
Data erasure and certification under DPDPA

Author: Advocate (Dr.) Prashant Mali


Why Certified Data Erasure Is Non-Negotiable in the Age of DPDPA and GDPR?

“We deleted the data.”

That single, fatal sentence has cost companies millions. The problem? Deleting data isn’t the same as erasing it. Just ask Morgan Stanley, who learned this the hard way—and paid $60 million for the lesson. Ask the then-famous Bollywood couple whose private moments went viral, leading to heartburn and stress in their public lives.

Let’s rewind.

In 2020, Morgan Stanley decommissioned two data centers. The hard drives were removed, resold, and assumed to be wiped. But data isn’t a polite guest—it lingers. Social Security numbers, account credentials, and portfolio data were still recoverable from those drives. This wasn't just a technical oversight. It was a legal catastrophe.

A leaked video of Shahid Kapoor and Kareena Kapoor from 2004, while they were dating, caused a stir in the media. The video, reportedly a lip-lock, was leaked, and Shahid Kapoor later discussed how the incident affected him, stating it was a "painful period" and that he felt "destroyed" by the leak. The incident is often cited in discussions of what can happen when an un-erased mobile phone is sold or traded in for a new one.

The Stakes of Data Disposal in 2025: Higher Than Ever

In today’s regulatory environment, secure data erasure isn’t just good IT hygiene—it’s a statutory mandate. Two major legal frameworks—India’s Digital Personal Data Protection Act (DPDPA) and the EU’s General Data Protection Regulation (GDPR)—have explicitly elevated data disposal to a legal duty. Both the Reserve Bank of India (RBI) and the Securities and Exchange Board of India (SEBI) also have guidelines and regulations that include data erasure mandates, particularly concerning the secure disposal of data and records. These regulations are in place to ensure data privacy and security within the financial sector.

📜 What DPDPA Says

  • Section 8(5)(d) mandates Data Fiduciaries to ensure that personal data is "retained only for as long as is necessary" for the purpose for which it is processed.
  • Section 8(7) further requires entities to ensure secure deletion or anonymization once the purpose is fulfilled or retention is no longer necessary.
  • Non-compliance can invite penalties under Schedule I, with fines up to ₹250 crore for data breaches stemming from negligence.

This isn’t theoretical. The Data Protection Board of India, once fully functional, is empowered to adjudicate and penalize such lapses.

🇪🇺 What GDPR Requires

  • Article 5(1)(e): Personal data shall be "kept in a form which permits identification of data subjects for no longer than is necessary."
  • Article 17 (Right to Erasure): Obligates data controllers to permanently erase data upon request, or when it’s no longer needed.
  • Recital 39 calls for mechanisms ensuring that data is not kept indefinitely without justification.

Failure to properly erase data can trigger Tier 2 penalties: up to €20 million or 4% of global turnover, whichever is higher.

⚠️ Morgan Stanley: A Case Study in “Almost Right” Gone Horribly Wrong

Morgan Stanley’s mistake wasn’t malice—it was misplaced confidence.

They thought they wiped the drives.
But they didn’t certify it.

The subcontractors mishandled the data, yet accountability still sat with Morgan Stanley as the Data Controller. Regulators don’t care who fumbled the ball—only who owned it. The SEC ruled that the company failed to protect customer data during hardware disposal. The reputational damage was incalculable; the financial damage wasn’t—it was exactly $60 million.

⚠️ Kareena Kapoor - Shahid Kapoor: Mobile Phone Selling with Private Data Gone Horribly Wrong

The leaked 2004 video of Shahid Kapoor and Kareena Kapoor, reportedly showing an intimate moment, underscores the critical importance of secure and certified data erasure. What may have been a personal recording, if not properly deleted or safeguarded, became a viral breach of privacy—leading to emotional distress and long-term reputational consequences. Shahid himself called it a “painful period” where he felt “destroyed.” This incident reminds us that un-erased data, even from decades past, can resurface to cause irreversible damage. Whether for individuals or corporations, failing to erase sensitive data securely isn’t just negligent—it’s potentially devastating.

✅ The Case for Certified Data Erasure

Let’s be clear: deletion is not destruction. Formatting a hard drive or moving files to the Recycle Bin does nothing against modern forensic tools. Even a full format can leave recoverable footprints.

Here’s what Certified Data Erasure means:

  • Complete data sanitization using standards like NIST 800-88 or DoD 5220.22-M.
  • Tamper-proof audit logs to prove compliance.
  • Chain of custody documentation for every device retired.
  • Third-party certifications to ensure no data can be reconstructed.

It’s not about being cautious; it’s about being legally defensible.
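The two technical pieces of that list, read-back verification of the sanitized media and a tamper-evident audit trail for each retired device, can be exercised in a few lines. The script below is an added illustration, not code from the original article or from any vendor's product; the 64 KiB "drive image", the serial numbers and the residual account-number block are constructed, and the sampling behaviour shows why a full read-back is safer than a sampled one.

```python
import hashlib
import json
from datetime import datetime, timezone

BLOCK = 512                 # sector size used for the demo image
IMAGE_SIZE = 64 * 1024      # constructed 64 KiB stand-in for real media

def make_image(residual: bool) -> bytearray:
    """Constructed post-overwrite image; residual=True leaves one block un-wiped."""
    img = bytearray(IMAGE_SIZE)  # all zeros, i.e. what a successful overwrite pass leaves
    if residual:
        img[40 * BLOCK:41 * BLOCK] = b"ACCT-1234-5678 " * 34 + b"\x00" * 2
    return img

def verify_wipe(img, pattern=b"\x00", sample_every=1):
    """Read-back verification as NIST 800-88 expects: returns (ok, bad_block_ids).
    sample_every=1 reads every block (full verify); N>1 checks only every Nth block."""
    bad = []
    for i in range(0, len(img) // BLOCK, sample_every):
        chunk = bytes(img[i * BLOCK:(i + 1) * BLOCK])
        if chunk != pattern * BLOCK:
            bad.append(i)
    return (not bad, bad)

def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def issue_certificate(serial, method, verify_result, prev_hash):
    """One erasure record; each record commits to the previous one's hash,
    so the log is tamper-evident (any edited field breaks the chain)."""
    ok, bad = verify_result
    rec = {
        "device_serial": serial,          # assumed field names, not a standard schema
        "method": method,
        "verified": ok,
        "bad_blocks": bad,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "prev_hash": prev_hash,
    }
    rec["hash"] = _digest(rec)
    return rec

def chain_intact(records, genesis="0" * 64) -> bool:
    """Re-hash every record and check the linkage back to the genesis value."""
    prev = genesis
    for rec in records:
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["prev_hash"] != prev or rec["hash"] != _digest(body):
            return False
        prev = rec["hash"]
    return True
```

On real media the read-back would be done against the device itself, and a sampled verify such as `sample_every=16` can skip straight over a residual block, which is why the certificate should record a full verification.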

💰 Why It’s Cheaper to Erase Data Than Face Regulators

Category, with cost estimate / legal impact (India):

  • DPDPA Penalties: ₹50 crore per instance (approx. $6M)
  • Legal and Compliance Costs: ₹1 crore – ₹25 crore (litigation, counsel, RTI/RTIIC hearings)
  • Forensic and Audit Investigations: ₹50 lakh – ₹5 crore (depending on breach size)
  • Loss of Customer Trust: years of reputational rebuilding or permanent damage
  • Brand Value Erosion: subjective; potentially hundreds of crores in lost valuation
  • Regulatory Scrutiny (CERT-In / MeitY / SEBI / RBI): compliance orders, blacklisting risks, data audit mandates

A robust data erasure policy, on the other hand, costs a fraction of this and builds cyber resilience and legal defensibility into the lifecycle of your tech assets.

🧭 What Should Indian CISOs and DPOs Do?

  1. Audit all decommissioning processes—especially those involving storage media.
  2. Outsource only to certified IT Asset Disposition (ITAD) vendors—ensure they follow NIST/DoD standards.
  3. Maintain erasure certificates—regulatory inspection or legal defence requires documentary evidence.
  4. Train your teams—data lifecycle management is as critical as access control or encryption.
  5. Include erasure policies in your DPDPA compliance framework—make it part of your data protection impact assessments (DPIAs).

Lastly: You Can't Afford to “Think” It’s Deleted

We live in a world where data is both an asset and a liability—like that friend who borrows your car and forgets to return it with fuel. In the age of DPDPA and GDPR, “I think it’s deleted” is the corporate equivalent of “the dog ate my homework.” That excuse won’t hold up in court, and it certainly won’t impress the Data Protection Board or your shareholders.

Remember the Morgan Stanley fiasco? They thought some old hard drives were wiped. Turns out, they were only “wiped with good intentions.” It cost them over $60 million—and a few executive-sized headaches. Learn from their pain; don’t audition for the sequel.

Certified data erasure isn’t just a checkbox or an IT ritual. It’s your firewall against regulatory wrath, reputational ruin, and the kind of PR crisis that makes CEOs break out in hives. It's not about being cautious—it's about being legally sane.

So don’t “think” your data is gone. Know it’s erased. Certified. Auditable. Untouchable. And most importantly—non-leakable.


By: Advocate (Dr.) Prashant Mali
Cyber Law Expert | Data Protection Lawyer | Thought Leader in Cyber, AI & Privacy Law
