Tech-for-good · London

What happens to your data when you recycle a computer?

When you recycle a computer, the data stored on its hard drive or SSD does not disappear — it remains on the storage medium until it is deliberately and permanently destroyed. Without certified data destruction before recycling, personal or business data can be recovered from a donated or recycled device by anyone with basic recovery software.

Business tech → someone's new start

Certified data destruction
WEEE-registered
Fully insured
Proudly London

One problem on each side. One simple loop.

The UK throws away around 1.65 million tonnes of electronic waste a year — the fastest-growing waste stream. At the same time, up to 19 million adults live in digital poverty, without the device they need to work, learn or stay connected.

Too much waste

Working devices stockpiled or sent to landfill, while their value and materials are lost.

Too little access

Millions can't afford a device to get online, find work, or reach health and public services.

Recycle4Charity closes the loop: redundant business tech becomes someone's new beginning.

For business

Compliant, certified IT disposal with zero hassle — and a social-impact report you can use.

For people

Free, refurbished devices for digitally-excluded Londoners, through trusted local partners.

For the planet

Every device reused or responsibly recycled. Less landfill, lower carbon.

How it works

1

Book a collection

Tell us roughly what you have.

2

We collect & log

We pick up and record every asset.

3

Certified data wipe

Secure destruction + a certificate.

4

Refurbish & rehome

Reuse what we can, recycle the rest.

5

Your impact report

Proof of where it all went.

Our impact so far

0
Devices rehomed
0
People connected
0
E-waste diverted
0
CO₂ saved

Launching 2026 — numbers update as we grow.

Frequently asked questions

No. Deleting files removes their entry in the file system index but leaves the data itself on the drive. Recovery software can retrieve deleted files in minutes. Only certified overwriting (wiping) or physical shredding permanently removes the data.

The data remains on the drive, accessible to whoever next has physical possession of it. If that data includes personal information, the organisation that owned the computer may be liable under UK GDPR for a data breach. The ICO can investigate and impose fines.

No. You must wipe the drive before donating, using certified overwriting software, or arrange for the charity or ITAD provider to wipe it before distribution. Donating a computer with data on the drive — even if you intended to delete it — can constitute a data breach.

Yes. Physical shredding destroys the storage medium regardless of type, including SSDs, because it physically fragments the NAND flash chips. Degaussing, by contrast, does not work on SSDs.

Ask for a certificate of data destruction for every collection, listing each device by serial number and specifying the method and standard applied. A reputable provider will issue this as standard. If a provider cannot or will not provide this documentation, that is a significant compliance risk.

Upgrading your office IT?

Turn your old kit into compliance, ESG impact and digital opportunity for someone who needs it.

The problem with “recycled” computers

When an organisation retires a computer — a desktop, laptop, or server — and sends it to a recycling centre or donates it, the assumption is often that the device is blank. It rarely is.

Research by independent security organisations over many years has found personal data — sometimes including financial records, medical files, and login credentials — on computers purchased second-hand from online marketplaces, charity shops, and IT resellers. The previous owners believed their data had been removed. In many cases, the drives had only been formatted, or the operating system had been reinstalled.

A formatted drive is not a wiped drive. A reinstalled operating system does not remove the data underneath it. Recovery tools — available free online — can retrieve files from drives that have been formatted, deleted, or even had a new operating system installed.

What data is typically at risk?

A business computer reaching end of life may contain:

  • Customer and client records (names, addresses, contact details, purchase history)
  • Employee personal information (payroll data, HR records, performance reviews)
  • Financial data (invoices, bank details, accounting records)
  • Intellectual property (contracts, proposals, internal strategy documents)
  • Credentials and authentication tokens (saved passwords, VPN certificates, session data)
  • Email archives containing any or all of the above

Under UK GDPR and the Data Protection Act 2018, personal data in any of these categories is subject to legal protection. Allowing it to leave your organisation’s control on an unwiped device constitutes a data breach — and could result in enforcement action by the Information Commissioner’s Office (ICO).

What happens to data during the recycling process?

This depends entirely on the recycling route you use.

General WEEE recycling without data destruction:
If a device is sent to a general e-waste recycler that does not offer data destruction, the drive will typically be removed and shredded along with other materials — but only after the device has passed through a facility where other people handled it. The data risk during that transit period is real.

Refurbishment and resale:
Some recyclers refurbish computers and resell them. If the drive is not wiped before refurbishment, the new user may be able to access the previous owner’s data. Reputable refurbishers wipe drives as a matter of course, but standards vary widely.

Donation without data destruction:
Computers donated to schools, charities, or community groups are sometimes set up directly without the previous user’s data having been removed. This is a well-documented source of data breaches in the charitable sector.

Certified IT asset disposal (ITAD):
A certified ITAD provider carries out data destruction — either wiping or shredding — before the device enters the recycling or refurbishment stream. The provider issues a certificate of data destruction as evidence. This is the only route that provides compliance assurance.

What should happen before a computer is recycled?

Before any computer leaves your organisation’s control, the following must occur:

  1. Data destruction: The drive must be wiped to a certified standard (NIST SP 800-88 or NCSC guidance) or physically shredded. Deletion and formatting are not sufficient.
  2. Verification: For software wiping, a verification report must confirm every sector was overwritten. For shredding, the chain of custody must be documented.
  3. Documentation: A certificate of data destruction must be issued and retained as compliance evidence.
  4. WEEE-compliant disposal: The hardware must be routed to an authorised treatment facility under the WEEE Regulations 2013, not sent to general waste.

For a step-by-step guide to wiping a laptop specifically, see our article on how to wipe a laptop before recycling.

Does the type of storage affect the risk?

Yes, significantly.

Traditional hard drives (HDDs): Data is written magnetically to spinning platters. Standard deletion leaves the data fully intact. Certified software wiping or physical shredding addresses this reliably.

Solid-state drives (SSDs): Data is stored in NAND flash memory. Standard overwrite tools may not reach all storage areas due to wear levelling. Certified firmware-level commands (ATA Secure Erase, NVMe Sanitise) or physical shredding are required. Degaussing has no effect on SSDs.

