Plain-English objective: R2v3 requires you to protect data at every stage—intake, handling, transport, processing, and final disposition—using documented controls that actually work. This guide gives you a practical, audit-ready workflow with sample SOP steps you can adapt immediately.

---

Scope & key definitions (keep these in your SOP)

• Data-bearing asset (DBA): Any device or component that can store data (HDD, SSD, NVMe, mobile, tablet, server, printer/MFP with storage, network gear with flash, DVR, point-of-sale, USB/SD, embedded controllers).
• Sanitization outcomes:
  • Clear: Overwrite data so it cannot be recovered using standard system functions and tools.
  • Purge: Render data unrecoverable using more rigorous techniques (e.g., cryptographic erase, firmware-assisted purge).
  • Destroy: Physically damage media so data is irretrievable (e.g., shredding, crushing, disintegration).
• Verification: Evidence that sanitization achieved the intended outcome (software report, hash check, sample QC, physical fragment size checks).
• Chain of custody (CoC): Continuous control and documented custody from pickup to final disposition.

Add these terms to your Definitions section so employees and auditors share the same language.

---

Roles & responsibilities (assign by job title)

• Intake Technician: Identifies data-bearing items at receipt, applies “DATA-BEARING” labels, triggers secure workflow.
• Data Security Lead (DSL): Owns the SOP, approves methods, maintains approved tool list, reviews exceptions.
• Sanitization Operator: Executes wipe/purge/destroy steps and records serials, method, outcome, and verification.
• QC Auditor: Independently verifies a defined sample or 100% where required; documents pass/fail.
• Logistics/Dispatch: Ensures secure transport, seals, custody logs, and storage area integrity.
• Compliance Manager: Performs internal audits, trend analysis, and CAPA for nonconformities.

Document this RACI in your procedure so it’s unambiguous who does what.

---

Intake-to-Disposition: the required control flow

Why this matters: Most nonconformities happen before or after the wipe—at intake (items missed) and after sanitization (mix-ups, incomplete records). A clean flow prevents both.

1. Pre-intake screening
   • Customer declares if assets are data-bearing; requests desired outcome (reuse with wipe, purge, or destroy).
   • Capture special handling requirements (e.g., encrypted assets, defective drives).
2. Secure intake
   • At receipt, visually and systematically identify DBAs. Use a laminated checklist by asset type.
   • Affix DATA-BEARING label and a unique asset ID. Photograph pallet/serial plates where feasible.
   • Record: customer, pickup manifest, seal numbers, time/date, handler signatures.
3. Controlled storage
   • Move DBAs to a restricted, CCTV-covered area with logged access.
   • Separate unsanitized from sanitized inventory with physical barriers and distinct tags.
4. Method selection (decision tree)
   • Intended reuse/resale: Prefer clear/purge; prohibit physical damage that harms reuse value.
   • High risk, encryption unknown, or device defective: Purge or destroy.
   • Customer-mandated destruction: Destroy regardless of device state.
   • Log the chosen method and rationale.
5. Sanitization execution
   • Use only approved tools/machines listed in your SOP (version-controlled).
   • Capture serial numbers, method, operator, start/end time, result code.
   • For cryptographic erase, record proof that the key was destroyed or reset performed.
6. Verification & QC
   • 100% verification for software-based wipe/purge (attach reports per device).
   • Statistical QC only where justified and documented (e.g., repeated identical media batches).
   • For physical destruction, verify fragment size against your acceptance criteria.
7. Exception handling
   • If a device fails wipe or tool aborts, quarantine and escalate to DSL.
   • Decide re-attempt with alternate method or destroy.
   • Record the exception, corrective action, and final outcome.
8. Final disposition
   • Mark assets as SANITIZED or DESTROYED with visible tagging.
   • Update inventory status; separate storage for post-sanitization goods.
   • Prepare Certificates of Sanitization/Destruction with traceability fields (see template below).
9. Outbound control & records retention
   • For remarketing: ensure no unsanitized DBAs are mixed into outgoing lots.
   • For scrap: ensure destroyed media stays in secure custody until it enters the shredder and is ground to spec.
   • Retain records for your defined retention period (commonly 3–7 years).

---

Sample SOP: Data Security & Sanitization (copy-adapt this)

Purpose
Ensure all data on received DBAs is secured and sanitized in compliance with R2v3 and customer requirements.

Scope
All DBAs handled at [Facility Name], including HDD, SSD/NVMe, mobile devices, printers/MFPs with storage, network devices, USB/SD, DVRs, and embedded flash.

Responsibilities
As listed in Roles & responsibilities above.

