Back to Blog
ITADhow to dispose of old laptopslaptop disposal business UKsecure laptop disposalserver disposal UKITAD UK

How to Dispose of Old Laptops, Computers and Servers: The Complete UK Business Guide

Most UK businesses have a pile of old IT equipment and no clear idea what they are legally required to do with it. Factory reset is not data destruction. The general bin is illegal under WEEE. Donating without wiping is a data breach. Here is the six-step compliant process, what to look for in a vendor, and exactly how much a mistake will cost you.

NNanoSoft Team25 June 20267 min read
How to Dispose of Old Laptops, Computers and Servers: The Complete UK Business Guide

How to Dispose of Old Laptops, Computers and Servers: The Complete UK Business Guide

Most UK businesses have a stack of old devices somewhere. A cupboard of retired laptops. A server that was replaced two years ago and never removed. A box of phones from the last refresh. And most of them have done one of four things: factory reset, general bin, donated to charity, or handed them to a free-collection service with no questions asked. Every one of those four options is either illegal, non-compliant, or both.

This is not a niche compliance concern. Under UK GDPR, the WEEE Regulations 2013 and the Data Protection Act 2018, every UK business has specific legal obligations for how it disposes of IT equipment. The ICO can fine up to £17.5 million or 4% of global turnover for data protection failures. The Environment Agency has unlimited penalty powers for illegal waste disposal. The gap between what most businesses do and what the law requires is one of the most consistent and easily avoided risks in UK business operations.

Here is exactly what the law requires, what the four common mistakes actually cost, and the six-step process every UK business should follow.

Key takeaways

  • Factory reset deletes the directory, not the data. 83% of used drives still hold recoverable data after basic deletion.

  • Putting IT equipment in a general bin or skip is illegal under the WEEE Regulations 2013.

  • Donating or reselling a device without certified data destruction is a data breach.

  • Free collection with no certifications is not a compliant disposal route.

  • The six-step compliant process is straightforward and frequently costs less than businesses expect once value recovery is included.

The four things businesses get wrong

Understanding what not to do is as important as knowing the right process. These four mistakes are the most common, and each carries a different type of risk.

Factory reset or format. A factory reset removes the device's operating system index. It does not overwrite the underlying data. A factory reset or formatting the hard drive is not enough. Modern software tools can still recover the data even after these steps. Industry studies consistently show that around 83% of used drives still yield recoverable data after basic deletion. Under UK GDPR, you must demonstrate that data was appropriately destroyed. A factory reset produces no certificate, no serial-level record and no evidence whatsoever. If the ICO asks for proof of destruction, "we reset it" has no evidential value.

General bin, skip or landfill. IT equipment is classified as Waste Electrical and Electronic Equipment. The WEEE Regulations 2013 cover the disposal of computers and businesses must recycle any old computer where possible to ensure it is disposed of safely and in a way that causes as little harm to the environment as possible. Putting a laptop or server in a general bin or skip is not recycling and not compliant. It breaches your waste duty of care under the Environmental Protection Act 1990, and the Environment Agency has unlimited powers to prosecute businesses that breach it.

Donating or reselling without certified data destruction. Giving a device to a charity or reselling it through eBay with a factory reset and good intentions is a data breach in progress. The charity or buyer receives whatever data was on that device. Under UK GDPR, your responsibility for that data does not end when the device changes hands. If someone recovers client records, financial data or employee information from a donated device, the liability flows back to the organisation that donated it.

Free collection with no certifications. Free collection for businesses is offered by several providers, but the critical question is how data is handled and what documentation is provided. A vendor offering free collection with no ISO 27001 certification, no ADISA membership, no named data destruction standard and no Certificate of Destruction is not providing a compliant disposal service. The service is free because they are profiting from your assets without applying the controls that would slow that process down. Your data leaves with the device and your liability stays with you.

asd2

The six-step compliant disposal process

Step 1: Audit your IT assets before anything moves. Every device that is going to disposal must be listed before it leaves the building. Serial number, device type, assigned user, data classification. This is the master record that the chain of custody and the Certificate of Destruction flow from. Without it, you cannot prove what was disposed of or when.