Hybrid drives: Contain both a magnetic platter and flash cache. Both components require treatment.

Understanding which type of drive a computer contains is the first step in selecting the appropriate destruction method.

The accountability gap in common practice

Many businesses believe they are compliant because they have “recycled” their old computers through a local scheme or donated them to charity. The accountability gap is this: unless they have a certificate of data destruction — a document recording what was destroyed, how, and when — they cannot demonstrate compliance if challenged.

The ICO’s accountability principle is explicit: data controllers must be able to demonstrate that they comply with the data protection principles, not simply assert it. “We recycled the computers” is an assertion. A certificate of data destruction is evidence.

For more on what the certificate should contain, see our guide to certificates of data destruction.

How Recycle4Charity handles data when recycling a computer

Recycle4Charity is a London-based Community Interest Company that collects computers and other IT equipment from businesses, carries out certified data destruction — wiping or shredding as appropriate — and issues a certificate of data destruction for every collection. Devices that pass wiping and a hardware quality check are donated free to digitally-excluded Londoners. Those that cannot be refurbished are recycled through WEEE-compliant routes.

Visit our data destruction for business page to find out more, or contact us to arrange a collection.

Why standards matter

Saying that data has been “destroyed” or “wiped” is not sufficient for compliance. UK GDPR’s accountability principle requires organisations to demonstrate compliance, not just assert it. That means being able to point to a specific, recognised standard that was applied, and to a verification record showing the standard was met.

Standards serve a second purpose: they resolve technical ambiguity. Questions such as how many overwrite passes are needed, which commands to use for SSD sanitisation, and what fragment size is required for shredded magnetic media — all of these have specific answers within recognised frameworks. Following a standard removes guesswork and gives auditors and regulators a common reference point.

For a broader introduction to the data destruction process, see our guide to what is secure data destruction.

NIST Special Publication 800-88 (Guidelines for Media Sanitisation)

NIST SP 800-88 is published by the National Institute of Standards and Technology in the United States and is the most widely cited international standard for media sanitisation. It is used extensively by UK private sector organisations and ITAD providers, and it is referenced by the ICO in its guidance on data deletion.

The three sanitisation levels

NIST SP 800-88 defines three levels of sanitisation:

Clear: Applies logical techniques to sanitise data in all user-addressable storage locations. For an HDD, this means overwriting the entire drive. For an SSD, it means using the ATA Secure Erase or NVMe Sanitise command. Clear is appropriate for media being reused within the same security domain.

Purge: Applies more rigorous techniques that render recovery infeasible even with state-of-the-art laboratory methods. For SSDs, Purge requires Secure Erase with an Enhanced Security Erase option, or NVMe Sanitise (Overwrite or Block Erase). For magnetic drives, Secure Erase or degaussing achieves Purge level. This is the level required for media leaving an organisation’s control.

Destroy: Physical destruction of the media. Disintegration, shredding, or incineration to the point where the storage medium cannot function as such. For highly sensitive data or end-of-life media with no residual value, physical destruction provides the strongest assurance.

Key points from NIST SP 800-88

  • A single overwrite pass is sufficient for modern drives. Multiple passes (seven, 35) are not required and are not recommended for contemporary media.
  • Degaussing achieves Purge level for magnetic drives but is completely ineffective for SSDs and flash memory.
  • All sanitisation activities should be documented, including the method, the tool used, the media identifier, and the person who performed the sanitisation.
  • The standard includes decision trees for selecting the appropriate sanitisation level by media type.

NCSC secure sanitisation guidance

The National Cyber Security Centre (NCSC) publishes guidance on secure sanitisation of storage media aimed at UK organisations, including businesses and public sector bodies. The NCSC guidance is broadly aligned with NIST SP 800-88 but uses UK terminology and is framed around the UK government’s security classification scheme.

Key points from NCSC guidance include:

  • Different sanitisation methods are appropriate for different media types. SSDs and flash memory cannot be degaussed and require firmware-level commands or physical destruction.
  • Physical destruction should render media unrecoverable to a level appropriate for the classification of data held.
  • Organisations should keep records of sanitisation activity, including the media identifier, method, date, and operator.
  • Where a product or service is used, organisations should be confident that it implements the required standard correctly — not simply accept marketing claims at face value.

The NCSC does not operate a formal product approval scheme for commercial ITAD services, but it does publish lists of assured products and services in relevant assurance programmes that organisations may wish to consult.

HMG IA Policy No.5 (Secure Sanitisation of Protectively Marked or Sensitive Information)

HMG IA Policy No.5 is a UK government policy that sets mandatory requirements for the sanitisation of media holding government-classified information (OFFICIAL, SECRET, and TOP SECRET under the Government Security Classifications). It specifies:

  • Required sanitisation methods for each classification level
  • Particle size requirements for physical destruction (expressed as maximum dimensions for shredded fragments)
  • Overwrite parameters for software sanitisation
  • Requirements for degaussing equipment

HMG IA Policy No.5 applies directly to government departments, agencies, and contractors handling classified information. For organisations that hold government contracts or process data classified under the scheme, the policy requirements are mandatory, not advisory.

The specific values — overwrite passes, particle sizes, degausser field strengths — are set out in the policy document, which is published by the Cabinet Office (see the NCSC secure sanitisation guidance at ncsc.gov.uk for current technical requirements).

Other relevant standards

ICO guidance on data deletion

The Information Commissioner’s Office publishes guidance on the secure deletion of personal data. It does not prescribe specific technical standards but expects organisations to follow recognised best practice, which in the UK context means NCSC guidance or NIST SP 800-88.

ISO/IEC 27001 and 27040

ISO/IEC 27001 (information security management systems) includes controls relating to media disposal, and ISO/IEC 27040 addresses storage security, including sanitisation. Organisations certified to ISO 27001 are expected to have documented and implemented media disposal procedures.

BS EN 15713 (Secure Destruction of Confidential Material)

This British Standard covers the secure destruction of confidential material, including procedures for mobile and off-site destruction services. It specifies particle sizes for different security grades and is relevant to providers of physical shredding services.

Which standard applies to your business?