Procedure

1. Identification at Intake
   • Use the DBA Identification Checklist for each pallet/skid.
   • Tag suspected DBAs with red DATA-BEARING labels and assign Asset ID.
   • Photograph pallet and serial plates if accessible.
   • Log customer, time/date, receiver signature, and truck seal number.
2. Secure Storage (Pre-Sanitization)
   • Move DBAs to Cage A (restricted access). Log entry/exit in Cage Access Log.
   • Place into bins labeled UNSANITIZED ONLY.
3. Method Selection
   • Review customer instructions and device condition.
   • Select Clear, Purge, or Destroy per the Sanitization Decision Tree.
   • Record decision and operator initials in the Sanitization Work Order.
4. Execution – Clear/Purge
   • Connect device; verify serial in software UI.
   • Start approved wipe or crypto-erase profile.
   • On completion, export verification report; ensure it contains device ID, model, capacity, serial, method, date/time, and result.
   • If failed/aborted, quarantine and notify DSL.
5. Execution – Destroy
   • For HDD: remove from chassis; process through crusher/shredder.
   • For SSD/flash: process via fine shredder or pulverizer meeting your fragment size limit.
   • Record batch ID, input count/weight, start/end time, and operator.
   • Collect fragment samples periodically to verify size.
6. Verification
   • 100% report capture for software methods; store reports against Asset ID.
   • For destruction: perform hourly fragment checks; document results against acceptance criteria.
   • QC Auditor signs Verification Log daily.
7. Exception Handling
   • For any failure: complete Nonconformance Report (NCR) with cause, action, and outcome.
   • DSL approves rework or destruction.
8. Labeling & Segregation (Post-Sanitization)
   • Apply green SANITIZED labels to cleared/purged devices.
   • Move to Cage B (sanitized only). Update inventory status.
9. Certificates & Reporting
   • Generate Certificate of Sanitization/Destruction with customer name, PO/WO, asset list with serials, method, date, operator, and authorization signature.
   • Provide to customer; retain digital copy internally.
10. Records Retention

• Keep all logs, reports, certificates, and photos for [X years] in the Data Security Repository with controlled access.

Acceptance Criteria

• Software wipes: report states PASS and matches serial exactly.
• Crypto-erase: record of successful key destruction/reset.
• HDD destruction: fragments meet or are less than [your mm/in threshold].
• SSD/flash destruction: fragments meet [smaller threshold]; no intact memory packages.
• No unsanitized DBAs in sanitized/outbound areas.

Training & Competence

• New Sanitization Operators require two shadowed shifts and a competency check before solo work.
• Annual refresher covering tool updates and incident lessons learned.

Change Control

• DSL maintains Approved Tool List with version numbers. Any tool/profile change requires a controlled update and staff briefing.

---

Records you must be able to produce on demand (audit-ready)

• Intake Manifest & Seal Log
• Cage Access Logs (pre/post-sanitization)
• Sanitization Work Orders with method and operator
• Verification Reports (one per device for software methods)
• Destruction Batch Records with fragment checks
• Certificates of Sanitization/Destruction tied to asset serials
• Exception/NCR forms with CAPA evidence
• Training records and Approved Tool List (with versions)
• Inventory status reports showing transitions UNSANITIZED → SANITIZED/DESTROYED

Keep these organized by customer → work order → asset ID. Consistent filenames and index sheets save you during audits.

---

Verification strategies that pass scrutiny

• 100% device-level verification for software methods is the cleanest approach.
• Where statistical sampling is justified (e.g., homogeneous batches of identical media processed by a validated, unaltered workflow), document:
  • Sampling plan (e.g., AQL, lot size, sample size).
  • Rationale (history of zero defects, controlled inputs).
  • Escalation rule (any failure → 100% verification and process review).
• For destruction, define objective fragment size limits and measure on a routine cadence (e.g., each batch or every 30 minutes of operation).

---

Common nonconformities—and fast fixes

1. Missed DBAs at intake
   • Fix: Implement a DBA Identification Checklist by device type; retrain intake staff; spot-audit pallets.
2. Serial mismatches between report and label
   • Fix: Require barcode scanning at connect AND at report save; block save if mismatch.
3. Tool version drift (reports don’t match SOP)
   • Fix: Create an Approved Tool List with exact versions; IT locks updates; DSL signs off changes.
4. Mixed sanitization states in one cage
   • Fix: Physical barriers, color-coded bins, daily walkthrough checklist by QC Auditor.
5. Sampling used with no written rationale
   • Fix: Add a one-page Sampling Plan to the SOP; include when it’s allowed, lot definition, and escalation triggers.
6. Certificates lack traceability
   • Fix: Certificates must list asset IDs/serials, method, date, operator; never issue a certificate without that linkage.

---

KPIs for continuous improvement

• Sanitization first-pass yield (%)
• Time per device (software wipe) by media type/capacity
• Exception rate (failed wipes, aborted runs)
• Verification discrepancies (reports missing/mismatched)
• Cage integrity (finds of mis-segregation per month)
• On-time certificate issuance (%)

Review KPIs monthly; create CAPA for trends exceeding your thresholds.

---

Practical setup tips (low cost, high impact)

• Mount a visual workflow board at the cage: UNSANITIZED → METHOD → VERIFIED → SANITIZED/DESTROYED.
• Standardize label colors: red = DATA-BEARING (unsanitized), green = SANITIZED, black/white = inventory only.
• Use barcodes/QRs for asset IDs; scan into the wipe tool to avoid typos.
• Keep a hot-swap cart of adapters (SATA, NVMe, 2.5/3.5, USB docks) to reduce handling delays.
• For SSDs headed to destruction, seal containers immediately post-pull; don’t accumulate loose media on benches.

---

Final checklist (print for the station)

• DBA identified and labeled?
• Asset ID and serial captured?
• Method chosen and recorded (clear/purge/destroy)?
• Wipe/destruction executed using an approved profile/machine?
• Verification report or fragment check completed?
• Exception handled and documented (if any)?
• Status updated to SANITIZED/DESTROYED and assets moved to correct cage?
• Certificate generated and stored?
• Logs filed under the correct customer/WO?

---

Bottom line: If you can prove what happened to every single data-bearing asset—through clear procedures, objective verification, and tidy records—you’ll satisfy R2v3 expectations and build customer trust. Start by adopting the SOP above, tighten your intake controls, require 100% verification for software wipes, and make certificates and logs the natural by-product of doing the work right.