Why Device Disposal Is a Data Protection Issue
When an employee leaves, a laptop is replaced or a server is decommissioned, most businesses think about logistics — who collects it, where it goes. Very few think about what's on it. That's a problem.
Business devices routinely contain years of sensitive information: customer and employee personal data, financial records, confidential contracts, email archives, browser-saved passwords and application credentials. Under UK GDPR, you are the data controller for all of it — and your responsibility for it does not end when the device leaves the building. It ends when that data is provably destroyed.
The ICO is clear on this. Article 5(1)(f) of UK GDPR requires that personal data be processed "in a manner that ensures appropriate security... including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage." Sending a device to landfill, selling it on eBay after a factory reset, or leaving it in a storeroom indefinitely all fail this test.
The Legal Framework: What UK Businesses Must Comply With
- UK GDPR and the Data Protection Act 2018 — require personal data to be securely destroyed when no longer needed, and that you can demonstrate compliance
- WEEE Regulations 2013 — make it illegal to place electrical and electronic equipment in general waste; devices must be handled by a licensed waste carrier
- Environment Agency regulations — require that businesses use licensed waste carriers and obtain Waste Transfer Notes for all WEEE collections
What Does "Secure Disposal" Actually Mean?
Secure disposal means that data on a device cannot be recovered by any means after the process is complete. There are two accepted methods:
1. Data wiping (overwriting)
Software-based data wiping overwrites all storage media with random data, rendering the original data unrecoverable. The recognised standard is NIST SP 800-88 (Guidelines for Media Sanitization), which specifies the methods and verification required for different types of media. A proper wipe produces a verifiable log confirming the process completed successfully.
Data wiping is appropriate for devices that will be reused or refurbished after disposal.
2. Physical destruction
Physical destruction — shredding, crushing or degaussing the storage media (degaussing is effective on magnetic media only) — is the highest assurance method. It is appropriate for highly sensitive data environments, failed drives that cannot be reliably wiped, or where the organisation requires maximum certainty. After physical destruction, a Data Destruction Certificate documents the serial number of each item destroyed and the method used.
Important: a factory reset is not secure disposal
A factory reset restores the operating system to its default state but does not securely erase data. Studies have consistently demonstrated that data — including emails, documents, passwords and photos — can be recovered from factory-reset drives using freely available recovery software. Never rely on a factory reset as your data destruction method for business devices.
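The two points above (a reset leaves the bytes in place; a proper wipe overwrites them and produces a verifiable log) can be seen in a small model. The following is an added example written for this page, not a tool from the article or from Complianta: it builds a toy disk with a hypothetical geometry, serial number and log format, "deletes" a constructed customer record the way a quick reset does, carves it straight back out of the raw media, then performs a single-pass overwrite with full read-back verification in the spirit of a NIST SP 800-88 Clear. Note that on flash media an overwrite does not necessarily reach every cell (wear-levelled and over-provisioned areas), which is why the standard points to the drive's built-in sanitize or cryptographic-erase commands for SSDs and why real wipe tooling, not a script like this, is used in practice.

```python
"""Toy model of a storage device, showing why a factory reset is not
secure disposal and what a verifiable overwrite log looks like. Constructed
example; the disk geometry, serial number and log fields are hypothetical."""
import hashlib

BLOCK_SIZE = 64     # bytes per block (constructed toy geometry)
BLOCK_COUNT = 32


class ToyDisk:
    def __init__(self, serial: str):
        self.serial = serial
        self.media = bytearray(BLOCK_COUNT * BLOCK_SIZE)   # the raw bytes
        self.directory = {}                                # file name -> block list
        self.free = list(range(BLOCK_COUNT))

    def write_file(self, name: str, data: bytes) -> None:
        blocks = []
        for offset in range(0, len(data), BLOCK_SIZE):
            blk = self.free.pop(0)
            chunk = data[offset:offset + BLOCK_SIZE]
            start = blk * BLOCK_SIZE
            self.media[start:start + len(chunk)] = chunk
            blocks.append(blk)
        self.directory[name] = blocks

    def factory_reset(self) -> None:
        """What a quick reset or reformat does: the directory is discarded and
        every block is marked free, but not one byte of content changes."""
        self.directory = {}
        self.free = list(range(BLOCK_COUNT))

    def carve(self, needle: bytes) -> bool:
        """What recovery software does: ignore the directory, scan raw media."""
        return needle in self.media

    def sanitize_overwrite(self, pattern: bytes = b"\x00") -> dict:
        """Single-pass overwrite of every block followed by read-back
        verification. Returns the evidence log a disposal provider would keep
        (field names are this example's own, not a standard format)."""
        fill = (pattern * BLOCK_SIZE)[:BLOCK_SIZE]
        for blk in range(BLOCK_COUNT):
            start = blk * BLOCK_SIZE
            self.media[start:start + BLOCK_SIZE] = fill
        verified = sum(
            1 for blk in range(BLOCK_COUNT)
            if self.media[blk * BLOCK_SIZE:(blk + 1) * BLOCK_SIZE] == fill
        )
        self.directory = {}
        self.free = list(range(BLOCK_COUNT))
        return {
            "serial": self.serial,
            "method": "overwrite, 1 pass, full read-back verification",
            "blocks_written": BLOCK_COUNT,
            "blocks_verified": verified,
            "verified": verified == BLOCK_COUNT,
            "media_sha256": hashlib.sha256(self.media).hexdigest(),
        }


def demo() -> dict:
    disk = ToyDisk(serial="TOY-0001")   # constructed serial number
    # constructed personal data of the kind found on a business laptop
    disk.write_file("customers.csv", b"Jane Doe,jane@example.com,acct 00412\n" * 3)
    disk.factory_reset()
    after_reset = disk.carve(b"jane@example.com")   # True: the bytes are still there
    log = disk.sanitize_overwrite()
    after_wipe = disk.carve(b"jane@example.com")    # False: overwritten and verified
    return {"recoverable_after_reset": after_reset,
            "recoverable_after_wipe": after_wipe,
            "log": log}


if __name__ == "__main__":
    print(demo())
```

The log is what the audit trail in the steps below hangs off: serial number, method, and a verification result that was actually measured rather than assumed.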
The 8-Step Best Practice Process
1. Identify devices for disposal. Maintain an asset register and flag devices that are end-of-life, failed or no longer required.
2. Back up data you need to retain. Before any device is prepared for disposal, ensure all data that needs to be retained has been backed up to your systems or cloud storage.
3. Sign out of all business accounts. Deregister the device from Microsoft 365, Google Workspace, Apple Business Manager or any MDM platform. Revoke certificates and licences.
4. Do not factory reset — contact a certified disposal provider. Once you have backed up what you need, the device should go directly to a certified IT disposal provider. Do not perform a factory reset and consider the data destroyed.
5. Use a licensed waste carrier. Your disposal provider must hold an upper-tier Environment Agency Waste Carrier Licence. Ask to see it. You are legally responsible for ensuring your waste is handled correctly.
6. Obtain a Data Destruction Certificate. For every device, you should receive a signed certificate confirming the make, model, serial number, date of destruction and method used. This is your ICO audit evidence.
7. Obtain a Waste Transfer Note. This documents the legal transfer of responsibility for the WEEE from your business to the licensed carrier. Keep it for at least two years.
8. Update your asset register. Mark each disposed device as destroyed in your asset register, with the date and reference to the destruction certificate. Your GDPR Records of Processing Activities (RoPA) should reflect that these devices and their data have been securely disposed of.
Special Considerations
Mobile phones and tablets
Mobile devices often contain more sensitive data than laptops — emails, contacts, WhatsApp business conversations, authenticator apps and cloud-synced files. The same certified destruction process applies. Remove SIM cards before handover.
Removable media
USB drives, external hard drives and SD cards are easily overlooked. Any removable media used for business purposes must be tracked and destroyed in the same way as internal drives. They should not be binned or left in drawers.
Printers and photocopiers
Modern networked printers and photocopiers contain internal hard drives that store copies of every document scanned, printed or faxed. This is a frequently overlooked source of data exposure. Before disposing of any multifunction device, ensure the internal drive is included in the destruction process.
Servers and NAS devices
Server disposal requires particular care given the volume and sensitivity of data typically held. Physical destruction of drives is often the preferred approach for decommissioned servers. Ensure all RAID arrays are fully covered — destruction of one drive in a RAID set does not destroy the data.
Documentation to Keep on File
- Data Destruction Certificate (per device) — keep indefinitely or for the duration of your data retention policy
- Waste Transfer Note — keep for a minimum of 2 years (legal requirement)
- Updated asset register entries with disposal dates and certificate references
- Record of disposal in your GDPR Records of Processing Activities
Need Help Disposing of Business Devices?
Complianta provides certified IT disposal for businesses of all sizes, UK-wide. Free collection, destruction certificates, WEEE compliance — all included.