Organisation type Applicable standard(s)
Private sector — personal data under UK GDPR NIST SP 800-88 and/or NCSC guidance
Public sector — government data NCSC guidance + HMG IA Policy No.5
Government contractor — classified data HMG IA Policy No.5 (mandatory)
ISO 27001 certified ISO 27001 Annex A + NIST SP 800-88 / NCSC
Healthcare (NHS) DSPT requirements + NCSC guidance
Financial services (FCA regulated) FCA operational resilience + NIST SP 800-88

For most UK businesses, NIST SP 800-88 applied by a certified ITAD provider, with NCSC guidance as the UK-specific reference, is the appropriate framework. The certificate of data destruction issued by the provider should name the standard applied.

For more on how these standards apply in practice, see our guide to data wiping vs shredding vs degaussing.

Recycle4Charity provides certified data destruction for London businesses, applying recognised standards and issuing a certificate of data destruction for every collection. Visit our data destruction for business page to find out more, or contact us to discuss your specific compliance requirements.

Why data centre decommissioning requires a formal process

A data centre holds more sensitive data per square metre than almost any other part of a business. Servers, storage arrays, network equipment, and even decommissioned UPS units may hold personal data, commercially sensitive information, or cryptographic material.

UK GDPR and the Data Protection Act 2018 require organisations to remain accountable for personal data until its verified destruction. The WEEE Regulations 2013 require that electrical equipment is disposed of through authorised channels. A decommission without documented process leaves your organisation exposed on both fronts.

The checklist below applies whether you are decommissioning a single server room, vacating a co-location facility, or retiring a full on-premises data centre.

The data centre decommissioning checklist

Phase 1: Planning and scoping

  1. Appoint a project owner. Assign a named individual responsible for sign-off at each stage. This person owns the audit trail.
  2. Inventory all assets. Conduct a full physical audit. Record every asset: serial number, make, model, location, and data classification of workloads previously hosted. Cross-reference against your configuration management database (CMDB) — discrepancies are common and must be resolved before disposal begins.
  3. Classify data by sensitivity. Identify which devices held personal data, financial records, or other regulated information. Data classification drives the destruction method required.
  4. Confirm dependencies. Verify that all workloads have been migrated or decommissioned before any hardware is touched. Premature disconnection of a live system can cause outages.
  5. Engage your ITAD provider early. Share your asset inventory with a certified IT asset disposal provider before the project starts. They can advise on data destruction methods, logistics, and documentation requirements. Our data centre IT recycling service is specifically designed for projects of this scale.

Phase 2: Data security

  1. Back up any data you intend to retain. Confirm backups are complete and verified before touching hardware.
  2. Revoke all active credentials and API keys associated with decommissioned systems. Update your identity management systems.
  3. Remove encryption keys from hardware security modules (HSMs) and TPM chips. Document this step with timestamps.
  4. Agree a data destruction standard. For overwriting, common standards include HMG Infosec Standard 5 and NIST 800-88. For physical destruction, confirm the shred size and the certification your provider issues. High-security environments may require on-site destruction — discuss this with your ITAD provider.
  5. Do not rely on factory resets alone. Factory resets on servers, storage arrays, and networking equipment do not reliably overwrite all data. Certified software erasure or physical destruction is required.

Phase 3: Physical removal

  1. Label and bag each asset individually. Maintain the link between physical device and serial number throughout transit. Tamper-evident bags or cages prevent unauthorised access.
  2. Document chain of custody at every transfer. A signed manifest should accompany every pallet or cage. Record who collected, when, and what vehicle registration was used.
  3. Handle specialist equipment separately. UPS batteries, cooling units, and cabling infrastructure follow different disposal routes. Confirm your ITAD provider can handle all asset types — or arrange separate streams.
  4. Photograph the empty racks before leaving the facility. This protects you if a dispute arises over what was collected.

Phase 4: Certified processing

  1. Confirm your ITAD provider is an authorised treatment facility (ATF) approved under the WEEE Regulations 2013. Ask for their registration number.
  2. Receive data destruction certificates for every storage-bearing device. Each certificate should cite the device serial number, destruction method, standard applied, and technician signature.
  3. Receive a full asset disposition report. This lists every serial number and its outcome: wiped and reused, donated, disassembled, or recycled.
  4. Obtain a WEEE transfer note. This is your legal evidence that electrical waste was transferred to an authorised facility.

Phase 5: Closure and reporting

  1. Update your asset register. Remove all decommissioned serial numbers and mark them as disposed with the date and method.
  2. File all certificates and transfer notes in your compliance records. ICO guidance on data security recommends retaining these for the duration of your data retention policy, and typically a minimum of three to five years.
  3. Notify relevant parties. If the data centre processed personal data on behalf of clients, notify them that destruction is complete and provide certificates as required under data processing agreements.
  4. Conduct a post-project review. Identify any gaps between the CMDB and the physical inventory found. Update asset tracking processes before your next refresh cycle.

Common mistakes to avoid

Most decommissioning failures come from the same sources: assets not captured in the original inventory, destruction certificates not requested or not retained, and WEEE documentation not obtained because the project moved too fast.

A rushed decommission that skips documentation can result in ICO enforcement action if a data breach is later traced to a disposed device. The ICO has fined organisations for inadequate data destruction practices — the evidence standard it expects is a certificate, not an assurance.

For an overview of what to expect from a certified server recycling service, read our dedicated guide on that topic.

Ready to plan your decommission? Talk to our data centre team for a scoping conversation and asset inventory support.

How IT Disposal Becomes a Data Breach

The connection between IT disposal and data breach is straightforward: when a device is retired and passes out of an organisation’s control — to a recycler, a second-hand market, a landfill or even a member of staff — any personal data remaining on its storage media is potentially accessible to whoever obtains the device.

Unlike a cyberattack, which requires an attacker to penetrate live systems, an IT disposal breach requires only that someone obtain a physical device and use widely available recovery software. Standard file deletion and drive formatting leave data recoverable. Even devices that appear blank often yield large amounts of data when examined by researchers using basic tools.

