← Blog ·

What happens to your data when you recycle a computer?

When you recycle a computer, the data stored on its hard drive or SSD does not disappear — it remains on the storage medium until it is deliberately and permanently destroyed. Without certified data destruction before recycling, personal or business data can be recovered from a donated or recycled device by anyone with basic recovery software.

The problem with “recycled” computers

When an organisation retires a computer — a desktop, laptop, or server — and sends it to a recycling centre or donates it, the assumption is often that the device is blank. It rarely is.

Research by independent security organisations over many years has found personal data — sometimes including financial records, medical files, and login credentials — on computers purchased second-hand from online marketplaces, charity shops, and IT resellers. The previous owners believed their data had been removed. In many cases, the drives had only been formatted, or the operating system had been reinstalled.

A formatted drive is not a wiped drive. A reinstalled operating system does not remove the data underneath it. Recovery tools — available free online — can retrieve files from drives that have been formatted, deleted, or even had a new operating system installed.

What data is typically at risk?

A business computer reaching end of life may contain:

  • Customer and client records (names, addresses, contact details, purchase history)
  • Employee personal information (payroll data, HR records, performance reviews)
  • Financial data (invoices, bank details, accounting records)
  • Intellectual property (contracts, proposals, internal strategy documents)
  • Credentials and authentication tokens (saved passwords, VPN certificates, session data)
  • Email archives containing any or all of the above

Under UK GDPR and the Data Protection Act 2018, personal data in any of these categories is subject to legal protection. Allowing it to leave your organisation’s control on an unwiped device constitutes a data breach — and could result in enforcement action by the Information Commissioner’s Office (ICO).

What happens to data during the recycling process?

This depends entirely on the recycling route you use.

General WEEE recycling without data destruction:
If a device is sent to a general e-waste recycler that does not offer data destruction, the drive will typically be removed and shredded along with other materials — but only after the device has passed through a facility where other people handled it. The data risk during that transit period is real.

Refurbishment and resale:
Some recyclers refurbish computers and resell them. If the drive is not wiped before refurbishment, the new user may be able to access the previous owner’s data. Reputable refurbishers wipe drives as a matter of course, but standards vary widely.

Donation without data destruction:
Computers donated to schools, charities, or community groups are sometimes set up directly without the previous user’s data having been removed. This is a well-documented source of data breaches in the charitable sector.

Certified IT asset disposal (ITAD):
A certified ITAD provider carries out data destruction — either wiping or shredding — before the device enters the recycling or refurbishment stream. The provider issues a certificate of data destruction as evidence. This is the only route that provides compliance assurance.

What should happen before a computer is recycled?

Before any computer leaves your organisation’s control, the following must occur:

  1. Data destruction: The drive must be wiped to a certified standard (NIST SP 800-88 or NCSC guidance) or physically shredded. Deletion and formatting are not sufficient.
  2. Verification: For software wiping, a verification report must confirm every sector was overwritten. For shredding, the chain of custody must be documented.
  3. Documentation: A certificate of data destruction must be issued and retained as compliance evidence.
  4. WEEE-compliant disposal: The hardware must be routed to an authorised treatment facility under the WEEE Regulations 2013, not sent to general waste.

For a step-by-step guide to wiping a laptop specifically, see our article on how to wipe a laptop before recycling.

Does the type of storage affect the risk?

Yes, significantly.

Traditional hard drives (HDDs): Data is written magnetically to spinning platters. Standard deletion leaves the data fully intact. Certified software wiping or physical shredding addresses this reliably.

Solid-state drives (SSDs): Data is stored in NAND flash memory. Standard overwrite tools may not reach all storage areas due to wear levelling. Certified firmware-level commands (ATA Secure Erase, NVMe Sanitise) or physical shredding are required. Degaussing has no effect on SSDs.

Hybrid drives: Contain both a magnetic platter and flash cache. Both components require treatment.

Understanding which type of drive a computer contains is the first step in selecting the appropriate destruction method.

The accountability gap in common practice

Many businesses believe they are compliant because they have “recycled” their old computers through a local scheme or donated them to charity. The accountability gap is this: unless they have a certificate of data destruction — a document recording what was destroyed, how, and when — they cannot demonstrate compliance if challenged.

The ICO’s accountability principle is explicit: data controllers must be able to demonstrate that they comply with the data protection principles, not simply assert it. “We recycled the computers” is an assertion. A certificate of data destruction is evidence.

For more on what the certificate should contain, see our guide to certificates of data destruction.

How Recycle4Charity handles data when recycling a computer

Recycle4Charity is a London-based Community Interest Company that collects computers and other IT equipment from businesses, carries out certified data destruction — wiping or shredding as appropriate — and issues a certificate of data destruction for every collection. Devices that pass wiping and a hardware quality check are donated free to digitally-excluded Londoners. Those that cannot be refurbished are recycled through WEEE-compliant routes.

Visit our data destruction for business page to find out more, or contact us to arrange a collection.

Blog

Frequently asked questions

No. Deleting files removes their entry in the file system index but leaves the data itself on the drive. Recovery software can retrieve deleted files in minutes. Only certified overwriting (wiping) or physical shredding permanently removes the data.

The data remains on the drive, accessible to whoever next has physical possession of it. If that data includes personal information, the organisation that owned the computer may be liable under UK GDPR for a data breach. The ICO can investigate and impose fines.

No. You must wipe the drive before donating, using certified overwriting software, or arrange for the charity or ITAD provider to wipe it before distribution. Donating a computer with data on the drive — even if you intended to delete it — can constitute a data breach.

Yes. Physical shredding destroys the storage medium regardless of type, including SSDs, because it physically fragments the NAND flash chips. Degaussing, by contrast, does not work on SSDs.

Ask for a certificate of data destruction for every collection, listing each device by serial number and specifying the method and standard applied. A reputable provider will issue this as standard. If a provider cannot or will not provide this documentation, that is a significant compliance risk.

Need secure IT disposal in London?

Certified data destruction and WEEE recycling — with refurbished devices going to people who need them.