Why Wiping Your Laptop Isn't Enough to Protect Your Business Data

The Myth of "I've Deleted It"

When you delete a file on a Windows, Mac or Linux computer, the file does not disappear. What actually happens is that the operating system marks the space occupied by that file as "available" — but the data itself remains on the drive, intact, until that space is overwritten by something else.

In a busy file system, that overwriting might happen quickly. But it might not happen for months or years. And on a drive that is about to be disposed of, it may never happen at all.

Free data recovery tools — readily available to anyone online — can scan a drive and recover deleted files in minutes. The same tools used by digital forensics professionals are available as consumer software. Your deleted business emails, customer spreadsheets and financial records may be sitting there, fully recoverable, on what you thought was a "wiped" device.

What Happens When You Do a Factory Reset?

A factory reset reinstalls the operating system to its default state. It is designed to make a device feel like new — not to destroy data. In most cases, a factory reset does one of two things:

• Reformats the drive, which marks all space as available but does not overwrite the data
• Reinstalls the OS partition, leaving previous data partitions intact and accessible with the right tools

Multiple academic studies and security research publications have demonstrated data recovery from factory-reset devices. In one well-known study, researchers purchased second-hand Android phones and recovered previous owners' photos, emails and login credentials from devices that had been factory reset before sale. The same applies to Windows and macOS devices.

What About Formatting the Drive?

A quick format — the default option in Windows — marks the file system as empty and rewrites the directory structure, but does not overwrite the underlying data. A full format in older versions of Windows did write zeros to the drive, but modern SSDs handle full format operations differently, and the result is not guaranteed to be as thorough as a dedicated data sanitisation process.

In any case, relying on format operations for business data destruction is not appropriate from a compliance perspective. You cannot obtain a verifiable Data Destruction Certificate for a DIY format, and you cannot demonstrate compliance to the ICO if challenged.

Why SSDs Are Harder to Wipe Than HDDs

Traditional hard disk drives (HDDs) store data on magnetic platters. Overwriting the data on every sector is a well-understood, reliable process. SSDs are different.

SSDs use flash memory and a wear-levelling algorithm that distributes writes across the drive to extend its life. This means that when you "write" to a particular logical address on an SSD, the data may actually be written to a different physical location, with the old data retained in a "reserved" area. This makes complete software-based overwriting of SSDs more complex than HDDs.

The correct approach for SSDs is to use the manufacturer's Secure Erase command (often called ATA Secure Erase or NVMe Sanitize), which is specifically designed to reset the drive at the controller level — or to physically destroy the drive.

What Is NIST 800-88 and Why Does It Matter?

NIST 800-88 is the internationally recognised standard for media sanitisation, published by the US National Institute of Standards and Technology. It defines three levels of sanitisation:

• Clear — logical overwriting techniques that protect against simple data recovery tools
• Purge — more thorough techniques including cryptographic erase and Secure Erase commands, protecting against laboratory recovery attempts
• Destroy — physical destruction rendering the media unusable and data unrecoverable by any means

For most business use cases, Purge-level sanitisation is appropriate for reusable hardware. Destroy is used for highly sensitive environments or hardware that will not be reused. The critical point is that whatever method is used, the process must be verified and documented — not just assumed.

What Certified Data Destruction Looks Like

When Complianta processes a device, the process is structured, verified and documented:

1. The device is received and logged with make, model and serial number
2. The appropriate sanitisation method is selected based on media type (HDD, SSD, NVMe) and client requirements
3. The sanitisation is performed and the result verified — pass or fail
4. If a drive fails to sanitise (e.g. due to a hardware fault), it is physically destroyed instead
5. A Data Destruction Certificate is issued, referencing the serial number, date, method and technician

This certificate is what you file with your GDPR documentation as evidence that data was destroyed in compliance with Article 5(1)(f) — the "integrity and confidentiality" principle.

The Business Consequences of Getting This Wrong

If a device containing recoverable business data reaches the wrong hands after disposal, the consequences can include:

• A mandatory data breach notification to the ICO (if personal data is involved)
• ICO investigation and potential enforcement action, including fines
• Regulatory consequences in specific sectors (finance, healthcare, legal)
• Reputational damage if the breach becomes public
• Liability claims from affected customers or employees whose data was exposed

None of these are hypothetical risks. The ICO publishes its enforcement actions, and a number involve data recovered from improperly disposed hardware.

The Simple Takeaway

Do not rely on delete, format or factory reset as your data destruction method for business devices. Use a certified IT disposal provider, obtain Data Destruction Certificates, and file them. It is simpler and less expensive than you think — and the alternative is not worth the risk.