GDPR and Disposing of Old IT Equipment

Under UK GDPR and the Data Protection Act 2018, businesses remain the data controller until personal data on disposed IT equipment is irretrievably destroyed. A factory reset or standard format is not sufficient. This guide covers your obligations and what secure, compliant IT disposal requires.

When a business disposes of old IT equipment — laptops, phones, servers or hard drives — UK GDPR (Data Protection Act 2018) makes the data controller responsible for ensuring personal data is irretrievably destroyed before the device leaves its custody. This applies whether the device is working, broken, or has been wiped by a factory reset.

What UK GDPR requires when disposing of IT

Under UK GDPR (implemented by the Data Protection Act 2018), organisations must apply the storage limitation and security principles to data on IT equipment being retired. Specifically:

  • Personal data must not be retained longer than necessary — devices being disposed of must have their data destroyed, not just deleted.
  • Technical and organisational measures must be in place to ensure the security of personal data — inadequate disposal is a failure of this obligation.
  • A record of the destruction must be maintained as part of your accountability obligations.

Why a factory reset is not enough

A factory reset restores a device to its default settings by removing the file system index — but the underlying data sectors are not overwritten. This means data can be recovered using freely available forensic tools. The same applies to simply formatting a hard drive or deleting files. For GDPR compliance, you need certified software erasure that overwrites all data sectors to a recognised standard, or physical destruction of the storage media. See our guide to data destruction methods.

The ICO’s guidance on device disposal

The ICO’s guidance on erasure and destruction states that organisations should use specialist data destruction software or engage a specialist provider for hardware being disposed of. The ICO recommends retaining a certificate of data destruction as documented evidence of compliance — and this is precisely what a professional ITAD service provides.

Consequences of inadequate IT disposal

Disposing of IT equipment without properly destroying the data can result in a personal data breach reportable to the ICO under UK GDPR. The ICO has issued significant fines for breaches arising from inadequate disposal of IT equipment. Fines under UK GDPR can reach £17.5 million or 4% of global annual turnover. Beyond fines, there is reputational damage and the potential for civil liability to affected individuals.

How to comply — the compliant IT disposal process

Recycle4Charity’s secure data destruction service for London businesses covers every device in a single collection: certified erasure or physical shredding on every data-bearing item, a certificate of data destruction per device, and a WEEE disposal record satisfying the WEEE Regulations 2013 alongside your GDPR obligations. Book a free IT collection across Greater London.

Frequently asked questions

Yes. Under UK GDPR (Data Protection Act 2018), your organisation remains the data controller until personal data is permanently and irretrievably destroyed. Disposing of a laptop, phone or hard drive without securely destroying the data is a potential data breach — even if the device is broken or not actively used.

No. A factory reset removes the file system index but does not overwrite the underlying data sectors. Data can be recovered from a factory-reset device using freely available software. The ICO recommends using specialist data destruction software or physical shredding, not factory resets, for data-bearing devices being disposed of.

The ICO's guidance on erasure and destruction states that organisations must ensure personal data is irretrievably destroyed before hardware is disposed of or reused. The ICO recommends using a specialist data destruction service that issues a certificate of destruction as documented evidence of compliance.

You need a certificate of data destruction for every data-bearing device disposed of. This document should state the device details (make, model, serial number where available), the destruction method used (certified erasure or physical shredding) and the date. Recycle4Charity issues a certificate for every device it processes.

A data breach through inadequate IT disposal must be reported to the ICO within 72 hours if it is likely to result in a risk to individuals' rights and freedoms. The ICO can issue fines of up to £17.5 million or 4% of global annual turnover (whichever is higher) under UK GDPR, and has fined organisations specifically for inadequate device disposal.