GDPR Compliance When Disposing Of Old Company Tech
Professional Security, Tuesday, March 24th, 2026
Teams prioritise performance gains, enhanced security and operational continuity. Yet while attention shifts to the future, less thought is given to what happens to the devices being retired, even though older hardware may still contain recoverable information.
Research suggests this is a larger issue than many businesses realise. A study by the University of Hertfordshire's Cyber Security Centre found that 65 per cent of discarded devices still contained recoverable data, illustrating how sensitive information can persist long after equipment is considered redundant.
For businesses, this presents a material GDPR risk. Laptops, servers and mobile devices that are decommissioned without proper sanitisation may still hold personal data. If that data can be recovered, organisations may struggle to demonstrate that appropriate safeguards were in place, even where disposal was routine and well intentioned.