When a business disposes of old IT equipment — laptops, phones, servers or hard drives — UK GDPR (Data Protection Act 2018) makes the data controller responsible for ensuring personal data is irretrievably destroyed before the device leaves its custody. This applies whether the device is working, broken, or has been wiped by a factory reset.
What UK GDPR requires when disposing of IT
Under UK GDPR (implemented by the Data Protection Act 2018), organisations must apply the storage limitation and security principles to data on IT equipment being retired. Specifically:
- Personal data must not be retained longer than necessary — devices being disposed of must have their data destroyed, not just deleted.
- Technical and organisational measures must be in place to ensure the security of personal data — inadequate disposal is a failure of this obligation.
- A record of the destruction must be maintained as part of your accountability obligations.
Why a factory reset is not enough
A factory reset restores a device to its default settings by removing the file system index — but the underlying data sectors are not overwritten. This means data can be recovered using freely available forensic tools. The same applies to simply formatting a hard drive or deleting files. For GDPR compliance, you need certified software erasure that overwrites all data sectors to a recognised standard, or physical destruction of the storage media. See our guide to data destruction methods.
The ICO’s guidance on device disposal
The ICO’s guidance on erasure and destruction states that organisations should use specialist data destruction software or engage a specialist provider for hardware being disposed of. The ICO recommends retaining a certificate of data destruction as documented evidence of compliance — and this is precisely what a professional ITAD service provides.
Consequences of inadequate IT disposal
Disposing of IT equipment without properly destroying the data can result in a personal data breach reportable to the ICO under UK GDPR. The ICO has issued significant fines for breaches arising from inadequate disposal of IT equipment. Fines under UK GDPR can reach £17.5 million or 4% of global annual turnover. Beyond fines, there is reputational damage and the potential for civil liability to affected individuals.
How to comply — the compliant IT disposal process
Recycle4Charity’s secure data destruction service for London businesses covers every device in a single collection: certified erasure or physical shredding on every data-bearing item, a certificate of data destruction per device, and a WEEE disposal record satisfying the WEEE Regulations 2013 alongside your GDPR obligations. Book a free IT collection across Greater London.