IT equipment disposal: How to stay GDPR compliant

IT equipment disposal is often treated as a straightforward operational task. However, studies consistently show that discarded hardware frequently still contains recoverable information. Research by the University of Hertfordshire’s Cyber Security Centre found that 65% of second-hand memory cards held recoverable data. 

The General Data Protection Regulation (GDPR) sets clear legal requirements for how organisations handle personal dataInformation which relates to an identified or identifiable natural person.. Organisations are expected to take reasonable steps to delete data when it is no longer accurate or required, and to protect both the data and the equipment used to store it against unauthorised access throughout its lifecycle. 

As equipment refresh cycles become more frequent, disposal decisions are routinely made across IT facilities and procurement teams. This makes clear controls, consistent processes, and defensible documentation essential. 

In this blog, we detail the GDPR risks associated with IT equipment disposal. With industry insights from Jack Cartwright at Innovent Recycling, we cover what compliant decommissioning looks like in practice, and how organisations can evidence secure and accountable disposal.  

Note on GDPR scope: References to the GDPR in this blog cover both the UK GDPRThe UK General Data Protection Regulation. Before leaving the EU, the UK transposed the GDPR into UK law through the Data Protection Act 2018. This became the UK GDPR on 1st January 2021 when the UK formally exited the EU. and EU GDPRRegulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data (General Data Protection Regulation).. Whilst there are differences between the two regimes, these are not material to the context of IT equipment disposal and personal data destruction. Organisations should always consider the version of the GDPR that applies in their jurisdiction.  

• Why IT equipment disposal is a GDPR compliance risk 
• GDPR principles that apply to IT equipment disposal 
• Software wiping vs physical destruction 
• How to securely destroy data on end-of-life IT equipment 
• What to look for in a GDPR-compliant destruction provider 
• How to prove GDPR-compliant IT equipment disposal 
• How long should equipment disposal records be kept? 
• FAQs 

Why IT equipment disposal is a GDPR compliance risk 

For many organisations, IT equipment disposal is treated as an operational or facilities task. Once a device is no longer in active use, it is often assumed to be ‘out of scope’ from a data protection perspective. Disposal also introduces operational complexity. It often involves multiple teams, handovers, and external suppliers, which increases the likelihood of gaps in ownership and oversight. 

GDPR risk arises where personal data remains stored on retired equipment that has not been securely sanitised. If that data can still be recovered, organisations may be unable to demonstrate compliance. 

The UK’s Information Commissioner’s OfficeThe United Kingdom’s independent ‘supervisory authority’ for ensuring compliance with the UK GDPR, Data Protection Act 2018, the Privacy and Electronic Communications Regulations etc. (ICOThe Information Commissioner's Office (ICO) is the United Kingdom’s independent supervisory authority for upholding information rights in the public interest, ensuring compliance with the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).) makes clear that electronic records must be destroyed using methods that prevent disclosure before, during, and after disposal. Where controls are weak, personal data may be recoverable, which creates a risk of unauthorised access and non-compliance with GDPR requirements.  

Guidance from the ICO 

GDPR principles that apply to IT equipment disposal

The GDPR does not dictate how organisations must destroy IT equipment. Instead, it sets out principles-based obligations that shape how disposal decisions should be made. The law focuses on outcomes such as irrecoverability, chain of custody, and accountabilityPerhaps the most important GDPR principle, which requires controllers to take responsibility for complying with the GDPR and, document their compliance., rather than mandating specific processes or data disposal technologies.  

For organisations managing IT equipment disposal, these GDPR principles and obligations are particularly relevant: 

• Storage LimitationThe fifth GDPR principle which requires organisations to only store data for as long as it is needed.  
  Personal data must not be kept longer than necessary. Article 5(1)(e) GDPR 
  When equipment reaches end of life, organisations must ensure that any personal data stored on it is securely erased or destroyed. Retired equipment can often contain data but no longer has a lawful purpose, creating compliance risk without any operational benefit.

• Accountability    
  Organisations that decide how and why personal data is processed are known as data controllers. They are responsible for demonstrating compliance with the GDPR through documented processes and records. Article 5(2) GDPR 
  This means it is not enough to assume data has been destroyed or to rely on verbal assurances from suppliers. Organisations need evidence that disposal was carried out securely.

• Security of processing      
  Organisations must implement ‘appropriate technical and organisational measures’ to ensure a level of security appropriate to the risk. Article 32 GDPR 
  Security obligations still apply until data is irrecoverable, including during storage, transport, and destruction. 

• Processor oversight      
  When organisations outsource data processing activities, the third-party acts as a processor under the GDPR. The controller must only use processors that provide ‘sufficient guarantees’ of GDPR compliance. Article 28 GDPR 
  Outsourcing disposal does not transfer accountability, and organisations remain responsible for ensuring providers follow secure, verifiable processes. 

Software wiping vs physical destruction

The choice between software wiping and physical destruction isn’t a technical preference but rather a risk decision. The appropriate method depends on device condition, data sensitivity, reuse intentions, and the organisation’s risk tolerance. 

Software Wiping 

This is best suited for functional devices intended for reuse or resale. Recognised standards include NIST 800-88 Rev. 2, which provides Clear, Purge, and Destroy guidance for different media types. 

Software wiping supports environmental sustainability by enabling device reuse. However, some Hard Disk Drives (HDDs) and Solid State Drives (SSDs) may contain hidden blocks that sanitisation tools cannot overwrite, and non-functional drives cannot be reliably sanitised. 