Researchers and journalists have repeatedly demonstrated this by purchasing second-hand hard drives from online marketplaces and finding detailed personal records: customer databases, employee files, medical records, financial correspondence and login credentials. When these findings are published, the organisations identified face ICO investigations.

What Makes IT Disposal Breaches Distinctive

Data breach risks from IT disposal differ from other types of breach in several important ways:

  • They are preventable: unlike a sophisticated cyberattack, a disposal breach can be entirely avoided by following a documented destruction process.
  • They are often discovered late: an organisation may not know a breach has occurred for weeks or months, until data appears publicly or a third party reports it.
  • They may be large in scale: a single server or file store can contain the records of thousands or tens of thousands of individuals.
  • They affect individuals who may have no current relationship with the organisation: customer data from years or decades past may still be on a device being retired today.

Devices Most Commonly Involved in Disposal Breaches

Device type Why it poses a risk
Desktop computers and laptops Used by employees over many years; contain documents, emails, credentials
Servers Hold databases, application data, backups — often very large volumes of personal data
Mobile phones and tablets Contact lists, emails, messaging apps, authentication apps, browser data
Printers and photocopiers Internal drives retain copies of scanned, printed and faxed documents
USB drives and backup tapes Portable; easily overlooked when auditing assets for disposal
Network switches and routers May hold configuration files containing credentials and internal network data

Photocopiers and multi-function devices deserve particular attention. Many organisations are surprised to learn that a standard office photocopier has an internal hard drive that stores images of every document scanned, copied or printed. Organisations that return leased photocopiers without clearing this drive routinely expose months of confidential correspondence.

What UK GDPR Requires When a Disposal Breach Occurs

Under UK GDPR Article 33, a personal data breach that is likely to result in a risk to the rights and freedoms of individuals must be reported to the ICO within 72 hours of the organisation becoming aware of it. A disposal breach — where personal data on a retired device has been, or may have been, accessed — will almost always meet this threshold.

The notification to the ICO must include:

  • a description of the nature of the breach, including the categories and approximate number of individuals and records affected
  • the contact details of the data protection officer or other contact point
  • a description of the likely consequences of the breach
  • a description of the measures taken or proposed to address the breach

Where the breach is likely to result in a high risk to individuals — for example, where financial data or special category data (health, biometric, criminal) has been exposed — those individuals must also be notified directly under Article 34.

The ICO’s Response to Disposal Breaches

The ICO treats IT disposal breaches seriously, particularly where they result from a failure to implement reasonable processes. Organisations that had no documented disposal procedure, did not obtain certificates of data destruction, or did not train staff on disposal obligations are in a weaker position than those that had appropriate processes in place.

Key aggravating factors the ICO considers include:

  • No written IT asset disposal policy
  • No due diligence on the ITAD provider used
  • No certificate of data destruction obtained
  • Previous warnings or incidents not addressed
  • Failure to notify the ICO promptly

Mitigating factors include prompt notification, full cooperation with the investigation, remediation steps taken quickly, and evidence that the organisation had appropriate policies in place that were not followed in the specific incident.

Under the DPA 2018 and UK GDPR, fines for the most serious infringements can reach £17.5 million or 4% of global annual turnover.

Building a Process That Prevents Disposal Breaches

Preventing data breach risks from IT disposal requires a documented, auditable process — not ad hoc decisions made by whoever happens to be clearing out equipment.

The key elements of a robust disposal process are:

  1. Asset tracking: maintain an accurate register of all IT assets, including their data classification and location. You cannot dispose of equipment safely if you do not know what you have.
  2. Defined triggers: specify the conditions — end of life, staff departure, office move, lease expiry — that trigger the disposal process.
  3. Certified data destruction: engage a reputable ITAD provider that uses certified data wiping (to a standard such as NIST 800-88) or physical destruction, and provides a certificate of data destruction for each device.
  4. Chain of custody: maintain documentation of the device from collection to destruction. Gaps in the chain of custody are a source of both breach risk and accountability failure.
  5. Record retention: retain certificates of data destruction and asset disposal records to satisfy the accountability principle.

Organisations that have previously experienced a disposal-related incident should review their process end to end and document what has changed.

Learn more about how certified data destruction works on our data destruction service page, and read our guide to GDPR data disposal duties for a step-by-step overview of your legal obligations.

To arrange secure disposal of end-of-life IT equipment for your organisation, contact Recycle4Charity.

Why Cleaning Before Donation Is Important

A laptop you donate may pass through several pairs of hands — a refurbisher, a volunteer, and eventually the recipient. Any personal data still on the drive — documents, passwords saved in a browser, email, banking details — could be accessed by anyone who handles the device.

Simply deleting files is not sufficient. Even formatting a drive does not guarantee data is gone. The only reliable approach is a full factory reset with data overwrite, or a certified data wipe using specialist software.

If you are not able to do this yourself, do not let that stop you donating. Recycle4Charity performs certified data destruction on every device we receive — you can donate the laptop as-is and we handle it securely. Find out more on our donate page.

Step 1: Back Up Anything You Want to Keep

Before wiping the device, save everything you want:

  • Documents, photos, and downloads to an external drive or cloud storage
  • Browser bookmarks (export from your browser’s settings menu)
  • Software licence keys (check your email inbox for original purchase confirmations)
  • Any locally saved passwords — export from your password manager or browser

Once the wipe is complete, nothing can be recovered.

Step 2: Sign Out of All Accounts

Sign out of every account tied to the device before resetting it. Failing to do this can leave accounts connected even after a reset.

