← Blog ·

Certificate of data destruction: what it is and what it must contain

A certificate of data destruction is a formal document confirming that specified storage devices have been permanently destroyed and identifying the method, standard, and date of destruction. Under UK GDPR's accountability principle, it is the primary evidence an organisation can produce to demonstrate that personal data was disposed of lawfully and securely.

Why a certificate of data destruction matters

UK GDPR does not simply require organisations to destroy personal data — it requires them to be able to demonstrate that they did so. Article 5(2), the accountability principle, places the burden of proof on the data controller. When the Information Commissioner’s Office (ICO) investigates a data breach or a complaint about improper disposal, it will ask what evidence the organisation holds to show that data was destroyed correctly.

A certificate of data destruction is that evidence. Without one, an organisation is in the position of asserting compliance without being able to prove it. With one, it can point to a specific document recording the device, the method, the date, and the party responsible.

The certificate also protects the organisation in other scenarios: when demonstrating compliance to clients or auditors, when responding to a subject access request that asks whether data has been deleted, and when managing claims arising from a data incident.

What should a certificate of data destruction contain?

A well-formed certificate of data destruction should include all of the following:

  • Name and contact details of the provider: The organisation that carried out the destruction, including their registered address and any certification numbers relevant to their accreditation.
  • Name and address of the client: The organisation that commissioned the destruction — your business.
  • Date of destruction: The date on which destruction was completed, not the date of collection.
  • Device identifiers: For each device destroyed, the make, model, and serial number (or asset tag if the serial number is unreadable). Batch certificates should list all devices or reference a separate schedule.
  • Destruction method: Whether the data was destroyed by software overwriting, degaussing, or physical shredding.
  • Standard applied: The specific standard the destruction was carried out to — for example, NIST Special Publication 800-88 for software wiping, or the relevant NCSC/HMG IA Policy No.5 particle size for physical shredding.
  • Verification statement: Confirmation that the destruction was verified — for software wiping, this means a verification pass; for physical shredding, a chain-of-custody record and witnessed destruction or equivalent.
  • WEEE disposal confirmation: A statement confirming that residual material was recycled in compliance with the WEEE Regulations 2013 through an authorised treatment facility.
  • Signature and authorisation: The certificate should be signed by an authorised representative of the provider.

Some certificates also include a unique certificate reference number, which allows the document to be cross-referenced against the provider’s internal records if questions arise later.

What a certificate of data destruction does not cover

A certificate is only as reliable as the process behind it. A document that lists devices and claims destruction occurred is not meaningful unless the provider can demonstrate:

  • That the devices listed were in their custody
  • That the destruction method described was actually applied
  • That verification occurred (for wiping) or that the chain of custody is unbroken (for shredding)

When selecting a provider, ask how they record device identifiers before destruction, how they verify the process, and whether they can provide evidence to support the certificate if it is ever challenged.

How long should you keep a certificate?

UK GDPR does not specify a retention period for compliance documents. As a general principle, certificates should be kept for as long as the personal data they relate to would have been retained — and for any period during which a regulatory or legal challenge to the disposal could arise. In practice, many organisations retain destruction certificates for a minimum of five to seven years.

Store certificates alongside your IT asset register and your data retention policy so that the full lifecycle of each device — from procurement to destruction — can be traced if needed.

Template: key fields to include

If your organisation carries out in-house data destruction and needs to create its own certificate, the document should capture all the fields listed above. A simple template structure might look like this:

Certificate of Data Destruction

Field Value
Certificate reference [unique number]
Issuing organisation [name, address, contact]
Client organisation [name, address]
Collection date [date]
Destruction date [date]
Destruction method [wiping / degaussing / shredding]
Standard applied [e.g. NIST SP 800-88 / NCSC guidance]
WEEE disposal [confirmed / provider name]
Authorised signatory [name, title, signature]

A separate schedule attached to the certificate should list every device by make, model, serial number, and the individual verification result (for wiping) or confirmation of inclusion in the shredded batch.

Recycle4Charity’s approach

Recycle4Charity issues a certificate of data destruction with every collection. The certificate records each device individually, specifies the destruction method and the standard applied, and confirms WEEE-compliant recycling of residual material. Devices that pass certified wiping and a hardware quality check are refurbished and donated free to digitally-excluded Londoners — so your compliance documentation comes with a social benefit.

For an overview of the data destruction methods we use, see our guide to what is secure data destruction. To arrange a collection and receive your certificate, visit our data destruction for business page.

Blog

Frequently asked questions

No legislation uses that specific term, but UK GDPR's accountability principle requires organisations to demonstrate compliance with data protection obligations. A certificate of data destruction is the standard way to hold that evidence, and most auditors and regulators will expect to see one.

Yes, if you carry out data destruction in-house. The certificate must accurately record the device identifiers, the destruction method, the standard applied, the verification outcome, and the date. If you use a third-party provider, the certificate should be issued by them on their headed paper.

This is a significant gap in your compliance evidence. Request that the provider issue one for every collection, or consider using a provider that does so as standard. Without a certificate, you cannot demonstrate to the ICO or to auditors that destruction was carried out.

Devices can be grouped on a single certificate, provided the certificate includes a full schedule listing every device individually (by serial number or asset tag). A certificate that simply states "50 hard drives were destroyed" without device-level identification is inadequate for compliance purposes.

If the ICO investigates a data breach and the breach relates to a device that should have been destroyed, the certificate is the evidence that destruction occurred before the breach or that the device in question was never in the organisation's possession after destruction. Without it, the organisation cannot demonstrate that it took appropriate steps.

Need secure IT disposal in London?

Certified data destruction and WEEE recycling — with refurbished devices going to people who need them.