Why UK Businesses Still Get Data Destruction Wrong
Every year, thousands of UK businesses replace their IT equipment. Laptops get swapped out,
desktops are retired, and servers reach end of life. What happens next is where things go wrong.
Despite years of high-profile data breaches and increasingly strict regulations, a surprising
number of organisations still treat data destruction as an afterthought or, worse, assume that
a factory reset is enough.
The Factory Reset Myth
A factory reset does not destroy data. It removes the pointers to the data, making files invisible
to the operating system, but the underlying information remains on the drive and can be
recovered with freely available forensic tools. This is not a theoretical risk. In 2023, researchers
at the University of Hertfordshire purchased 200 second-hand drives from eBay and found that
42% still contained recoverable data, including financial records, HR files, and medical
information.
The same applies to formatting. A quick format, a full format, even deleting partitions — none of
these methods meets the standards required by GDPR, the ICO, or sector-specific regulators like
the FCA and SRA. If personal data is recoverable, it has not been destroyed, and the organisation
that owned it remains liable.
What Proper Data Destruction Looks Like
Certified secure data destruction follows internationally recognised standards, specifically
NIST 800-88, which defines three levels of media sanitisation: Clear, Purge, and Destroy. For
most business hard drives and SSDs, the Purge method using software like Blancco is sufficient.
It overwrites every sector of the drive and produces an individual certificate of destruction tied
to the device's serial number.
For drives that are damaged, encrypted with lost keys, or subject to the highest security
requirements, physical destruction is the alternative. This involves shredding, crushing, or
degaussing the media so that data recovery becomes physically impossible. The key in either
case is documentation: without a certificate confirming what was done, to which device, and
when, there is no audit trail.
The Compliance Gap
GDPR Article 17 establishes the right to erasure, but it goes further than most businesses realise.
Under Article 5, organisations must be able to demonstrate that personal data is processed
securely, including its eventual destruction.
The ICO has made clear that “appropriate technical measures” includes the disposal process, not just storage and access controls. For businesses in regulated sectors, the requirements are even more specific. Law firms handling client data must comply with SRA standards. Financial services firms answer to the FCA.
Healthcare providers must meet NHS Data Security and Protection Toolkit requirements. In each
case, the regulator expects documented evidence that data-bearing devices have been properly
sanitised before leaving the organisation’s control.
The Cost of Getting It Wrong
The ICO can issue fines of up to £17.5 million or 4% of global annual turnover for serious GDPR
breaches. But the financial penalty is often the least damaging consequence. The reputational
impact of a data breach, particularly one caused by something as preventable as improper
disposal, can cost far more in lost contracts, client trust, and management time spent on
remediation.
In 2022, a UK council was fined after hard drives containing sensitive personal data were found
to have been sold on the second-hand market without being wiped. The drives had been passed
to a third-party disposal company that had no proper processes in place.
The council remained liable because it had failed to verify its supplier’s data destruction practices.
What Businesses Should Do
The fix is straightforward but requires discipline.
First, maintain an asset register that tracks every data-bearing device from procurement to disposal.
Second, use a certified data destruction provider that issues individual certificates for every device processed.
Third, verify the provider's credentials: look for ISO 27001 certification, ADISA membership, and an
Environment Agency waste carrier licence.
Finally, do not stockpile old equipment. Every day that a decommissioned laptop or server sits in
a cupboard is another day it remains a data liability. The sooner it enters a controlled
destruction process, the sooner the risk is eliminated and the audit trail is closed.
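As an added illustration of the register-plus-certificate discipline described in the steps above (example code written for this article, not a tool from any provider it mentions), the following Python reconciles a constructed asset register against constructed certificates of destruction and flags the gaps those steps are meant to close: devices with no certificate, devices stockpiled beyond a threshold, certificates naming a method outside NIST 800-88 (a "factory reset" counts as no sanitisation at all), and certificates whose serial matches nothing in the register. The record fields, serial formats and the 30-day stockpile threshold are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date
# NIST 800-88 sanitisation levels. "factory reset" and "quick format" are
# deliberately absent: they remove pointers to data, not the data itself.
ACCEPTED_METHODS = {"clear", "purge", "destroy"}

@dataclass
class Asset:
    serial: str
    decommissioned: date   # day the device left service (assumed register field)
@dataclass
class Certificate:
    serial: str
    method: str            # sanitisation method as stated on the certificate

def reconcile(assets, certificates, today, max_stockpile_days=30):
    """Return findings keyed by serial number: no_certificate, stockpiled
    (uncertified and idle longer than max_stockpile_days), unknown_method
    (method outside NIST 800-88), orphan_certificate (serial not in register)."""
    register = {a.serial.strip().upper(): a for a in assets}
    certs = {c.serial.strip().upper(): c for c in certificates}
    findings = {}
    for serial, asset in register.items():
        cert = certs.get(serial)
        if cert is None:
            problems = ["no_certificate"]
            if (today - asset.decommissioned).days > max_stockpile_days:
                problems.append("stockpiled")
            findings[serial] = problems
        elif cert.method.strip().lower() not in ACCEPTED_METHODS:
            findings[serial] = ["unknown_method"]
    for serial in certs.keys() - register.keys():
        findings[serial] = ["orphan_certificate"]   # certificate with no matching asset
    return findings

# Constructed sample records (not real devices or certificates).
SAMPLE_ASSETS = [
    Asset("LT-0001", date(2024, 1, 10)),   # purged and certified
    Asset("LT-0002", date(2024, 1, 12)),   # certificate claims a "factory reset"
    Asset("SV-0003", date(2023, 11, 1)),   # in a cupboard for months, no certificate
    Asset("LT-0004", date(2024, 2, 1)),    # retired days ago, not yet processed
]
SAMPLE_CERTS = [
    Certificate("LT-0001", "Purge"),
    Certificate("LT-0002", "factory reset"),
    Certificate("XX-9999", "Destroy"),     # serial that never appeared in the register
]

def sample_findings():
    return reconcile(SAMPLE_ASSETS, SAMPLE_CERTS, today=date(2024, 2, 5))
```

Run against a real register, the same check turns the "don't stockpile" rule and the serial-number tie between certificate and device into something that can be audited on a schedule rather than discovered after a drive turns up on the second-hand market.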
The Bottom Line
Data destruction is not an IT housekeeping task. It is a compliance obligation, a security control,
and increasingly a factor in commercial due diligence.
Businesses that treat it as an afterthought are not saving money; they are accumulating risk. The organisations that get this right are the ones that build destruction into their IT lifecycle from day one, with clear processes, certified partners, and documentation that stands up to scrutiny.