Essential sign-outs:
– Apple ID / iCloud (on MacBooks: System Preferences → Apple ID → Overview → Sign Out)
– Microsoft account (Windows: Settings → Accounts → Your Info → Sign out)
– Google account (Chrome browser: profile icon → Sign out)
– Dropbox, OneDrive, and any other cloud sync services
– Any business VPN or remote access software

Step 3: Perform a Full Factory Reset

Windows 10 / Windows 11

  1. Open SettingsSystemRecovery
  2. Under “Reset this PC,” click Get started
  3. Choose Remove everything
  4. Select Remove files and clean the drive (not just “Remove files” — this overwrites the data)
  5. Confirm and allow the process to complete (this can take 1–3 hours)

macOS (Monterey 12.0 and later)

  1. Open System PreferencesGeneralTransfer or Reset
  2. Click Erase All Content and Settings
  3. Follow the prompts — macOS will sign you out of Apple ID automatically

macOS (Big Sur 11 and earlier)

  1. Restart in Recovery Mode: hold Command + R during startup
  2. Open Disk Utility → select your startup drive → Erase
  3. Format as APFS or Mac OS Extended (Journaled)
  4. Quit Disk Utility and select Reinstall macOS

Chromebook

  1. Sign out of your Google account
  2. Press Ctrl + Alt + Shift + R at the sign-in screen, or go to Settings → Advanced → Reset Settings → Powerwash
  3. Confirm and restart

Step 4: Verify the Wipe Completed Correctly

After the reset:
– The laptop should boot to a “Welcome” or setup screen as if it were new
– No user accounts, files, or installed applications should remain
– On Windows, confirm by completing a brief setup without signing in to a Microsoft account, then checking that Documents, Desktop, and Downloads folders are empty

Step 5: Physical Cleaning

A clean laptop is easier to refurbish and better for the person who receives it.

What you will need:
– Microfibre cloth
– Isopropyl alcohol (70% concentration) or screen-safe wipes
– Compressed air canister (optional but useful)

How to clean:

  1. Power off and unplug the laptop completely
  2. Keyboard: Use compressed air to blow out crumbs and debris between keys. Wipe the keycaps with a slightly dampened microfibre cloth
  3. Screen: Wipe gently with a dry microfibre cloth in circular motions. For smears, use a screen-safe wipe — never spray liquid directly onto the screen
  4. Lid and base: Wipe down with a microfibre cloth dampened with isopropyl alcohol. Pay attention to corners and vents
  5. Ports: Use a dry cotton swab to gently clean USB ports and headphone sockets
  6. Vents: Blow compressed air through the vents to clear dust — a dusty laptop runs hot and shortens component life

What to Include — and What to Leave Out

Include Leave out
Charger / power adapter Laptop bag or sleeve
Original box if available USB drives or SD cards
Any accessories that came with the laptop Old software discs

The charger is the most important accessory. A matching, working charger makes the device complete for the recipient and reduces costs for the charity.

Can Recycle4Charity Wipe the Laptop for Me?

Yes. If you cannot perform a factory reset — because you have forgotten the password, the operating system will not load, or you simply are not sure how — donate the laptop to us anyway. Every device Recycle4Charity receives is data-wiped to an ADISA-certified standard before anyone works on it. We issue a certificate of data destruction on request.

This means businesses and individuals with GDPR concerns can donate with confidence. For more on this, see our article on how to donate a laptop to charity, which covers the full donation process from start to finish.

Ready to donate your cleaned-up laptop? Book a free collection or drop-off — we handle the rest.

What is a linear economy?

The linear economy is the dominant model of the 20th century and, in most sectors, still the default today. Raw materials are extracted from the earth, manufactured into products, sold to consumers or businesses, used for a period, and then discarded. In economic terms, it is sometimes called the “take, make, waste” model.

For IT equipment, this plays out in a familiar cycle. A business buys new laptops. After three or four years, they are retired — sometimes because they have stopped working, more often because they feel slow compared to newer models. They go into a skip, a general waste stream, or — at best — a recycling bin that may or may not handle them correctly. The materials inside them are largely lost.

This model worked tolerably well when populations were smaller, materials were cheap, and the consequences of waste were less visible. None of those conditions hold today.

What is a circular economy?

A circular economy is designed to keep products, components, and materials in use for as long as possible, recovering value at every stage rather than discarding it. The Ellen MacArthur Foundation, which has led global circular economy thinking since 2010, describes it as a system that “decouples economic activity from the consumption of finite resources.”

In the circular model, the end of one product’s life is the beginning of another’s. A retired laptop can be refurbished and given to someone who needs it. If refurbishment is not possible, components can be harvested for repair of other devices. If components cannot be reused, materials can be recovered through certified recycling. At no stage does the device simply disappear into a waste stream.

Circular vs linear economy: a comparison

Dimension Linear economy Circular economy
Core logic Take, make, waste Reduce, reuse, recycle
Resource use Extract continuously Recover and recirculate
Product design Optimised for manufacture Optimised for longevity and disassembly
End of life Disposal Recovery and re-entry
Value model New = better Extended life = value
Environmental impact High and cumulative Reduced through closed loops
IT example Buy new laptop; skip old one Refurbish; donate; recycle certified
Business risk Supply chain volatility; regulatory exposure Greater resilience; ESG credentials

Why does the distinction matter for IT?

Electronics are among the most resource-intensive products made. A single laptop requires approximately 800 kg of raw materials to manufacture, including metals mined from some of the world’s most ecologically sensitive regions. The carbon emissions embedded in manufacturing a new device typically dwarf the emissions from using it over its operational life.

Yet the linear model encourages businesses to retire devices on a fixed schedule — often driven by manufacturer warranty cycles rather than actual device condition. Devices that still function are discarded because the administrative convenience of buying new outweighs the perceived value of extending existing ones.

The circular model challenges this. It asks: is this device genuinely at end of life, or is it simply at the end of a contract? Can it be refurbished for another three years? Can it serve another user — perhaps in a school, a charity, or a community organisation — at no cost to them?

How does Recycle4Charity apply circular thinking to IT?

Our model is built explicitly on the circular principle that reuse is preferable to recycling, and recycling is preferable to disposal.

When a London business retires a batch of laptops, desktops, or mobile devices and sends them to us, every device is assessed individually. Those that are functional — or can be repaired — are wiped securely, refurbished, and donated free of charge to digitally excluded Londoners. Those that cannot be refurbished are processed by certified WEEE recyclers who recover metals and materials rather than sending them to landfill.

The result is a measurable circular outcome: fewer new devices needed, fewer raw materials extracted, fewer emissions from manufacturing, and real technology access for people who would otherwise go without.

This is the practical difference between the linear and circular model in action. The linear approach says: buy new, dispose of old. The circular approach says: extend life, recover value, share access.