Physical Destruction

In all cases, destruction must be proportionate to risk. It’s typically appropriate when devices are damaged, at end-of-life, or contain higher-risk personal data such as special category dataTypes of personal data listed in Article 9(1) GDPR that are considered sensitive and thus require extra protection. Article 9(1) lists data relating to: • racial or ethnic origin • political opinions • religious or philosophical beliefs • trade union membership • genetic data • biometric data • health • sex life • sexual orientation Where these types of personal.... Common methods include shredding (often to 6-10mm particle sizes), crushing, and degaussing for magnetic media. 

For larger organisations, physical destruction is generally delivered at scale through specialist providers. This approach supports consistency across sites, provides clear chain of custody, and standardised documentation. 

Small companies may be able to carry out physical destruction internally, provided it is done using the right methods and controls. Where destruction is performed in-house, it’s essential to document when, how, and by whom, and to retain records confirming that data was rendered irrecoverable. 

How to securely destroy data on end-of-life IT equipment

Secure data destruction is not just about the moment a device is wiped or shredded. From a GDPR perspective, it’s about maintaining control over personal data until it’s irrecoverable. 

Organisations should consider these key factors: 

On-site vs off-site: On-site destruction provides highest assurance. Off-site may suit lower-risk devices with appropriate controls. 

Audit rights: Contracts should allow you to verify compliance. 

Turnaround times: Longer storage periods before destruction may increase risk. 

Geographical coverage: Important for organisations with multiple UK locations. 

Due diligence should prioritise security, documentation, and accountability. The lowest-cost option may not provide sufficient controls. 

What to look for in a GDPR-compliant destruction provider

Where destruction is performed by an outsourced provider, the disposal becomes a processor relationship under the GDPR. This means organisations must select providers that can demonstrate appropriate safeguards and support accountability. 

You should ensure providers can evidence these key areas: 

• Robust information security controls such as ISO 27001 certification  
• Environment Agency waste carrier registration, confirming that equipment is transported and handled lawfullyIn data protection terms, 'lawfully' must satisfy one of the appropriate lawful basis for processing and must not contravene any other statutory or common law obligations. and traceably throughout the disposal processA series of actions or steps taken in order to achieve a particular end. 
• Compliance with Waste Electrical and Electronic Equipment (WEEE) regulations 
• Documented chain of custody controls for collection, transport, and storage 
• Appropriate staff vetting, including Disclosure and Barring Service (DBS) checks for personnel handling equipment that might contain personal data  
• Secure facilities such as controlled access and CCTV to reduce the risk of loss, theft, or unauthorised access before destruction takes place 

For organisations seeking extra assurance, guidance from the UK’s National Cyber Security Centre (NCSC) can be helpful, including practical information on secure sanitisation of storage media and its Sanitisation Assurance Scheme (CAS(S)). 

How to prove GDPR-compliant IT equipment disposal 

Clear documentation is essential for demonstrating GDPR compliance. In practice, this starts with a well-defined IT asset disposal policy that sets out when devices are decommissioned, how data is erased or destroyed, who is responsible at each stage, and when third-party providers are used. 

These records are often requested during audits, investigations, or supplier reviews. They form a critical part of demonstrating GDPR accountability: 

• Asset inventories linking devices to disposal actions, including serial numbers, device types, and data classifications 
• Certificates of destruction tied to individual assets, including date, method, device identifiers, and confirmation of irrecoverability 
• Processor contracts where disposal is outsourced, clearly setting out roles, responsibilities, security measures, and oversight arrangements 
• Records of Processing Activity (RoPA) reflecting how disposal is handled, including retentionIn data protection terms, a defined period of time for which information assets are to be kept. and destruction processes 

For in-house disposals, organisations should also retain training records for staff involved and verification evidence confirming data is irrecoverable, particularly where devices are wiped and reused rather than physically destroyed. 

How long should records be kept?

Whilst the GDPR does not specify retention periods for destruction records, retaining documentation for a minimum of six years aligns with UK limitation periods. Some regulated sectors, such as Finance and Healthcare, may require longer.  

Destruction is not a single action but part of a controlled data lifecycle. Evidence may be required years after disposal. 

Data retentionData retention refers to the period for which records are kept and when they should be destroyed. Under the General Data Protection Regulation (GDPR), data retention is a key element of the storage limitation principle, which states that personal data must not be kept for longer than necessary for the purposes for which the personal data are processed. and the GDPR: Best practices for compliance 

Frequently asked questions 

Do different data types require different destruction methods? 

Yes. Data Protection Impact AssessmentA formal documented assessment which allows decision-makers to identify, manage and mitigate any data protection risks associated with a project. (DPIA) outcomes, data sensitivity, and organisational risk appetiteThe level of risk an organisation or individual is willing to accept before determining it is necessary to reduce that risk. should inform the appropriate level of destruction. 

Is physically damaging a drive ourselves sufficient? 

Typically, no. Informal methods such as drilling holes rarely render data fully unrecoverable and provide no accountability documentation. 

Can devices be reused after software sanitisation? 

Yes. Certified sanitisation allows devices to be safely reused or remarketed, provided records confirm secure erasure. 

How much does GDPR-compliant destruction cost? 

Costs vary by volume, location, and whether destruction is on-site or off-site. Bulk off-site destruction is generally lower cost, whilst on-site shredding involves higher operational expense. 

Need support with data protection compliance or IT equipment disposal? 

The DPO Centre provides expert outsourced data protection services, including fractional Data Protection Officers, to help organisations manage GDPR obligations across the data lifecycle. 

For secure and compliant IT equipment destruction in the UK, Innovent Recycling provides certified data destruction services aligned with GDPR, WEEE, and relevant standards. 

In case you missed it…

• Data retention and the GDPR: Best practices for compliance
• ISO 27701:2025 update: What’s changed and why it matters
• Governing AI agents: What organisations need to consider