[Image: secure IT equipment disposal with hard drive and padlock concept. Caption: Secure disposal starts with protecting the data-bearing media.]

Disposing of IT equipment is not just a facilities task or an occasional clear-out. It is a data security decision, a compliance decision, and a reputational decision. Yet many organisations still treat end-of-life laptops, servers, and storage media as low-risk items once they leave the building. That is where problems start.

If your organisation is reviewing how it handles old devices, this guide explains the most common mistakes we see, why they matter, and what good looks like in practice. If you need a compliant route for media destruction, a hard disk drive shredding service is designed to remove the risk at the point it matters most: the data-bearing media.

Why IT disposal goes wrong so often

IT disposal sits between teams. IT owns the devices. Facilities may arrange collections. Finance may control asset write-offs. HR may be involved when leavers return equipment. Procurement may manage supplier relationships. When responsibilities are shared, gaps appear.

Those gaps tend to show up in three places:

  • Unclear decisions: people are not sure whether to wipe, reuse, recycle, or destroy.
  • Weak controls: devices are stored or transported without a clear chain of custody.
  • Missing evidence: the organisation cannot show what happened to each asset and its media.

The mistakes below are common across organisations of all sizes, including those with strong IT teams. The difference is not intent. It is process.

Mistake 1: Assuming “deleted” means “gone”

One of the most persistent misconceptions is that deleting files, emptying the recycle bin, or even reformatting a drive makes data unrecoverable. In reality, much of that activity simply removes the signposts to the data rather than the data itself. Depending on the drive type, the operating system, and what happens next, information can remain recoverable using widely available tools.

This matters because IT equipment rarely contains just one type of data. A single laptop can hold customer records, HR documents, finance exports, cached email, browser passwords, VPN configurations, and authentication tokens. A server drive can contain databases, backups, logs, and snapshots. Even a device that only ran a line-of-business application may still hold credentials and configuration files.

A useful way to think about it is this: if the device was ever used for real work, it probably contains something you would not want to see on the front page of a newspaper.

What to do instead:

  • Treat data-bearing media as sensitive by default.
  • Use a documented, repeatable disposal process with clear ownership.
  • For high-risk media, choose physical destruction so recovery is not an option.

Mistake 2: Relying on factory reset or basic wiping without verification

A factory reset can be helpful for redeployment, but it is not a guarantee of secure sanitisation. The same is true of software wiping when it is applied inconsistently, configured incorrectly, or left unverified.

Common failure points include:

  • Wipes that do not complete, but the device is still marked as cleared.
  • Incorrect wipe methods for SSDs, where wear levelling can leave remnants.
  • Missing secondary storage such as additional internal drives.
  • Overlooking removable media including SD cards and USB drives.

The biggest issue is often the absence of evidence. When auditors, clients, or internal governance teams ask “how do we know the data is gone?”, many organisations cannot produce a defensible answer.

HDDs vs SSDs: why the method matters

Hard disk drives (HDDs) and solid-state drives (SSDs) behave differently. HDDs store data magnetically on spinning platters. SSDs store data on flash memory chips and use controller logic to spread writes across cells (wear levelling). That difference matters because a wipe method that is suitable for one may be unreliable for the other.

For SSDs, the safest approach is often to use manufacturer-supported secure erase methods, combined with verification. Even then, organisations may still choose physical destruction for high-risk media because it removes uncertainty.

What to do instead:

  • Decide your sanitisation standard based on the sensitivity of the data and the device type.
  • Record the method used, who performed it, and when.
  • Where you need certainty, use a hard disk drive destruction service that provides a clear, auditable outcome.

Mistake 3: Forgetting that the real risk is the storage media, not the device

When people think “IT equipment”, they picture the whole unit: the laptop, the desktop tower, the server chassis. The risk, however, sits primarily in the storage media: hard disk drives, solid-state drives, tapes, and other data-bearing components.

This is why responsible recycling alone is not enough if it does not include verified media destruction. A device can be recycled in good faith while the drive inside it is still readable.

It is also why organisations sometimes dispose of equipment safely but still suffer incidents. The device may have been collected for recycling, but a drive was removed, stored incorrectly, or sold on.

Common places storage media hides

It is easy to miss media if you do not look for it. Examples include:

  • Desktop PCs with more than one internal drive.
  • Servers with hot-swap bays, plus internal boot drives.
  • Network storage units with multiple disks.
  • Photocopiers and MFDs with internal hard drives.
  • CCTV and access control systems with local storage.
  • Routers, firewalls, and switches with onboard storage or removable cards.

What to do instead:

  • Identify which assets contain storage media.
  • Remove and track drives as separate items where appropriate.
  • Use a documented chain of custody from collection to destruction.

Mistake 4: Breaking the chain of custody during collection and storage

Even if your end method is sound, the process can fail in the middle. The most common weak points are:

  • Devices left in corridors, loading bays, or shared storage rooms.
  • Unsealed containers or open pallets awaiting collection.
  • Collections arranged ad hoc with no named owner.
  • Multiple handovers with no record of who had access.

From a risk perspective, the time between “device retired” and “media destroyed” is the danger window. If that window is poorly controlled, you are relying on luck.

What a strong chain of custody looks like

A strong chain of custody is simple, consistent, and easy to audit. It usually includes:

  • A named owner for each collection.
  • A list of assets and media included in that collection.
  • Secure storage until collection.
  • Secure transport.
  • A clear record of destruction.

What to do instead:

  • Store retired equipment in a secure, access-controlled area.
  • Use locked containers where feasible.
  • Keep an inventory of items awaiting disposal.
  • Choose a provider that can demonstrate secure handling and traceability.

Mistake 5: Mixing IT disposal with general waste or office clear-outs

Office moves and clear-outs are busy, high-pressure periods. That is exactly when mistakes happen. Old PCs get stacked with furniture, boxes get labelled vaguely, and equipment ends up in skips, mixed recycling, or donation piles.

This is not just a data risk. It can also create environmental and duty-of-care issues if electrical waste is handled incorrectly.

The hidden cost of “we’ll sort it later”

When IT disposal is bundled into a general clear-out, it becomes harder to answer basic questions:

  • Which devices were disposed of?
  • Which drives were removed?
  • Which items were reused or sold?
  • Who approved the decision?

If you cannot answer those questions quickly, you are exposed during audits and client assurance checks.

What to do instead:

  • Separate IT disposal into its own workstream during clear-outs.
  • Brief staff on what must never go into general waste.
  • Use a scheduled collection plan with clear labelling and responsibility.

[Image: chain of custody for retired IT assets using sealed containers and tracking. Caption: A secure chain of custody reduces the risk window.]

Mistake 6: Treating compliance as a tick-box exercise

Regulatory expectations and contractual obligations are not satisfied by good intentions. They are satisfied by evidence.

Many organisations can describe what they usually do but cannot show:

  • A written disposal policy.
  • A record of assets disposed of.
  • Proof of destruction.
  • A consistent process across sites.

This becomes a problem when you are asked to demonstrate compliance, especially after a client questionnaire, a security review, or an incident.

What evidence usually needs to show

While requirements vary, organisations are often expected to show:

  • What was disposed of (asset IDs, serial numbers, quantities).
  • When it was collected and by whom.
  • What happened to the data-bearing media.
  • Confirmation of destruction or sanitisation.
  • Retention of records for an agreed period.

What to do instead:

  • Document your disposal process and align it with your wider information security controls.
  • Keep records that link asset IDs to destruction outcomes.
  • Use services that support audit trails and reporting.
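
One way to link asset IDs to destruction outcomes, and to catch the multi-drive devices described under Mistake 3, is to reconcile the retirement inventory against the provider's certificate. This is an added example, not part of the original article; the CSV column names, asset IDs, serials and dates are constructed for illustration.

```python
import csv
import io

# Constructed sample data: asset IDs, serials and column names are illustrative.
INVENTORY_CSV = """asset_id,device_type,media_serial
LT-0101,laptop,SSD-A1
SRV-0007,server,HDD-B1
SRV-0007,server,hdd-b2
SRV-0007,server,SSD-BOOT1
MFD-0003,photocopier,HDD-C1
"""

# Constructed certificate-of-destruction export from a hypothetical provider.
CERTIFICATE_CSV = """media_serial,method,destroyed_on
SSD-A1,shred,2024-05-02
HDD-B1,shred,2024-05-02
 HDD-B2 ,shred,2024-05-02
HDD-Z9,shred,2024-05-02
"""


def _norm(serial):
    """Serials are often re-keyed by hand; compare trimmed and upper-cased."""
    return serial.strip().upper()


def reconcile(inventory_csv, certificate_csv):
    """Return assets fully evidenced, media lacking evidence, and stray serials."""
    expected = {}  # media serial -> owning asset ID
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        expected[_norm(row["media_serial"])] = row["asset_id"].strip()

    destroyed = {
        _norm(row["media_serial"])
        for row in csv.DictReader(io.StringIO(certificate_csv))
    }

    missing = {}  # asset ID -> serials with no destruction record
    for serial, asset in expected.items():
        if serial not in destroyed:
            missing.setdefault(asset, []).append(serial)

    return {
        # An asset is closed only when every one of its drives is evidenced.
        "closed": sorted(set(expected.values()) - set(missing)),
        "missing": {asset: sorted(s) for asset, s in missing.items()},
        # Destroyed media that was never inventoried points to a tracking gap.
        "unexpected": sorted(destroyed - set(expected)),
    }
```

In the sample data the server stays open because its internal boot drive has no destruction record, even though both hot-swap disks were shredded.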

Mistake 7: Underestimating the risk of “small” media

Hard drives are obvious, but they are not the only risk. Smaller items can be easier to lose and easier to mishandle:

  • USB drives used for transfers
  • SD cards used in cameras and devices
  • Backup tapes and cartridges
  • External drives used for ad hoc backups

These often contain concentrated, high-value data because they are used for exports, backups, and transfers. They also tend to bypass central controls.

Why portable media is often higher risk than you think

Portable media is frequently used for:

  • One-off exports of customer data.
  • Finance extracts for reporting.
  • HR reports.
  • Project handovers.
  • Backup copies created “just in case”.

Those files can be sensitive, and they may not be encrypted. If the media is lost, it may not be noticed quickly.

What to do instead:

  • Include removable media in your disposal policy.
  • Maintain a register for high-risk portable storage.
  • Use secure destruction for media that cannot be reliably sanitised.

Mistake 8: Choosing a provider based on convenience rather than security

IT disposal providers vary widely. Some focus on recycling logistics. Others focus on data security. The difference matters.

Red flags to watch for include:

  • Vague descriptions of how media is handled.
  • No clear chain-of-custody process.
  • Limited reporting or no certificates.
  • Outsourced steps with unclear accountability.

Convenience is important, but it should not come at the expense of control.

Questions worth asking before you book

If you are comparing providers, ask questions that reveal how they operate:

  • How are assets and drives tracked from collection to destruction?
  • What happens if a device contains more than one drive?
  • How is media stored before destruction?
  • What documentation do we receive?
  • Can you support on-site destruction if required?

What to do instead:

  • Ask how items are tracked from collection to destruction.
  • Confirm what happens to drives, not just devices.
  • Ensure you receive documentation suitable for audits and client assurance.

Mistake 9: Not planning for hybrid working realities

Hybrid working has increased the number of devices outside the office. That changes disposal risk.

Common issues include:

  • Devices returned late or not returned at all.
  • Staff wiping devices themselves without oversight.
  • Old laptops stored in homes for months.

These situations are understandable, but they still need controls.

A simple approach for leavers and refresh cycles

A practical approach often includes:

  • A clear return deadline.
  • A named contact for returns.
  • A standard process for checking devices back in.
  • A decision tree: redeploy, wipe and reuse, or destroy.
  • A secure path for drives that are not being reused.

What to do instead:

  • Create a clear return and disposal process for leavers and refresh cycles.
  • Provide staff with simple instructions and a named contact.
  • Track devices and media until disposal is complete.

Mistake 10: Leaving disposal until later

When storage rooms fill up with retired equipment, organisations often delay action. The longer items sit, the harder it becomes to maintain accurate records and control access. It also increases the chance that devices are moved, cannibalised for parts, or disposed of informally.

Why delay increases risk

Delays create three predictable problems:

  • Inventory drift: what you think you have is not what you actually have.
  • Access creep: more people can reach the items over time.
  • Informal disposal: someone tries to be helpful and “gets rid of it”.

What to do instead:

  • Set regular disposal cycles.
  • Keep disposal aligned with refresh programmes.
  • Treat retired equipment as sensitive until destruction is confirmed.

A simple checklist for safer IT disposal

Use this as a practical starting point:

  • Identify all data-bearing media (HDDs, SSDs, tapes, removable media).
  • Decide the correct end method (sanitisation or physical destruction) based on risk.
  • Control storage and access while items await collection.
  • Maintain an inventory of assets and media.
  • Use a secure chain of custody.
  • Obtain documentation that supports audits.

A disposal policy template (quick outline)

If you are updating your internal policy, this outline can help:

  • Scope: devices covered (laptops, servers, storage, MFDs, CCTV, portable media).
  • Roles: who approves disposal, who arranges collection, who records evidence.
  • Storage: where retired equipment is kept and how access is controlled.
  • Sanitisation: approved methods by media type.
  • Destruction: when physical destruction is required.
  • Records: what is logged and how long it is retained.
  • Exceptions: how urgent disposals are handled.

If you want an approach that removes uncertainty, a hard disk disposal service provides a clear, final outcome for the data-bearing component.

Call us for secure IT media destruction

If your organisation needs a reliable way to dispose of hard drives and other data-bearing media, PaperMountains can help you reduce risk and simplify compliance.

Call 01634 980204 to discuss your requirements, or visit: https://www.papermountains.com/hard-disk-drive-shredding-hdd