What are the barriers to circularity in IT?

Shifting from a linear to a circular approach is not without friction.

Data security concerns are the most common objection. Businesses worry that refurbished devices might retain sensitive data. Certified ITAD providers address this through documented data destruction processes — including software wiping to NCSC-approved standards and physical destruction where required — and issue certificates of data destruction for every asset.

Administrative complexity can deter businesses from engaging with refurbishment programmes. A good ITAD partner removes this barrier with collection logistics, asset tracking, and documentation handled end to end.

Procurement habits are harder to shift. Many organisations default to buying new because the process is familiar and the approval pathway is established. Circular procurement — buying refurbished, specifying longevity in contracts, planning for device recovery — requires a deliberate policy decision.

Each of these barriers is surmountable. The regulatory direction of travel — including the UK’s Environmental Reporting Guidelines and the growing prominence of ESG disclosure — is pushing businesses towards the circular model whether they are ready or not.

Explore the social and environmental impact of circular IT at Recycle4Charity, or read about what the circular economy means in practical terms for organisations managing IT assets.


Moving from linear to circular IT disposal starts with one conversation. Get in touch to arrange a collection and find out what your old devices can do next.

Where do the circular economy principles come from?

The Ellen MacArthur Foundation, established in 2010, is the most influential organisation advancing circular economy thinking globally. Its three core principles provide a practical framework for redesigning economic systems — not just improving them at the margins.

These principles are not abstract ideals. Each one has direct implications for how businesses design products, manage supply chains, handle waste, and report on environmental performance. For the IT sector specifically, they offer a clear blueprint for doing better.

Principle 1: Eliminate waste and pollution

The first principle holds that waste and pollution are not inevitable by-products of economic activity — they are the result of poor design choices.

In a conventional economy, a laptop is designed to be manufactured, sold, used for a few years, and discarded. The materials inside it — aluminium, copper, gold, rare earth elements — are extracted once, used once, and then largely lost. This is waste by design.

The circular alternative starts at the beginning: design products to last longer, be repaired more easily, and be disassembled at end of life so their materials can be recovered efficiently. Modular smartphones, such as those made by Fairphone, are a direct application of this principle. Their components can be replaced individually rather than rendering the entire device obsolete when one part fails.

For businesses disposing of IT equipment, this principle translates into a practical question: are you choosing a disposal route that recovers maximum value, or one that simply removes the inconvenience? Sending devices to a certified ITAD provider — rather than general waste — is the difference between elimination and contribution to the problem.

Principle 2: Circulate products and materials at their highest value

This is the principle that most people associate with the circular economy, and it is the one with the most immediate relevance to IT disposal.

“Highest value” is the key phrase. A working laptop has more value as a laptop than as a collection of metal and plastic. A working hard drive has more value as a storage device than as a source of recovered aluminium. The circular economy prioritises keeping things at their highest level of value for as long as possible.

The Ellen MacArthur Foundation describes two distinct cycles here:

The technical cycle covers products made from non-biological materials — electronics, plastics, metals. In this cycle, the preferred order is:
1. Maintain and extend product life
2. Reuse the whole product
3. Refurbish and redistribute
4. Remanufacture components
5. Recycle materials as a last resort

The biological cycle covers organic materials — food, cotton, wood — that can safely re-enter natural systems through composting or anaerobic digestion.

For IT equipment, the technical cycle is what matters. At Recycle4Charity, we apply this hierarchy directly. Every device collected from a London business is assessed. If it works, or can be made to work, it is refurbished and donated — keeping it circulating as a device rather than reducing it to raw materials. Only when refurbishment is not possible do we move to recycling through certified WEEE partners.

This is also the principle that makes IT reuse a stronger environmental choice than IT recycling. Recycling recovers materials but destroys the embodied value of the device. Reuse preserves it.

Principle 3: Regenerate natural systems

The third principle extends beyond products and materials to consider the broader impact on natural systems.

For biological materials, this means returning nutrients to the soil rather than losing them to landfill or incineration. For the technology sector, the connection is less direct but still meaningful. Every device that is reused rather than discarded reduces demand for new manufacturing. Less manufacturing means less mining, less energy consumption, less habitat disruption, and fewer carbon emissions.

The extraction of materials used in electronics — including cobalt, lithium, tin, and rare earth elements — has significant environmental and human costs. Mines in the Democratic Republic of Congo, Chile, and Indonesia supply materials that end up in devices used globally. Extending device life through reuse and refurbishment directly reduces the pressure on those extraction systems.

Regenerating natural systems also means choosing suppliers and partners who operate responsibly. Certified ITAD providers, like Recycle4Charity, process equipment in controlled environments rather than exporting it to informal recycling markets, where inadequate handling causes serious pollution and harm to workers and communities.

How do these principles apply together?

The three principles work as a system, not a checklist. Eliminating waste requires designing for circulation. Circulating at highest value requires not contaminating or destroying materials unnecessarily. And regenerating natural systems requires both of the first two, applied consistently.

For an IT director or sustainability manager reviewing their organisation’s asset disposal process, the principles translate into practical questions:

  • Are we choosing a disposal partner who prioritises reuse before recycling?
  • Are we documenting the outcome — devices donated, materials recovered, waste diverted — to support our ESG reporting?
  • Are we applying circular thinking at the procurement stage, not just at disposal?

These are not rhetorical questions. Each one has a measurable answer, and increasingly, investors, clients, and regulators want to see that answer.

To understand the social and environmental impact of circular IT practices, explore our impact data. For businesses managing IT asset disposal, our WEEE recycling and ITAD services are built around these three principles from the ground up.


Putting circular economy principles into practice starts with a single decision: what happens to your old IT equipment. Contact our team to find out how we can help.

Why look at tech for circular economy examples?

Technology is both one of the most resource-intensive industries on the planet and one of the most promising candidates for circular transformation. Electronics contain dozens of valuable materials — gold, copper, cobalt, lithium, rare earth elements — that are expensive to extract, geopolitically sensitive to source, and frequently lost when devices are discarded.

At the same time, the tech sector has characteristics that make circularity achievable: global supply chains capable of reverse logistics, established repair ecosystems, and a growing market for refurbished devices. The examples below illustrate what circularity looks like at different scales and in different contexts.

