Most businesses replace their IT equipment every three to five years. It’s routine: new laptops arrive, the old ones get piled in a corner, and someone eventually says they’ll sort it. Months later, they’re still in the corner.
The problem isn’t the new equipment. It’s what’s sitting on the old equipment that nobody’s dealt with yet.
The Data That’s Still on Your Old Devices
When an employee hands back a laptop, or your IT provider swaps out a server, that hardware doesn’t leave empty. Depending on how long the device was in use, it could be holding:
- Years of emails and attachments
- Customer records and CRM data
- Financial spreadsheets and invoices
- HR files and payroll information
- Cached login credentials
- Commercially sensitive documents and proposals
The common assumption is that deleting files, or doing a factory reset, makes a device safe to dispose of. It doesn’t. Basic data recovery software, available for free, can reconstruct files from a drive that appears to have been wiped. Anyone with an interest in accessing your business data and a basic level of technical knowledge can do it.
This isn’t a theoretical risk. The ICO has taken enforcement action against organisations that failed to properly manage the disposal of IT equipment containing personal data. “We didn’t realise there was anything on it” is not a defence that holds up.
The Stages of an IT Refresh (and Where the Risk Sits)
Stage 1: Know What You Own
Before anything gets retired, you need an accurate picture of every device in your organisation and what data it holds. If your IT asset register hasn’t been updated in two years, that’s the place to start.
The devices that get overlooked are usually the smaller ones: USB sticks in desk drawers, external hard drives that were used for backups three years ago, old company phones in a box somewhere, a decommissioned printer that nobody thinks of as a data risk. Modern printers with scan-to-email functionality have internal storage. So do CCTV recorders, tablets, and backup tapes.
Stage 2: Data Backup and Migration
Any data that needs to be retained has to be properly migrated before the device leaves your control. This sounds obvious, but it’s worth having someone confirm it explicitly rather than assuming the IT team handled it. The time to check is before the old hardware goes anywhere, not after.
Stage 3: Secure Data Destruction
This is where things typically go wrong. There are three methods businesses use:
Software wiping: Certified erasure software overwrites the drive to a recognised standard (NIST 800-88 is the benchmark). It can work for devices being repurposed internally, but it’s not suitable for all drive types. SSDs don’t behave the same way as HDDs, and the process has to be properly documented to be defensible from a compliance standpoint.
Degaussing: Uses a powerful magnetic field to destroy data on magnetic media. It doesn’t work on SSDs or flash storage, and it’s usually paired with physical destruction rather than used on its own.
Physical destruction: The drive is shredded. It’s the only method that works across all drive types and gives you absolute certainty that the data is gone. For any device that’s held personal data, client information, or sensitive business records, this is the right approach.
ShredBank’s Product Destruction service covers hard drives and electronic media alongside paper. The destruction happens at your premises using ShredBank’s mobile trucks, you see it happen, and you receive a Certificate of Destruction on the day. Nothing leaves your site in a recoverable state.
Stage 4: Disposal
Once data has been securely destroyed, the remaining hardware can be disposed of responsibly through an IT asset disposal company, donated through a certified scheme, or recycled through WEEE-compliant channels. If you’re reselling equipment, the Certificate of Destruction is your proof that data was properly handled before the device changed hands.
Which Devices Need to Be Dealt With
It’s not just desktops and laptops.
| Device | Risk Level | Why |
|---|---|---|
| Laptops and desktops | High | Internal drives, cached credentials |
| Servers | Very high | Can hold years of business and customer data |
| External hard drives | High | Often forgotten during clear-outs |
| USB drives | Medium to high | Small, easy to lose track of |
| Printers and MFDs | Medium | Many hold internal storage |
| Company mobile phones | High | Email, contacts, apps, cached logins |
| Tablets | Medium to high | Same exposure as phones |
| Backup tapes | Very high | Can contain decades of archived data |
| CCTV recorders | Medium | Footage of staff, customers, visitors |
What the Law Requires
Under UK GDPR, your organisation is responsible for personal data from the point it’s collected to the point it’s destroyed. That responsibility covers hardware. If a device that held personal data is disposed of without proper destruction and the data ends up being accessed, the liability sits with the original data controller.
A Certificate of Destruction is your evidence that you handled it correctly. It records what was destroyed, when, and by whom. Without it, you’re relying on someone’s word that the drive was wiped, which is not the same thing and won’t satisfy an ICO investigation.
What to Look for in a Destruction Provider
Not every company offering hardware disposal is doing it to the same standard. When you’re choosing a provider, the things that matter are:
- On-site destruction: The device is destroyed at your premises. You don’t hand it over and trust that something happened to it somewhere else.
- Certificate of Destruction: Issued on the day, with details of what was destroyed.
- Security-vetted staff: Uniformed, ID-badged, with signed confidentiality agreements. ShredBank’s drivers meet this standard as a baseline.
- Relevant accreditations: ISO 9001 for quality management and compliance with BS EN 15713 for secure destruction.
- Audit trail: Asset records and destruction method documented.
Checklist for Your Next IT Refresh
Before:
- Update your IT asset register
- Identify every device holding personal or sensitive data, including peripherals
- Confirm data has been backed up and migrated from retiring devices
- Book a certified on-site destruction service for anything that’s held sensitive data
During:
- Keep retiring equipment in a secure location until destruction takes place
- Do not allow devices to leave your premises before destruction is confirmed
- Have a member of staff present during on-site destruction
After:
- File your Certificate of Destruction
- Update your IT asset register to show retired devices
- Record the destruction date and method in your data management records
- Set a reminder for the next refresh cycle
The Short Version
A lot of care goes into buying and setting up new IT equipment. The same care needs to go into retiring the old stuff. The data on a five-year-old laptop doesn’t become less sensitive because the machine is out of date.
If you’re planning an IT refresh and need on-site hard drive or electronic media destruction in Belfast or across Northern Ireland, get in touch with ShredBank. Destruction takes place at your premises, you watch it happen, and you leave with a Certificate of Destruction the same day.