is recoverable in a forensics lab and data that is not.

  • HDD (magnetic): Verified overwrite can satisfy Clear. Purge is recommended for sensitive data.
  • SSD / NVMe: Cryptographic Erase or hardware-level Secure Erase required for Purge compliance.
  • Flash / USB / SD: Purge or Destroy is recommended. Overwrite alone is unreliable.
  • Optical media: Destroy is the only reliable method.
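The media-to-category mapping listed above, encoded as an added example (this is illustration code, not Sell Your PC's own tooling). The Media and Category enums, the Decision record and the health/encryption flags are assumptions of this example; the split of removable flash into Purge for low and moderate sensitivity and Destroy for high sensitivity is this example's reading of "Purge or Destroy is recommended", and the fail-secure branches (damaged drive, failed encryption module) come from the article's own rules.

```python
from dataclasses import dataclass
from enum import Enum


class Media(Enum):
    HDD = "hdd"          # magnetic hard drive
    SSD = "ssd"
    NVME = "nvme"
    FLASH = "flash"      # USB sticks, SD cards
    OPTICAL = "optical"  # CDs, DVDs


class Category(Enum):
    CLEAR = "Clear"
    PURGE = "Purge"
    DESTROY = "Destroy"


SENSITIVITY_LEVELS = ("low", "moderate", "high")


@dataclass(frozen=True)
class Decision:
    category: Category
    method: str     # concrete technique that satisfies the category
    rationale: str  # recorded against the serial number in the processing log


def select_method(media: Media, sensitivity: str, healthy: bool = True,
                  self_encrypting: bool = False,
                  encryption_module_ok: bool = True) -> Decision:
    """Route one drive to Clear, Purge or Destroy.

    Follows the media mapping in the article; routing removable flash to
    Purge (low/moderate) or Destroy (high) is this example's assumption.
    """
    if sensitivity not in SENSITIVITY_LEVELS:
        raise ValueError(f"unknown sensitivity level: {sensitivity!r}")

    # Fail-secure branches first: anything that cannot complete a
    # software-based method is destroyed, whatever the media type.
    if not healthy:
        return Decision(Category.DESTROY, "shred",
                        "drive is damaged or unresponsive")
    if self_encrypting and not encryption_module_ok:
        return Decision(Category.DESTROY, "shred",
                        "hardware encryption module failed; Cryptographic Erase unavailable")
    if media is Media.OPTICAL:
        return Decision(Category.DESTROY, "shred",
                        "optical media: Destroy is the only reliable method")

    if media in (Media.SSD, Media.NVME):
        # Overwrite is never enough here: wear-levelling leaves cells unaddressed.
        method = ("Cryptographic Erase" if self_encrypting
                  else "firmware Secure Erase (ATA/NVMe)")
        return Decision(Category.PURGE, method,
                        "flash architecture; Purge required regardless of sensitivity")

    if media is Media.FLASH:
        if sensitivity == "high":
            return Decision(Category.DESTROY, "shred",
                            "removable flash holding high-sensitivity data")
        return Decision(Category.PURGE, "manufacturer Purge command",
                        "overwrite alone is unreliable on flash")

    # Magnetic HDD: a verified overwrite satisfies Clear for low-sensitivity
    # data; sensitive data is routed to Purge via ATA Secure Erase.
    if sensitivity == "low":
        return Decision(Category.CLEAR, "verified overwrite",
                        "low-sensitivity data on magnetic media")
    return Decision(Category.PURGE, "ATA Secure Erase",
                    "sensitive data on magnetic media")


if __name__ == "__main__":
    # Constructed sample batch, as it might come off the intake log.
    batch = [
        ("SN-HDD-01", Media.HDD, "low", {}),
        ("SN-HDD-02", Media.HDD, "high", {}),
        ("SN-SSD-01", Media.SSD, "moderate", {"self_encrypting": True}),
        ("SN-NVME-1", Media.NVME, "high", {"self_encrypting": True,
                                           "encryption_module_ok": False}),
        ("SN-USB-01", Media.FLASH, "high", {}),
        ("SN-DVD-01", Media.OPTICAL, "low", {}),
        ("SN-HDD-03", Media.HDD, "low", {"healthy": False}),
    ]
    for serial, media, level, flags in batch:
        d = select_method(media, level, **flags)
        print(f"{serial:10} {media.value:8} {level:9} -> "
              f"{d.category.value:8} {d.method} ({d.rationale})")
```

The order of the checks is the point: health and encryption-module state are tested before media type, so a damaged SSD never reaches the Purge branch, and the rationale string is what a technician would record against the serial number at classification.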

Our Step-by-Step NIST 800-88 Sanitisation Process

Asset Intake, Logging, and Chain of Custody

Every asset collected by our team is logged at the point of intake. Each device receives a unique intake reference, and the make, model, and serial number of every storage device is recorded before the asset moves to the processing area. This intake log forms the first link in the chain of custody documentation that accompanies your Certificate of Destruction.

Chain of custody is not an administrative formality. It is the evidence that demonstrates each specific drive was handled by identified personnel at each stage of the process. If INFOREG investigates a complaint related to a disposed asset, the chain of custody record is what connects your organisation’s disposal decision to the verified outcome.

For corporate collections, assets are transported in sealed, tamper-evident packaging and are accompanied by a collection manifest signed by both parties. No asset leaves your premises without a documented handover.

Media Classification and Method Selection

Once assets are logged, each storage device is individually classified. The classification determines the sanitisation method applied. Our technicians assess the media type, the drive’s health status, and the sensitivity category specified in your data processing agreement.

This classification step is where the NIST 800-88 decision framework is applied in practice. A functioning SSD from a finance department machine will be routed to a Purge-level sanitisation workflow. A physically damaged HDD that cannot complete a software-based sanitisation will be flagged for physical destruction. The classification outcome is recorded per asset serial number.

Verification, Validation, and What Happens When a Drive Fails

Sanitisation without verification is incomplete. After each sanitisation pass, a verification process confirms that the method was applied correctly and that no recoverable data remains. The pass or fail result is recorded against the asset’s serial number in the processing log.

If a drive fails verification, it is not released. It is escalated to physical destruction. NIST 800-88 is explicit that drives which cannot be reliably sanitised via software-based methods must be destroyed. This is the only compliant fallback for drives that are damaged, encrypted with an unrecoverable key, or otherwise unable to complete the selected sanitisation method.

  • Verification confirms each sanitisation pass was completed correctly.
  • A failed verification triggers automatic escalation to physical destruction.
  • The destruction outcome is recorded and reflected in your certificate documentation.
  • No failed drive is re-attempted and released. The process is fail-secure.

What Your Certificate of Destruction Covers

A Certificate of Destruction is your primary documentary evidence that POPIA-compliant disposal took place. For it to be useful in an audit or regulatory investigation, it must contain specific information. A generic one-page certificate that states "data was wiped" is not sufficient for a compliance officer to rely on.

The certificate we issue covers each asset individually and includes the asset serial number, the make and model of the device, the sanitisation method applied (mapped to the NIST 800-88 category), the date and time of sanitisation, the operator who performed the process, the verification result, and the disposition outcome (resale, recycling, or physical destruction). This level of detail is what makes the certificate audit-ready.

Keep your certificates in a format that can be produced quickly. If INFOREG opens an investigation or you need to demonstrate compliance to a sector regulator such as the FSCA or HPCSA, the time to find this documentation is not after the inquiry has started.

  • File certificates by asset serial number for rapid retrieval.
  • Retain certificates for the duration of your data retention policy, plus a reasonable buffer.
  • Ensure the certificate references the sanitisation standard by name and version.
  • Confirm the certificate includes a named, identifiable operator, not just a company name.
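The intake-to-certificate steps described above, as an added worked example that is not the vendor's own system: a minimal processing log in Python that records chain-of-custody handovers, applies the fail-secure rule when verification fails, and emits a per-asset certificate record whose fields are then checked for audit readiness. The Asset type, field names, operator identifiers, serial numbers, timestamp and the stubbed verify callable are all constructed for this example; the classification result (category and method) is taken as input, as it would come from the classification step.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable

# Fields the article says an audit-ready certificate must carry per asset.
REQUIRED_CERT_FIELDS = (
    "serial", "make", "model", "method", "nist_category", "standard",
    "sanitised_at", "operator", "verification", "disposition",
)

# Constructed timestamp so the sample run is reproducible.
SAMPLE_AT = datetime(2025, 1, 15, 9, 30, tzinfo=timezone.utc)


@dataclass
class Asset:
    intake_ref: str
    make: str
    model: str
    serial: str
    nist_category: str   # "Clear", "Purge" or "Destroy", set at classification
    method: str          # e.g. "Cryptographic Erase", "ATA Secure Erase", "shred"
    custody: list = field(default_factory=list)


def log_custody(asset: Asset, stage: str, handler: str, at: datetime) -> None:
    """Append one handover to the asset's chain of custody record."""
    asset.custody.append({"stage": stage, "handler": handler, "at": at.isoformat()})


def process_asset(asset: Asset, operator: str,
                  verify: Callable[[Asset], bool], at: datetime) -> dict:
    """Sanitise, verify and, on failure, escalate to Destroy. Returns the
    per-asset certificate record. `verify` stands in for the read-back
    check on the drive; the sample run passes a constructed stub."""
    log_custody(asset, "sanitisation", operator, at)
    if asset.nist_category == "Destroy":
        verification = "n/a (physical destruction)"
        disposition = "physical destruction"
        log_custody(asset, "destruction", operator, at)
    elif verify(asset):
        verification = "pass"
        disposition = "resale or recycling"
    else:
        # Fail-secure: no re-attempt and release. The drive is routed to
        # physical destruction and the escalation is itself recorded.
        verification = "fail; escalated to Destroy"
        asset.nist_category = "Destroy"
        asset.method = "shred"
        disposition = "physical destruction"
        log_custody(asset, "destruction", operator, at)
    return {
        "intake_ref": asset.intake_ref,
        "serial": asset.serial,
        "make": asset.make,
        "model": asset.model,
        "method": asset.method,
        "nist_category": asset.nist_category,
        "standard": "NIST SP 800-88 Rev. 1",
        "sanitised_at": at.isoformat(),
        "operator": operator,
        "verification": verification,
        "disposition": disposition,
        "chain_of_custody": list(asset.custody),
    }


def missing_fields(cert: dict) -> list:
    """Required fields absent or empty in a certificate record. An empty
    result means the record is audit-ready for that one asset."""
    return [f for f in REQUIRED_CERT_FIELDS if not cert.get(f)]


def run_sample() -> dict:
    """Process two constructed assets (an SSD that verifies and an HDD whose
    verification fails) and check a batch-style summary for contrast."""
    ssd = Asset("INT-0001", "ExampleCo", "SSD-480", "SN-SSD-0001",
                "Purge", "Cryptographic Erase")
    hdd = Asset("INT-0002", "ExampleCo", "HDD-1T", "SN-HDD-0002",
                "Clear", "verified overwrite")
    for a in (ssd, hdd):
        log_custody(a, "collection", "driver-07", SAMPLE_AT)
        log_custody(a, "intake", "intake-03", SAMPLE_AT)

    def verify(a: Asset) -> bool:
        # Stubbed read-back: the HDD is found to still hold residual data.
        return a.serial != "SN-HDD-0002"

    certs = [process_asset(a, "tech-12", verify, SAMPLE_AT) for a in (ssd, hdd)]
    # The kind of one-line batch certificate the article says to reject.
    batch_cert = {"method": "data wiped", "disposition": "recycling",
                  "drives_covered": 200}
    return {"certs": certs, "batch_missing": missing_fields(batch_cert)}


if __name__ == "__main__":
    result = run_sample()
    for c in result["certs"]:
        print(c["serial"], c["nist_category"], c["method"], c["verification"],
              "| missing:", missing_fields(c))
    print("batch certificate missing:", result["batch_missing"])
```

Two things are worth noticing in a run: the HDD's record ends up with category Destroy, method "shred" and a "destruction" custody entry after the failed verification, so the certificate tells the auditor what actually happened rather than what was attempted; and the batch summary fails the field check on everything that identifies a specific asset, which is exactly why it cannot evidence compliance for any one drive.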

Physical Destruction – When Wiping Is Not Enough

There are circumstances in which software-based sanitisation is not the appropriate method, regardless of media type. These include drives that are physically damaged or unresponsive, drives where the hardware encryption module has failed, optical media such as DVDs and CDs, and any media where the data sensitivity level requires the highest assurance of non-recoverability.

Physical destruction under NIST 800-88 includes disintegration, shredding, pulverisation, and incineration. The method selected must render the media unreadable and unrecoverable by any means. Our physical destruction process generates photographic evidence and a destruction log that is appended to your certificate documentation. The destroyed media is not resold or repurposed in any form.

It is worth noting that physical destruction is also the correct outcome for drives that fail the verification step. If a drive cannot be confirmed as sanitised, it must be destroyed. There is no third option under a compliant process.

How to Evaluate Any ITAD Vendor Before You Sign

The checklist below is designed as a vendor evaluation tool. Use it when assessing any ITAD provider, including us. If a vendor cannot answer these questions clearly and in writing, that is the answer.

POPIA-Aligned IT Disposal Due Diligence Checklist:

  1. Written sanitisation policy: Does the vendor have a documented policy aligned to a named standard such as NIST 800-88 or ISO/IEC 27040? Ask for the policy document, not a summary.
  2. Chain of custody documentation: Can they provide a complete chain of custody record per asset from collection to final disposition? Is it signed at each handover point?
  3. Certificate of Destruction format: Does the certificate include the asset serial number, sanitisation method, date and time, operator name, and verification result? Is it issued per asset or as a batch summary?
  4. Staff vetting and NDA obligations: Are all staff who handle your assets subject to background checks and bound by confidentiality agreements?
  5. Physical security of the processing facility: Is access to the processing area restricted and logged? Is CCTV in operation? Ask whether an on-site audit is possible.
  6. Professional indemnity insurance: Does the vendor carry professional indemnity insurance that covers a data breach arising from their sanitisation process? Ask for the policy summary.
  7. Audit trail per serial number: Can the vendor produce a processing record for any specific asset by serial number after the job is complete?
  8. Escalation process for sanitisation failure: What is the documented procedure if a sanitisation failure is discovered post-disposal? Is there a defined notification timeline and remediation step?
  9. Data processing agreement: Will the vendor sign a POPIA-compliant data processing agreement before any assets are collected? If not, do not proceed.

Our corporate IT asset disposal service is built to satisfy all of these criteria. If you have questions about any item on this list before engaging us, our team is available to walk you through the specifics.

Common Mistakes in Corporate IT Disposal

  • Treating disposal as an IT task, not a compliance task. Data sanitisation at end-of-life is a POPIA obligation. It belongs in your compliance register, not just your IT decommission checklist.
  • Relying on a single overwrite for SSDs. As noted above, this is not a compliant approach for flash-based media under NIST 800-88. Purge-level methods are required.
  • Accepting a batch certificate with no per-asset detail. A certificate that covers 200 drives without individual serial numbers cannot be used to demonstrate compliance for any specific asset.
  • Skipping the data processing agreement. Handing assets to a vendor without a signed agreement means your organisation bears the full risk if anything goes wrong.
  • Storing certificates in a format that is hard to retrieve. Compliance value is lost if you cannot produce documentation quickly when it is needed.
  • Not including disposal in your PAIA/POPIA information officer’s oversight scope. IT asset disposal should be part of your information governance framework, not siloed in IT operations.

If You Are New to POPIA-Compliant IT Disposal

  • Start by identifying all storage media in your decommission queue. This includes laptops, desktops, servers, external drives, and any device that has held personal information.
  • Review your current disposal process against POPIA Section 19. Ask: can you demonstrate that reasonable technical measures were applied to each asset?
  • Understand the difference between Clear, Purge, and Destroy before engaging any vendor. Know what your data sensitivity level requires.
  • Ensure your information officer is aware of the POPIA operator obligations under Sections 20 and 21 before any vendor agreement is signed.
  • Visit the Information Regulator South Africa website to familiarise yourself with current enforcement guidance and complaint procedures.

If You Have Done Corporate IT Disposal Before

  • Review whether your existing vendor agreements include explicit POPIA data processing clauses. Many agreements pre-dating 2021 do not.
  • Check whether your current certificates of destruction contain per-asset serial number data and a named sanitisation standard. If not, your audit trail has gaps.
  • Confirm whether your SSD and NVMe assets are being handled with Purge-level methods or whether your vendor is applying a simple overwrite and issuing a certificate regardless.
  • Consider whether your disposal process is documented in your organisation’s POPIA compliance framework and whether it has been reviewed since the Act came into full effect.
  • If your organisation is subject to sector-specific oversight (FSCA, HPCSA, or similar), verify whether additional data disposal requirements apply beyond POPIA Section 19.

Frequently asked questions

Does POPIA require us to use NIST 800-88 specifically?

No. POPIA Section 19 requires "reasonable technical and organisational measures" but does not name any specific standard. NIST 800-88 is referenced because it is an internationally recognised, technically detailed benchmark that provides a strong, auditable basis for satisfying the Section 19 test. Using it demonstrates that your chosen method was deliberate, documented, and defensible.

What is the difference between a Certificate of Destruction and a Certificate of Erasure?

A Certificate of Destruction typically covers both software sanitisation and physical destruction outcomes. A Certificate of Erasure is more commonly used to refer specifically to software-based sanitisation results. For compliance purposes, the label matters less than the content. The certificate must include the asset serial number, the method used, the date, the operator, and the verification result to be audit-ready.

Can we request on-site data wiping instead of sending assets to your facility?

Yes. On-site sanitisation is an option for organisations that cannot remove assets from their premises due to security policy or regulatory requirements. The same NIST 800-88 process applies, and the same chain of custody and certificate documentation is produced. Contact us via our contact page to discuss on-site arrangements.

What happens to assets after sanitisation – are they resold?

Depending on the asset condition and your agreement, sanitised assets may be resold through our hardware shop, donated, recycled, or physically destroyed. The disposition outcome is recorded in your certificate documentation. If you require that assets be destroyed rather than resold, this is specified in the data processing agreement before collection.

How long should we retain Certificates of Destruction?

POPIA does not specify a retention period for disposal certificates. As a working principle, retain them for at least as long as your organisation’s standard data retention period, or for the duration of any related contractual or regulatory obligation. Given that INFOREG investigations can be initiated months or years after an event, erring on the side of longer retention is a reasonable approach. Seek specific legal advice for your sector.

Summary

  • POPIA Section 19 requires your organisation to apply reasonable technical measures to personal data at disposal. Using a recognised standard such as NIST 800-88 is how you demonstrate compliance.
  • The correct sanitisation method depends on the media type. SSDs and NVMe drives require Purge-level techniques, not a simple overwrite.
  • A defensible ITAD process includes intake logging, media classification, sanitisation, verification, and a per-asset Certificate of Destruction with full method and serial number details.
  • A signed data processing agreement between your organisation and your ITAD vendor is a POPIA requirement before any assets are collected.
  • Use the due diligence checklist in this article when evaluating any vendor. Clear, written answers to every item are the minimum standard.

Explore our full range of professional services or read more expert articles in our insights section. If you have questions about our corporate disposal process or want to discuss your organisation’s specific requirements, get in touch with our team.
This is educational content, not legal advice.

Dr Jan van Niekerk, Chief Executive Officer
I'm a seasoned executive leader with a deep background in Data Science and AI, and a passion for all things blockchain and crypto. I proudly hold 5 degrees to my name (Ph.D. in Computer Science (AI) and an Executive MBA) which I leverage to do things differently. I have been involved in the crypto-mining space for 15+ years, where at one point, I owned the largest individually owned crypto mining operation in Africa (bragging point). I have turned the mining operation into a commercial engine where my team and I now help people and businesses in the crypto mining space (offering a full value chain service).