Example 1: Modular design — Fairphone

Fairphone, a Dutch electronics manufacturer, has built its entire product line around the principle of repairability. Its smartphones are designed so that users — not just technicians — can replace the battery, screen, camera, and other components without specialist tools.

This is circular design applied at the product level. Rather than engineering a device that becomes obsolete when one part fails, Fairphone engineers for longevity. Spare parts are sold directly to consumers. The company also publishes repairability scores and sustainability reports.

The result is a device with a significantly longer usable life than a conventional smartphone. The Ellen MacArthur Foundation has cited modular design as one of the clearest examples of circular economy principles applied in the technical cycle.

Fairphone is a small manufacturer, but its model demonstrates what is possible when the principles of circular economy shape the design brief from the outset.

Example 2: Manufacturer take-back schemes

Several major technology manufacturers have introduced take-back or trade-in programmes as a response to growing regulatory and consumer pressure. Apple, Dell, HP, and Lenovo all operate schemes that allow customers to return old devices.

These programmes vary significantly in quality. Some genuinely prioritise refurbishment and resale — keeping devices in use as devices rather than breaking them down for materials. Others primarily serve as a disposal channel, with recycling (rather than reuse) as the primary outcome.

The value of take-back schemes depends entirely on what happens to devices after collection. A scheme that refurbishes 80% of returned devices and recycles 20% is doing very different work from one that recycles all returns. Businesses evaluating manufacturer take-back options should ask for data on refurbishment rates, not just “recycling” rates.

The UK’s Waste Electrical and Electronic Equipment (WEEE) Regulations place obligations on producers to fund the collection and treatment of waste electronics. Take-back schemes are one mechanism through which manufacturers meet those obligations.

Example 3: The refurbished device market

The global market for refurbished smartphones and laptops has grown substantially in recent years. Refurbished devices are pre-owned products that have been inspected, cleaned, repaired where necessary, and certified to a performance standard before resale.

For consumers and organisations buying refurbished, the appeal is clear: lower price, equivalent function. For the circular economy, the appeal is equally clear: a refurbished device is a device kept in use rather than one prematurely discarded.

The refurbished market operates across multiple channels — manufacturer-certified programmes, specialist retailers, and social enterprises. Quality standards vary, so buyers should look for graded, tested devices with documented refurbishment processes.

Example 4: Corporate IT refurbishment and donation — the Recycle4Charity model

Recycle4Charity operates a model that demonstrates what circular IT looks like in a London business context.

When an organisation retires its IT equipment — laptops, desktops, monitors, tablets, phones — we collect it, handle secure data destruction, and assess every device. Those that are functional are refurbished and donated free of charge to digitally excluded Londoners, through partnerships with schools, charities, and community organisations across the city.

This is a circular model with a social dimension. The business gets certified data destruction, documented asset disposal, and the ability to report on devices donated and waste diverted. The recipient gets technology they could not otherwise afford. The device gets a second life rather than a premature end.

For businesses with ESG reporting obligations, this kind of circular outcome — devices reused, waste diverted, social impact created — is precisely what sustainability disclosures are meant to reflect. Our impact page shows the numbers behind our work.

Where devices cannot be refurbished, we work with certified WEEE recycling partners. Nothing goes to landfill. This reflects the priority order of the waste hierarchy: reuse first, then recycle, never dispose.

Example 5: Leasing and product-as-a-service models

Some technology companies have moved away from selling devices altogether, instead offering them on a subscription or lease basis. Under this model, the manufacturer retains ownership of the device throughout its life and takes it back at the end of the contract for refurbishment or recycling.

This “product as a service” approach aligns the manufacturer’s incentives with device longevity: if they own the device, they have a financial reason to make it last as long as possible.

Examples include managed device programmes from major manufacturers and specialist leasing companies. The model is growing in the enterprise IT sector, where predictable monthly costs and guaranteed replacement cycles are attractive to finance teams.

What do these examples have in common?

Each of these circular economy examples in tech shares a common logic: treat the device as an asset rather than a consumable. Design it to last. Plan for its recovery. Make reuse the preferred outcome over recycling, and recycling the preferred outcome over disposal.

For most organisations, the most accessible starting point is not product design or take-back scheme management — it is the decision of what to do when devices are retired. Choosing a certified ITAD partner who prioritises refurbishment and donation is the single most impactful circular action available to the average London business.

Read more about the principles that underpin the circular economy or explore our business IT disposal and WEEE recycling services.


Ready to make your next IT refresh a circular one? Get in touch with Recycle4Charity and we’ll handle the rest.

Why a certificate of data destruction matters

UK GDPR does not simply require organisations to destroy personal data — it requires them to be able to demonstrate that they did so. Article 5(2), the accountability principle, places the burden of proof on the data controller. When the Information Commissioner’s Office (ICO) investigates a data breach or a complaint about improper disposal, it will ask what evidence the organisation holds to show that data was destroyed correctly.

A certificate of data destruction is that evidence. Without one, an organisation is in the position of asserting compliance without being able to prove it. With one, it can point to a specific document recording the device, the method, the date, and the party responsible.

The certificate also protects the organisation in other scenarios: when demonstrating compliance to clients or auditors, when responding to a subject access request that asks whether data has been deleted, and when managing claims arising from a data incident.

What should a certificate of data destruction contain?

A well-formed certificate of data destruction should include all of the following:

  • Name and contact details of the provider: The organisation that carried out the destruction, including their registered address and any certification numbers relevant to their accreditation.
  • Name and address of the client: The organisation that commissioned the destruction — your business.
  • Date of destruction: The date on which destruction was completed, not the date of collection.
  • Device identifiers: For each device destroyed, the make, model, and serial number (or asset tag if the serial number is unreadable). Batch certificates should list all devices or reference a separate schedule.
  • Destruction method: Whether the data was destroyed by software overwriting, degaussing, or physical shredding.
  • Standard applied: The specific standard the destruction was carried out to — for example, NIST Special Publication 800-88 for software wiping, or the relevant NCSC/HMG IA Policy No.5 particle size for physical shredding.
  • Verification statement: Confirmation that the destruction was verified — for software wiping, this means a verification pass; for physical shredding, a chain-of-custody record and witnessed destruction or equivalent.
  • WEEE disposal confirmation: A statement confirming that residual material was recycled in compliance with the WEEE Regulations 2013 through an authorised treatment facility.
  • Signature and authorisation: The certificate should be signed by an authorised representative of the provider.

