A certificate of data destruction is a formal document confirming that data on a specific device has been permanently and irrecoverably destroyed. It is the documented proof — required by the ICO under UK GDPR — that your organisation has met its obligation to destroy personal data before disposing of IT equipment.
What a certificate of data destruction must include
A valid certificate should contain:
- Device identification — make, model and serial number (where readable)
- Destruction method — certified software erasure or physical shredding, with reference to the standard used
- Date of destruction
- Provider details — name, contact and (where applicable) accreditation
Asset-level certificates (one per device) are preferable to batch certificates covering multiple items — they give you a traceable record for every device individually, which is what ICO audits and ISO 27001 assessments typically expect.
Why you need one
Under UK GDPR and the Data Protection Act 2018, your organisation is the data controller until personal data is irretrievably destroyed. The ICO’s guidance on erasure and destruction recommends retaining documented evidence of destruction. Without a certificate, you cannot demonstrate to the ICO, an auditor, or a client that a device’s data was properly destroyed.
Certificates are also required for: ISO 27001 information security management, Cyber Essentials assessments, government supplier requirements, and ESG/sustainability reporting where supply chain data handling is assessed.
How Recycle4Charity issues certificates
Recycle4Charity issues a certificate of data destruction for every data-bearing device it processes — individually, not as a batch. Each certificate states the device details, the destruction method (certified wipe or physical shredding) and the date. These certificates are issued as part of every data destruction collection and IT asset disposal service in London.
See also: What is data destruction? and GDPR and disposing of old IT equipment.