Every organisation eventually reaches the same point: old IT equipment has to leave the business. It may be part of a refresh project, office move, data centre change, device upgrade, or end-of-life disposal cycle. The real risk is not just getting rid of the hardware. The real risk is what is still stored on it. NIST SP 800-88 Rev. 2, published in September 2025, says media sanitisation should make access to target data infeasible for a given level of effort, and it supersedes Rev. 1 from 2014.
For most businesses, the decision usually comes down to two options: certified data erasure or physical destruction. Both can be valid. Both can be secure. But they are not interchangeable, and choosing the wrong method can either create unnecessary risk or destroy recoverable asset value. The ICO also makes it clear that personal information should be properly deleted before hardware is sold or disposed of so that it cannot be accessed by someone else.
What is certified data erasure?
Certified data erasure is the process of securely sanitising storage media using approved methods so the device can no longer expose the original data, while the asset itself may still remain reusable. NIST SP 800-88r2 identifies sanitisation methods such as clear, purge, and destroy, and includes a sample certificate of sanitisation to support documentation and assurance.
In practical business terms, certified erasure is usually the right choice when the device is still functional, has resale or redeployment value, and there is a clear requirement to prove that data was sanitised before reuse. This is especially relevant for laptops, desktops, servers, and some enterprise storage where the organisation wants security and value recovery. Done properly, erasure supports circular IT practices because working devices can be refurbished, reused, or remarketed instead of being destroyed immediately. UK WEEE guidance is built around reducing landfill and encouraging recovery, reuse, and recycling of electrical equipment and components.
What is physical destruction?
Physical destruction means the media is made unusable by shredding, crushing, degaussing where appropriate, or another destructive process. The ICO notes that physical destruction involves destroying the media so it can no longer be used, and once destroyed the data will not be recoverable except using specialist, expensive equipment. It specifically highlights this as a good destruction method for removable media such as CDs and DVDs.
Physical destruction is often the better option where media is damaged or has failed, its encryption status is uncertain, sanitisation cannot be reliably validated, or the data involved is highly sensitive and the organisation’s risk appetite is very low. It is also common where contract terms, sector rules, internal policy, or client expectations demand destruction rather than reuse. For some failed drives and legacy media, destruction is simply the safer and more defensible decision.
So which one should you choose?
The right answer depends on five things.
First, look at data sensitivity. If the asset held confidential client data, regulated information, financial records, legal material, or sensitive internal information, you need stronger assurance and full documentation. Second, look at device condition. If the media still works and can be sanitised and validated, erasure may be suitable. If it is faulty or inaccessible, physical destruction may be the only reliable route. Third, look at reuse value. Destroying a working asset removes any remarketing or redeployment opportunity. Fourth, check compliance and contractual requirements. Fifth, make sure you can evidence the whole process from collection to final outcome. The ICO expects methods of destruction to be covered in policy, equipment awaiting disposal to be held securely, appropriate third-party contracts to be in place, and logs and destruction certificates to support assurance.
The mistake many organisations make
A common mistake is assuming that deleting files, emptying the recycle bin, or resetting a device is enough. It often is not. The ICO warns that electronic systems can retain information in backups or background storage, meaning data may still exist after users think it has been removed. That is why informal deletion is not an ITAD strategy. Secure disposal needs process, validation, and records.
Another mistake is treating all media the same way. SSDs, HDDs, removable media, servers, and specialist devices do not all behave the same in sanitisation workflows. NIST’s guidance is designed to help organisations make practical sanitisation decisions based on media type and information sensitivity, not on guesswork.
What good ITAD looks like
A mature ITAD process should include an asset inventory, chain of custody, secure storage before processing, a clear decision on erasure versus destruction, serial-level reporting, and final certification. Where assets are suitable for reuse, secure erasure can protect data while preserving commercial value and supporting sustainability goals. Where reuse is not appropriate, destruction should be controlled, witnessed where needed, and fully documented. UK WEEE guidance also says reusable equipment should be identified and segregated as early as possible to prevent damage and maximise reuse opportunities, while non-reusable WEEE should be treated to maximise recycling and recovery.
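The evidence trail described above can be checked mechanically. The following is an added example, not NanoSoft's tooling or a NIST format: it reconciles an asset inventory against custody events and sanitisation certificates and reports every serial whose record is incomplete. The serials, stage names and record fields are constructed for illustration.

```python
# Constructed sample records; serials, stage names and fields are illustrative.
INVENTORY = {
    "SN-1001": {"decision": "erase"},
    "SN-1002": {"decision": "destroy"},
    "SN-1003": {"decision": "erase"},
    "SN-1004": {"decision": None},  # asset was never triaged
}
CUSTODY = [  # (serial, stage) events as logged
    ("SN-1001", "collected"), ("SN-1001", "secure_storage"), ("SN-1001", "processed"),
    ("SN-1002", "collected"), ("SN-1002", "processed"),
    ("SN-1003", "collected"), ("SN-1003", "secure_storage"), ("SN-1003", "processed"),
]
CERTIFICATES = [
    {"serial": "SN-1001", "method": "erase", "verified": True},
    {"serial": "SN-1002", "method": "destroy", "verified": True},
    {"serial": "SN-1003", "method": "erase", "verified": False},
    {"serial": "SN-9999", "method": "destroy", "verified": True},
]
REQUIRED_STAGES = ("collected", "secure_storage", "processed")

def reconcile(inventory, custody, certificates):
    """Return {serial: [findings]} for assets whose disposal evidence is incomplete."""
    findings = {}
    def flag(serial, message):
        findings.setdefault(serial, []).append(message)
    stages_seen, certs = {}, {}
    for serial, stage in custody:
        stages_seen.setdefault(serial, set()).add(stage)
    for cert in certificates:
        certs.setdefault(cert["serial"], []).append(cert)
    for serial, asset in inventory.items():
        if asset["decision"] is None:
            flag(serial, "no erasure-or-destruction decision recorded")
        missing = [s for s in REQUIRED_STAGES if s not in stages_seen.get(serial, set())]
        if missing:
            flag(serial, f"custody gap: missing {missing}")
        if serial not in certs:
            flag(serial, "no certificate issued")
        for cert in certs.get(serial, []):
            if asset["decision"] and cert["method"] != asset["decision"]:
                flag(serial, f"certificate method {cert['method']!r} differs from decision")
            if not cert["verified"]:
                flag(serial, "certificate present but sanitisation not verified")
    # A certificate with no matching inventory entry means the asset list is incomplete.
    for serial in certs.keys() - inventory.keys():
        flag(serial, "certificate for a serial not in the inventory")
    return findings
```

Calling `reconcile(INVENTORY, CUSTODY, CERTIFICATES)` on the sample data flags four serials and leaves SN-1001, the only asset with a complete record, out of the result.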
Final word
There is no one-size-fits-all answer. Certified data erasure is often the best option for functioning assets that still have business or resale value. Physical destruction is often the right choice for failed media, highly sensitive data, or environments where maximum assurance is required. The key is not choosing the loudest method. The key is choosing the method that is technically appropriate, risk-aligned, compliant, and fully evidenced.
At NanoSoft, we help organisations make that decision properly. Whether you need secure collection, auditable chain of custody, certified erasure, on-site destruction, or responsible IT asset disposition, the goal is the same: protect the data, protect the business, and handle every asset the right way.
NanoSoft Team
Writer at NanoSoft — covering ITAD, data security, and sustainable technology lifecycle management.