Step 2: Back up everything you need to keep. Before any device is wiped or collected, copy all data you want to retain to a secure backup destination. Verify the backup works. Once a drive is sanitised to NIST SP 800-88 Rev. 2 Purge standard, the data is gone. There is no recovery. Back up first, verify second, then proceed.

Step 3: Choose a certified ITAD vendor. Organisations need a provider they can defend in an audit, one that protects sensitive data, proves exactly what was destroyed, and disposes of remaining materials responsibly. At a minimum, your vendor must hold ISO 27001 for information security management, ADISA Standard 8.0 for data destruction assurance, and a valid Environment Agency waste carrier licence. Ask for certificate numbers, not logos on a website. From October 2026, they must also be registered on DEFRA's Digital Waste Tracking Service.

Step 4: Arrange certified collection with chain of custody. A compliant collection is not a DPD parcel. A certified ITAD vendor collects your assets with formal chain of custody paperwork that documents the transfer of responsibility from your site to their facility. From this point, every device is tracked by serial number through the destruction process. This is the foundation of the audit trail you need to prove compliant disposal.

Step 5: Data destruction to NIST SP 800-88 Rev. 2 standard. This is the internationally recognised standard for media sanitisation. Purge level is the minimum for any device leaving your organisation. For SSDs, ATA Secure Erase must be applied to reach over-provisioned cells that standard overwrites miss. For failed, damaged or high-sensitivity media, physical destruction is the only appropriate outcome. Every device must be individually verified and logged. This is not a batch process. It is per-device, per-serial-number.

Step 6: Receive your Certificate of Destruction and retain it. The Certificate of Destruction is your proof of compliance. It must name every device by serial number, confirm the destruction method and standard applied, and be signed by the certifying party. A Certificate of Destruction is an official document issued after data-bearing equipment has been securely wiped or destroyed, and it is proof that all sensitive data has been permanently erased, ensuring compliance with data protection laws. Retain this document for a minimum of five years. From Q4 2026, it must also carry a DEFRA Digital Waste Tracking consignment reference.

What about devices that still have value?

Not all IT equipment at end of life is worthless. Asset recovery through certified remarketing can meaningfully offset disposal costs, and for recent-vintage hardware, can move the net cost into credit. A certified ITAD partner assesses every device, identifies what can be responsibly refurbished and resold, and applies that value back to your account. The value recovered from reusable assets at NanoSoft is returned to you, not pocketed.

This is the point where the economics of compliant disposal often surprise businesses. The cost of certified disposal, offset by value recovery on working devices, frequently comes out lower than the headline quote from an uncertified operator. And without any of the liability exposure that comes with the uncertified route.

Five things to check before you choose a vendor

Before you book any collection, ask for these five things in writing. A compliant partner provides them without hesitation.

  1. ISO 27001 and ADISA certification with verifiable certificate numbers.

  2. Valid Environment Agency waste carrier licence.

  3. Confirmation that data destruction is applied to NIST SP 800-88 Rev. 2 as a named standard.

  4. Serial-level Certificate of Destruction per device as a standard deliverable, not an optional extra.

  5. Confirmation of DEFRA Digital Waste Tracking Service registration ahead of the October 2026 mandatory deadline.

If any of these five cannot be confirmed in writing before collection, the vendor is not providing a compliant service.

Retire your IT. Recover its value. Prove it is gone.

NanoSoft provides certified IT asset disposal for UK businesses of all sizes. Free collection for 10 or more devices. Certified data destruction to NIST SP 800-88 Rev. 2. Serial-level Certificate of Destruction for every job. ISO 27001 certified, ADISA accredited, DEFRA DWTS ready. Value recovery on reusable assets returned to you. Contact us today and have your old IT collected, certified and documented within days.

Contact NanoSoft: services@nanosoftltd.com | 0800 677 1344 | Unit 8 & 9 Maldon Trade Park, Heybridge, Maldon CM9 4LJ, UK

Tagged:how to dispose of old laptopslaptop disposal business UKsecure laptop disposalserver disposal UKITAD UK
N

NanoSoft Team

Writer at Nanosoft - covering ITAD, data security, and sustainable technology lifecycle management.

Found this useful? Share it.

Work with us

Ready to Dispose of IT Assets Securely?

Our ITAD specialists help you manage end-of-life IT with confidence — from certified data erasure to compliant disposal.