Why data centre decommissioning requires a formal process
A data centre holds more sensitive data per square metre than almost any other part of a business. Servers, storage arrays, network equipment, and even decommissioned UPS units may hold personal data, commercially sensitive information, or cryptographic material.
UK GDPR and the Data Protection Act 2018 require organisations to remain accountable for personal data until its verified destruction. The WEEE Regulations 2013 require that electrical equipment is disposed of through authorised channels. A decommission without documented process leaves your organisation exposed on both fronts.
The checklist below applies whether you are decommissioning a single server room, vacating a co-location facility, or retiring a full on-premises data centre.
The data centre decommissioning checklist
Phase 1: Planning and scoping
- Appoint a project owner. Assign a named individual responsible for sign-off at each stage. This person owns the audit trail.
- Inventory all assets. Conduct a full physical audit. Record every asset: serial number, make, model, location, and data classification of workloads previously hosted. Cross-reference against your configuration management database (CMDB) — discrepancies are common and must be resolved before disposal begins.
- Classify data by sensitivity. Identify which devices held personal data, financial records, or other regulated information. Data classification drives the destruction method required.
- Confirm dependencies. Verify that all workloads have been migrated or decommissioned before any hardware is touched. Premature disconnection of a live system can cause outages.
- Engage your ITAD provider early. Share your asset inventory with a certified IT asset disposal provider before the project starts. They can advise on data destruction methods, logistics, and documentation requirements. Our data centre IT recycling service is specifically designed for projects of this scale.
Phase 2: Data security
- Back up any data you intend to retain. Confirm backups are complete and verified before touching hardware.
- Revoke all active credentials and API keys associated with decommissioned systems. Update your identity management systems.
- Remove encryption keys from hardware security modules (HSMs) and TPM chips. Document this step with timestamps.
- Agree a data destruction standard. For overwriting, common standards include HMG Infosec Standard 5 and NIST 800-88. For physical destruction, confirm the shred size and the certification your provider issues. High-security environments may require on-site destruction — discuss this with your ITAD provider.
- Do not rely on factory resets alone. Factory resets on servers, storage arrays, and networking equipment do not reliably overwrite all data. Certified software erasure or physical destruction is required.
Phase 3: Physical removal
- Label and bag each asset individually. Maintain the link between physical device and serial number throughout transit. Tamper-evident bags or cages prevent unauthorised access.
- Document chain of custody at every transfer. A signed manifest should accompany every pallet or cage. Record who collected, when, and what vehicle registration was used.
- Handle specialist equipment separately. UPS batteries, cooling units, and cabling infrastructure follow different disposal routes. Confirm your ITAD provider can handle all asset types — or arrange separate streams.
- Photograph the empty racks before leaving the facility. This protects you if a dispute arises over what was collected.
Phase 4: Certified processing
- Confirm your ITAD provider is an authorised treatment facility (ATF) approved under the WEEE Regulations 2013. Ask for their registration number.
- Receive data destruction certificates for every storage-bearing device. Each certificate should cite the device serial number, destruction method, standard applied, and technician signature.
- Receive a full asset disposition report. This lists every serial number and its outcome: wiped and reused, donated, disassembled, or recycled.
- Obtain a WEEE transfer note. This is your legal evidence that electrical waste was transferred to an authorised facility.
Phase 5: Closure and reporting
- Update your asset register. Remove all decommissioned serial numbers and mark them as disposed with the date and method.
- File all certificates and transfer notes in your compliance records. ICO guidance on data security recommends retaining these for the duration of your data retention policy, and typically a minimum of three to five years.
- Notify relevant parties. If the data centre processed personal data on behalf of clients, notify them that destruction is complete and provide certificates as required under data processing agreements.
- Conduct a post-project review. Identify any gaps between the CMDB and the physical inventory found. Update asset tracking processes before your next refresh cycle.
Common mistakes to avoid
Most decommissioning failures come from the same sources: assets not captured in the original inventory, destruction certificates not requested or not retained, and WEEE documentation not obtained because the project moved too fast.
A rushed decommission that skips documentation can result in ICO enforcement action if a data breach is later traced to a disposed device. The ICO has fined organisations for inadequate data destruction practices — the evidence standard it expects is a certificate, not an assurance.
For an overview of what to expect from a certified server recycling service, read our dedicated guide on that topic.
Ready to plan your decommission? Talk to our data centre team for a scoping conversation and asset inventory support.