GDPR and data destruction obligations
What the law expects when you dispose of IT that held personal data — and how to prove you did it right.
Disposing of a device that held personal data is a processing activity in its own right. UK GDPR — now sitting alongside the Data (Use and Access) Act 2025 — expects you to do it securely and to be able to prove it.
What the law expects
Personal data must be kept only as long as needed and disposed of securely. Crucially, GDPR’s accountability principle means you must be able to demonstrate compliance — which in practice means records and certificates, not good intentions.
Where the risk bites
A device sold or recycled with recoverable data is a personal-data breach. The exposure sits with the data controller, so your customers need their ITAD provider to give them defensible proof for every device.
How to evidence it
Per-device, serial-level destruction certificates, backed by a chain of custody, are how you evidence secure disposal — and how your customers evidence it to their regulator.
Frequently asked questions
Does GDPR require data destruction certificates?
UK GDPR requires you to dispose of personal data securely and to demonstrate it; per-device certificates are how that’s evidenced in practice.
Who is liable if data is recovered after disposal?
The data controller bears the accountability, which is why they need defensible proof from their ITAD provider.
What about the Data (Use and Access) Act 2025?
It sits alongside UK GDPR; the core expectation to dispose securely and prove it remains.
Ready when you are
See WipeTrail on your own kit.
Book a 20-minute demo and we’ll walk the whole flow — collection to certified wipe to resale — and show how fast you could be live before the DWTS deadline.
Book a demo →