
GDPR compliance when disposing of old company tech

by Mark Rowe

When upgrading tech, attention often centres on rollout, writes The DPO Centre.

Teams prioritise performance gains, enhanced security and operational continuity. Yet while attention shifts to the future, less thought is given to what happens to the devices being retired, even though older hardware may still contain recoverable information. Research suggests this is a larger issue than many businesses realise. A study by the University of Hertfordshire's Cyber Security Centre found that 65 per cent of discarded devices still contained recoverable data, illustrating how sensitive information can persist long after equipment is considered redundant.

For businesses, this presents a material GDPR risk. Laptops, servers and mobile devices that are decommissioned without proper sanitisation may still hold personal data. If that data can be recovered, organisations may struggle to demonstrate that appropriate safeguards were in place, even where disposal was routine and well intentioned.

This article draws on insights from data protection specialists and the IT disposal firm Innovent Recycling to examine why end-of-life technology remains an under-appreciated compliance exposure, how GDPR principles apply at this stage of the data lifecycle, and what defensible destruction looks like in practice.

References to the GDPR in this article cover both the UK GDPR and EU GDPR. While distinctions exist between the two regimes, they are not material in the context of IT equipment disposal and personal data destruction. Organisations should assess the version applicable within their jurisdiction.

Why IT equipment disposal is a GDPR compliance risk

IT equipment disposal typically sits across multiple functions – IT, facilities, procurement and external recycling partners. Where responsibility is fragmented, oversight can weaken. Removing a device from active service does not remove the data protection obligations attached to the personal data stored on it.

Risk arises where personal data remains accessible on retired hardware. If information can still be recovered – by a subsequent purchaser, an intermediary handler or through improper disposal – organisations may find it difficult to evidence that appropriate technical and organisational measures were in place, as required under the GDPR.

The Information Commissioner's Office has made clear that electronic records must be destroyed in a manner that prevents disclosure before, during and after disposal. Security obligations therefore persist throughout storage, transport and destruction. Weakness at any stage in that chain can invite regulatory scrutiny, particularly where documentation is incomplete or inconsistent.

GDPR principles that apply to IT equipment disposal

The GDPR does not prescribe specific destruction methods. Instead, it establishes outcome-based obligations: personal data must become irrecoverable, security must be proportionate to risk, and compliance must be demonstrable. The focus is less on the technology used and more on whether the organisation can show that appropriate control was maintained throughout the disposal process.

Several core principles are especially relevant at IT equipment end of life.

Storage limitation requires that personal data is not retained longer than necessary. When equipment is retired, any remaining data rarely has an ongoing lawful purpose. Allowing information to sit dormant on redundant hardware may amount to unnecessary retention, even if the device is no longer operational.

Accountability requires organisations to demonstrate GDPR compliance. In disposal scenarios, this means verifiable evidence. It is insufficient to assume data has been erased or to rely solely on informal assurances from third parties. Clear documentation and auditable processes are central to defensible governance.

Security of processing obliges organisations to implement technical and organisational measures appropriate to the risk. Crucially, this obligation continues until the data is genuinely irrecoverable. Personal data remains protected during storage, internal handling, transport and destruction – not only while systems are live.

Processor oversight becomes relevant where disposal is outsourced. A recycling or destruction provider handling equipment that may contain personal data is likely to be acting as a processor. Controllers must ensure such providers offer sufficient guarantees of compliance, supported by contractual safeguards and oversight mechanisms. Delegating disposal does not delegate responsibility.

Software wiping versus physical destruction

The decision between software wiping and physical destruction is not purely technical; it is a risk assessment exercise. Organisations must consider data sensitivity, device condition, reuse intentions and their broader governance posture when determining the appropriate approach.

Software wiping is typically suitable where devices remain functional and are intended for redeployment or resale. Recognised frameworks such as NIST 800-88 Rev. 2 provide structured guidance on sanitisation methods across different media types. When properly implemented, wiping can support both data protection and sustainability objectives by enabling reuse and reducing electronic waste.

However, sanitisation is not universally reliable. Certain storage media, including some HDDs and SSDs, may contain remnant or inaccessible blocks that are not fully overwritten by standard tools. Damaged or non-functional drives cannot be reliably wiped at all. Where recoverability cannot be confidently excluded, reliance on software methods alone may be difficult to justify under regulatory scrutiny.
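The remnant-block problem above is why sanitisation frameworks pair an overwrite with a read-back verification step. The following Python script is an added example, not code from the article, The DPO Centre or Innovent Recycling: it overwrites a file-backed image (constructed here to stand in for a drive), then reads every block back, or a seeded random sample of blocks, and reports any block that does not match the wipe pattern. The block size, the zero pattern, the image size and the two "missed" blocks are all assumptions made for the demonstration.

```python
"""Added example: read-back verification after an overwrite pass, run against
a constructed file image rather than a real drive."""
import os
import random
import tempfile

BLOCK_SIZE = 4096          # assumed block size for the image
WIPE_PATTERN = b"\x00"     # assumed single-pass zero pattern


def overwrite_image(path, skip_blocks=frozenset()):
    """Overwrite every block of the image with WIPE_PATTERN.
    `skip_blocks` is a constructed fault: blocks the wiping tool missed."""
    n_blocks = os.path.getsize(path) // BLOCK_SIZE
    with open(path, "r+b") as f:
        for blk in range(n_blocks):
            if blk in skip_blocks:
                continue
            f.seek(blk * BLOCK_SIZE)
            f.write(WIPE_PATTERN * BLOCK_SIZE)
        f.flush()
        os.fsync(f.fileno())


def verify_overwrite(path, sample_fraction=1.0, seed=0):
    """Read blocks back and return the indices that still differ from the
    wipe pattern. sample_fraction=1.0 is a full verification; anything lower
    checks a seeded pseudo-random sample so the audit record can reproduce it."""
    n_blocks = os.path.getsize(path) // BLOCK_SIZE
    expected = WIPE_PATTERN * BLOCK_SIZE
    indices = list(range(n_blocks))
    if sample_fraction < 1.0:
        k = max(1, int(n_blocks * sample_fraction))
        indices = sorted(random.Random(seed).sample(indices, k))
    failing = []
    with open(path, "rb") as f:
        for blk in indices:
            f.seek(blk * BLOCK_SIZE)
            if f.read(BLOCK_SIZE) != expected:
                failing.append(blk)
    return failing


def make_image(n_blocks=64):
    """Constructed sample: a temporary image filled with pseudo-random bytes
    standing in for personal data left on a retired device."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(random.Random(42).randbytes(n_blocks * BLOCK_SIZE))
    return path


def demo():
    """Returns three lists of failing block indices: after a complete
    overwrite, after an overwrite that skipped blocks 7 and 40 (full
    read-back), and the same flawed image checked with a 50% sample."""
    full_path = make_image()
    try:
        overwrite_image(full_path)
        clean = verify_overwrite(full_path)
    finally:
        os.remove(full_path)
    partial_path = make_image()
    try:
        overwrite_image(partial_path, skip_blocks={7, 40})
        remnant_full = verify_overwrite(partial_path)
        remnant_sampled = verify_overwrite(partial_path, sample_fraction=0.5, seed=1)
    finally:
        os.remove(partial_path)
    return clean, remnant_full, remnant_sampled


if __name__ == "__main__":
    print(demo())
```

Two points follow from running it. A sampled verification can miss a remnant block that a full read-back finds, so the sample fraction is itself a risk decision that belongs in the disposal record. And on a real device the read-back only sees the blocks the drive controller exposes: remapped sectors and over-provisioned flash are out of reach of this check, which is the practical reason the article favours physical destruction for damaged drives and higher-risk data.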

Physical destruction is generally more appropriate where devices are damaged, have reached end of life, or contain higher-risk categories of personal data. Methods such as shredding, crushing or degaussing aim to render storage media irrecoverable by design. In higher-risk contexts, this approach may offer greater certainty and clearer evidential support.

Larger organisations often engage specialist providers to ensure consistency, controlled chain of custody and standardised documentation across sites. Smaller organisations may conduct destruction internally, but the evidential burden is no lighter. In-house processes should be recorded with the same discipline as outsourced services, including clear records of method, timing, responsible personnel and confirmation of irrecoverability.

How to securely destroy data on end-of-life IT equipment

Secure destruction begins long before a device is wiped or shredded. From a GDPR perspective, the central issue is control. Personal data stored on retired devices must remain protected from decommissioning until it is demonstrably irrecoverable.

Location is a key consideration. On-site destruction can provide greater assurance in higher-risk scenarios, as devices do not leave organisational control prior to being rendered unusable. Off-site destruction may be appropriate for lower-risk assets, provided robust chain of custody controls govern storage, transport and handling throughout.

Contractual oversight is equally important. Where third parties are involved, organisations should retain the ability to verify compliance, whether through audit rights, reporting requirements or detailed destruction certificates. Without enforceable oversight mechanisms, reliance on supplier assurances alone may prove fragile.

Timing also matters. Extended storage between decommissioning and destruction can increase exposure, particularly if devices containing personal data are held in unsecured or poorly monitored environments. Clear procedures for prompt handling and tracked movement reduce this risk. For organisations operating across multiple sites, consistency becomes a governance issue. Fragmented disposal practices create uneven risk profiles and complicate organisation-wide accountability.

What to look for in a GDPR-compliant destruction provider

Where destruction is outsourced, the arrangement is likely to constitute a processor relationship under the GDPR. The organisation retaining ownership of the data remains accountable for ensuring appropriate safeguards are in place. Selecting a disposal partner is therefore a compliance decision as much as a procurement one.

A defensible provider should be able to evidence structured information security controls. Certifications such as ISO 27001 can indicate the presence of a formalised risk management framework, although accreditation alone may not be sufficient evidence of effective security controls. Lawful handling of electronic waste, including appropriate Environment Agency registration and compliance with Waste Electrical and Electronic Equipment regulations, should also be demonstrable.

The integrity of the chain of custody is critical. From collection through to destruction, documentation should clearly govern transfer, storage and processing. Weakness at any stage – particularly during transport or interim storage – can undermine otherwise robust destruction methods.

Human factors must also be addressed. Personnel handling devices that may contain personal data should be appropriately vetted, and facilities should incorporate controlled access and monitoring to reduce the risk of unauthorised access before destruction.

Guidance from the UK's National Cyber Security Centre (NCSC), including its recommendations on media sanitisation and the Sanitisation Assurance Scheme, can provide useful benchmarks. While no single accreditation guarantees compliance, layered safeguards and verifiable controls are far easier to defend under scrutiny.

GDPR-compliant IT equipment disposal

Under the GDPR, compliance is assessed not only by intention but by evidence. In IT disposal scenarios, the ability to produce clear, contemporaneous records may be decisive during an audit, investigation or breach enquiry.

A defensible framework typically begins with a formal IT asset disposal policy. This should define when equipment is decommissioned, how personal data is sanitised or destroyed, who is responsible at each stage and how third-party providers are governed. Without documented allocation of responsibility, accountability can quickly become blurred.

Operational records should allow individual devices to be traced through to their final disposal outcome. Asset inventories should link serial numbers and device types to specific sanitisation or destruction actions. Certificates of destruction, where applicable, should clearly identify the asset, method used, date processed and confirmation that data has been rendered irrecoverable.

Where disposal is outsourced, processor contracts and due diligence documentation form part of the evidential picture. Records of Processing Activities should accurately reflect retention and destruction processes, rather than treating disposal as an afterthought. For in-house destruction, organisations should retain staff training records and technical verification evidence, particularly where devices are wiped and reused rather than physically destroyed. Years after a device has left circulation, the organisation may still need to demonstrate how and when its data ceased to exist.
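The record-keeping requirements described in this section can be checked mechanically. Below is an added Python example, not code from the article, The DPO Centre or Innovent Recycling: a minimal asset disposal register that links each decommissioned device to its sanitisation or destruction record and reports the gaps an auditor would ask about, namely assets with no record, incomplete certificates, long holding periods between decommissioning and destruction, software-only sanitisation without verification evidence, higher-risk assets not physically destroyed, and records for serials that are not in the inventory. The serial numbers, dates, method labels, field names and the 30-day holding threshold are all constructed assumptions for the demonstration.

```python
"""Added example: an IT asset disposal register with an audit function.
All serials, dates, method labels and thresholds are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed method vocabulary; a real register would use the organisation's
# own policy terms (for example the NIST 800-88 Clear/Purge/Destroy categories).
SOFTWARE_METHODS = {"nist-800-88-clear", "nist-800-88-purge", "wipe"}
PHYSICAL_METHODS = {"shred", "crush", "degauss"}


@dataclass
class Asset:
    serial: str
    device_type: str
    decommissioned_on: date
    data_category: str            # constructed labels: "standard" or "high-risk"


@dataclass
class DestructionRecord:
    asset_serial: str
    method: str
    processed_on: Optional[date]
    irrecoverable_confirmed: bool
    performed_by: str             # staff member, or the processor for outsourced disposal
    verification_evidence: str = ""   # wipe log or certificate reference


def audit_register(assets: List[Asset], records: List[DestructionRecord],
                   max_holding_days: int = 30) -> Dict[str, List[str]]:
    """Return audit findings keyed by serial; an empty list means fully traceable."""
    by_serial: Dict[str, List[DestructionRecord]] = {}
    for r in records:
        by_serial.setdefault(r.asset_serial, []).append(r)
    findings: Dict[str, List[str]] = {}
    for a in assets:
        issues: List[str] = []
        recs = by_serial.get(a.serial, [])
        if not recs:
            issues.append("no destruction record")
        for r in recs:
            # Certificate completeness: method, date, responsible party, confirmation
            if not r.method:
                issues.append("certificate missing method")
            if r.processed_on is None:
                issues.append("certificate missing processing date")
            if not r.performed_by:
                issues.append("certificate missing responsible party")
            if not r.irrecoverable_confirmed:
                issues.append("irrecoverability not confirmed")
            # Timing: prolonged holding between decommissioning and destruction
            if r.processed_on is not None:
                holding = (r.processed_on - a.decommissioned_on).days
                if holding < 0:
                    issues.append("destruction dated before decommissioning")
                elif holding > max_holding_days:
                    issues.append(f"held {holding} days before destruction")
            # Method proportionate to risk, with evidence where software wiping is used
            if r.method in SOFTWARE_METHODS and not r.verification_evidence:
                issues.append("software sanitisation without verification evidence")
            if a.data_category == "high-risk" and r.method not in PHYSICAL_METHODS:
                issues.append("high-risk data not physically destroyed; record the justification")
            if r.method and r.method not in SOFTWARE_METHODS | PHYSICAL_METHODS:
                issues.append(f"unrecognised method {r.method!r}")
        findings[a.serial] = issues
    known = {a.serial for a in assets}
    for serial in by_serial:
        if serial not in known:
            findings[serial] = ["record for unknown asset"]
    return findings


# Constructed sample inventory and destruction records
ASSETS = [
    Asset("SN-0001", "laptop", date(2024, 3, 1), "standard"),
    Asset("SN-0002", "server", date(2024, 3, 1), "high-risk"),
    Asset("SN-0003", "mobile", date(2024, 2, 10), "standard"),
    Asset("SN-0004", "laptop", date(2024, 4, 1), "standard"),
]
RECORDS = [
    DestructionRecord("SN-0001", "nist-800-88-clear", date(2024, 3, 5), True,
                      "J. Example (IT)", "wipe-log-0001"),
    DestructionRecord("SN-0002", "wipe", date(2024, 3, 20), True,
                      "Example Recycling Ltd (processor)"),
    DestructionRecord("SN-0003", "shred", date(2024, 4, 30), True,
                      "Example Recycling Ltd (processor)", "cert-2024-117"),
    DestructionRecord("SN-9999", "shred", date(2024, 4, 30), True,
                      "Example Recycling Ltd (processor)", "cert-2024-118"),
]


def demo() -> Dict[str, List[str]]:
    return audit_register(ASSETS, RECORDS)


if __name__ == "__main__":
    for serial, issues in demo().items():
        print(serial, issues or "OK")
```

Running it flags SN-0004 (decommissioned, no record), SN-0003 (80 days in storage before shredding), SN-0002 (high-risk server wiped by a processor with no verification evidence on file) and SN-9999 (a certificate for a serial the inventory does not know, which usually means the inventory, not the certificate, is wrong). The register and its findings are the kind of contemporaneous evidence the section describes; they are only useful if kept for the retention period the organisation has decided on.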

How long should records be kept?

The GDPR does not prescribe specific retention periods for destruction records. However, retaining documentation for at least six years aligns with common UK record-keeping practices. Certain regulated sectors, including finance and healthcare, may require longer retention.

Destruction is not a single act but part of a controlled data lifecycle. While device disposal may feel operationally routine, evidence of secure handling may be required long after the hardware itself has disappeared.

Conclusion

GDPR-compliant IT disposal is less about the act of destruction itself and more about governance. Organisations that treat end-of-life technology as a structured, auditable stage of the data lifecycle – rather than a peripheral operational task – reduce both regulatory and reputational exposure. By combining proportionate destruction methods, rigorous oversight and robust documentation, businesses can show that personal data remains protected until it is truly irrecoverable. Secure disposal is not merely a technical safeguard; it is a tangible expression of accountability.