Some certificates also include a unique certificate reference number, which allows the document to be cross-referenced against the provider’s internal records if questions arise later.

What a certificate of data destruction does not cover

A certificate is only as reliable as the process behind it. A document that lists devices and claims destruction occurred is not meaningful unless the provider can demonstrate:

  • That the devices listed were in their custody
  • That the destruction method described was actually applied
  • That verification occurred (for wiping) or that the chain of custody is unbroken (for shredding)

When selecting a provider, ask how they record device identifiers before destruction, how they verify the process, and whether they can provide evidence to support the certificate if it is ever challenged.

How long should you keep a certificate?

UK GDPR does not specify a retention period for compliance documents. As a general principle, certificates should be kept for as long as the personal data they relate to would have been retained — and for any period during which a regulatory or legal challenge to the disposal could arise. In practice, many organisations retain destruction certificates for a minimum of five to seven years.

Store certificates alongside your IT asset register and your data retention policy so that the full lifecycle of each device — from procurement to destruction — can be traced if needed.

Template: key fields to include

If your organisation carries out in-house data destruction and needs to create its own certificate, the document should capture all the fields listed above. A simple template structure might look like this:

Certificate of Data Destruction

Field Value
Certificate reference [unique number]
Issuing organisation [name, address, contact]
Client organisation [name, address]
Collection date [date]
Destruction date [date]
Destruction method [wiping / degaussing / shredding]
Standard applied [e.g. NIST SP 800-88 / NCSC guidance]
WEEE disposal [confirmed / provider name]
Authorised signatory [name, title, signature]

A separate schedule attached to the certificate should list every device by make, model, serial number, and the individual verification result (for wiping) or confirmation of inclusion in the shredded batch.

Recycle4Charity’s approach

Recycle4Charity issues a certificate of data destruction with every collection. The certificate records each device individually, specifies the destruction method and the standard applied, and confirms WEEE-compliant recycling of residual material. Devices that pass certified wiping and a hardware quality check are refurbished and donated free to digitally-excluded Londoners — so your compliance documentation comes with a social benefit.

For an overview of the data destruction methods we use, see our guide to what is secure data destruction. To arrange a collection and receive your certificate, visit our data destruction for business page.

What determines how long a business laptop lasts?

Business laptops are built to a higher standard than consumer models, but they still have finite working lives. Several factors determine where in the three-to-five-year window a specific device falls.

Manufacturer support is often the defining constraint. When a laptop model reaches end of support, the manufacturer stops issuing firmware updates and the operating system vendor may stop issuing security patches. Running unsupported hardware is a security risk that most IT teams cannot accept, regardless of whether the device still functions.

Battery degradation affects usability rather than function. Most lithium-ion laptop batteries retain reasonable capacity for two to three years of full-time use, after which charge duration drops noticeably. A laptop tethered permanently to a power cable is a mobility asset that has lost its main advantage.

Component performance relative to software requirements changes over time. A laptop that handled business applications well in year one may struggle by year four as software updates, browser engines, and collaboration tools grow more demanding.

Physical wear — keyboard failures, hinge damage, worn trackpads — tends to accumulate in year four and beyond, particularly on devices used intensively or transported frequently.

What are the signs a business laptop should be replaced?

Performance has degraded noticeably

Slow boot times, frequent freezes, and applications taking longer to load than on comparable newer devices are indicators that hardware is no longer keeping pace with software demands. Before assuming replacement is needed, rule out software causes — malware, accumulated startup items, or a failing hard drive can mimic age-related slowdown. If a clean install does not resolve the issue, hardware is likely the constraint.

The battery no longer supports a working day

Most organisations expect a laptop to support a full working day away from a power source. When battery life drops below four hours under typical use, productivity suffers. Battery replacement is possible and sometimes economical, but on older models the labour cost plus the cost of a compatible battery may approach the residual value of the device.

Manufacturer support has ended

Check the manufacturer’s support lifecycle for each model in your fleet. Microsoft, Lenovo, HP, Dell, and Apple all publish end-of-support dates. A device that no longer receives security patches is a liability regardless of physical condition. This is the point at which even well-functioning hardware should be considered for retirement.

Repair costs exceed residual value

The general rule is that a single repair costing more than 50% of the device’s current replacement cost signals it is time to retire. Track repair history by serial number — devices that have required multiple repairs in their fourth or fifth year are poor candidates for continued service.

The device cannot run your standard image

If a planned operating system upgrade or enterprise software deployment requires hardware that a laptop cannot meet — RAM thresholds, TPM version, storage capacity — that device will need to be excluded from your standard environment. Managing a split fleet with different software configurations adds administrative overhead that often outweighs the cost of refreshing.

How do refresh cycles affect disposal planning?

Most IT managers plan laptop refreshes on a rolling basis — replacing a proportion of the fleet each year to avoid a large capital outlay in a single budget period. A three-year rolling refresh means roughly one third of devices are retired annually. A four-year cycle means one quarter.

Planning the disposal of outgoing devices at the same time as planning the refresh is good practice. It avoids a situation where retired hardware accumulates in a store cupboard with data still present on drives.

Our IT refresh cycle guide goes into more detail on planning refresh schedules and how to align disposal with procurement.

What happens to retired laptops?

Laptops that are three to four years old and still functional often have useful life remaining. Recycle4Charity assesses each device and, where it meets our criteria, donates it free of charge to digitally excluded Londoners. A laptop that is no longer suitable for your corporate environment can still make a real difference for someone who has none.

Devices that do not qualify for reuse are recycled through a certified process. Data destruction is completed first, followed by disassembly and materials recovery. You receive documentation for every device. Read our full guide to laptop recycling for businesses for details on what the process involves.