Certificate of Data Destruction — What It Is and What It Must Include

A certificate of data destruction is a document issued by a data destruction provider confirming that a specific device's data has been permanently and irrecoverably destroyed. Under UK GDPR, businesses need one for every data-bearing device disposed of — it is the documented evidence that your destruction obligation has been met.

A certificate of data destruction is a formal document confirming that data on a specific device has been permanently and irrecoverably destroyed. It is the documented proof — required by the ICO under UK GDPR — that your organisation has met its obligation to destroy personal data before disposing of IT equipment.

What a certificate of data destruction must include

A valid certificate should contain:

  • Device identification — make, model and serial number (where readable)
  • Destruction method — certified software erasure or physical shredding, with reference to the standard used
  • Date of destruction
  • Provider details — name, contact and (where applicable) accreditation

Asset-level certificates (one per device) are preferable to batch certificates covering multiple items — they give you a traceable record for every device individually, which is what ICO audits and ISO 27001 assessments typically expect.

Why you need one

Under UK GDPR and the Data Protection Act 2018, your organisation is the data controller until personal data is irretrievably destroyed. The ICO’s guidance on erasure and destruction recommends retaining documented evidence of destruction. Without a certificate, you cannot demonstrate to the ICO, an auditor, or a client that a device’s data was properly destroyed.

Certificates are also required for: ISO 27001 information security management, Cyber Essentials assessments, government supplier requirements, and ESG/sustainability reporting where supply chain data handling is assessed.

How Recycle4Charity issues certificates

Recycle4Charity issues a certificate of data destruction for every data-bearing device it processes — individually, not as a batch. Each certificate states the device details, the destruction method (certified wipe or physical shredding) and the date. These certificates are issued as part of every data destruction collection and IT asset disposal service in London.

See also: What is data destruction? and GDPR and disposing of old IT equipment.

Frequently asked questions

A certificate of data destruction is a formal document confirming that data on a specific device has been permanently and irrecoverably destroyed — either by certified software erasure or physical shredding. It serves as documented proof of compliance with UK GDPR (Data Protection Act 2018) and ICO guidance on secure disposal.

A valid certificate should include: the device details (make, model, serial number where available), the destruction method used (certified software wipe or physical shredding), the standard to which it was destroyed, the date of destruction, and the name and contact details of the provider. Recycle4Charity issues a certificate for every device it processes.

The certificate is not explicitly named in UK GDPR legislation, but the ICO's guidance on erasure and destruction recommends retaining documented evidence of destruction as part of your accountability obligations under UK GDPR. Without a certificate, you cannot demonstrate compliance if challenged by the ICO or an auditor.

The ICO does not specify a fixed retention period, but as a rule of thumb, retain certificates for at least as long as your general data protection records — typically three to five years, or longer if the devices held particularly sensitive data. Certificates may also be needed for ISO 27001 audits, Cyber Essentials assessments and ESG reporting.

Any certified data destruction provider that processes devices to a recognised standard can issue a certificate. Look for providers that can confirm the specific method used per device, reference a recognised destruction standard, and provide an asset-level record (one certificate per device, not one certificate covering an entire batch).