What Happens to Your Old IT Equipment — And Why Most Businesses Get This Wrong

There's a stack of old laptops sitting in a cupboard somewhere in your office right now.

Maybe it's a few. Maybe it's twenty. Maybe it's an entire room of monitors, keyboards, servers, and phones that nobody's touched since the last upgrade cycle. You know you need to do something with them. You just haven't got round to it yet.

This is one of the most common — and most quietly dangerous — situations in business today. Not because old laptops are inherently risky. But because of what happens to the data on them, the legal obligations you may not know you have, and the environmental cost of getting disposal wrong.

Most business owners and office managers I speak to assume IT recycling is straightforward. You call someone, they collect the kit, job done. What they don't realise is that without the right provider, "job done" can mean your company's data ends up somewhere it shouldn't, you're non-compliant with UK law, and you have no proof of what happened to any of it.

This post is about why that matters — and what doing it properly actually looks like.

The Problem Nobody Talks About Until It's Too Late

Let's start with the thing that should concern you most: data.

When a laptop or desktop computer leaves your business, everything that was ever stored on it has the potential to go with it. Emails. Client records. Financial documents. HR files. Passwords. Strategic plans. The entire digital footprint of however long that device was in use.

Deleting files doesn't remove them. Formatting a hard drive doesn't remove them. Even a factory reset, on most devices, doesn't permanently destroy the data — it just removes the index that points to it. With the right software, which is freely available online, deleted files can be recovered from a drive that looks completely blank.

This isn't a theoretical risk. Data breaches from improperly disposed IT equipment happen regularly, and the consequences for businesses can be significant. Under UK GDPR, your business is responsible for the personal data you hold — and that responsibility doesn't end when the device leaves your building. If a hard drive containing customer data ends up in the wrong hands because it wasn't properly wiped before disposal, that's a data breach. And data breaches have to be reported to the ICO, can result in fines, and can do serious damage to your reputation with clients.

The second problem is legal compliance — specifically around e-waste.

Under the WEEE Directive (Waste Electrical and Electronic Equipment Regulations), businesses in the UK have a legal obligation to dispose of electronic equipment through approved channels. You cannot legally put IT equipment in general waste. You cannot send it to landfill. Even donating or giving it away without proper data destruction can create liability.

Most business owners know vaguely that there are rules around this. Very few have a clear process for making sure they're following them. And in the day-to-day running of a business, IT disposal tends to sit at the bottom of the priority list — right up until it becomes urgent.

The third problem is cost and lost value.

Old IT equipment isn't just a liability. In many cases, it's an asset. Working devices — even three or four years old — have resale value. Components have scrap value. Businesses that dispose of IT equipment without a proper process routinely leave money on the table, either by paying for disposal when they could be recovering value, or by missing the residual worth of devices that still work perfectly well.

Put all three together — data risk, legal risk, and lost value — and you start to see why "I'll deal with it eventually" is a more expensive position than it looks.

What IT Recycling Actually Involves

Let me walk through what a proper IT recycling and disposal process looks like — because it's more structured than most people expect, and understanding it helps you ask the right questions when choosing a provider.

Collection and asset logging

The process starts before anything is wiped or recycled. Every device should be logged — make, model, serial number, condition. This creates an asset register that forms the basis of your audit trail. You need to know exactly what left your business, when, and what happened to it. Without this, you have no way of demonstrating compliance if you're ever asked.

A good provider will manage this collection and logging process for you. They'll come to your site, catalogue everything, and provide you with a full inventory before anything moves.

Data destruction

This is the most important part of the process and the one that most casual disposal approaches skip entirely.

There are two primary methods of data destruction:

Overwriting — software-based wiping that writes over every sector of the hard drive multiple times, making the original data unrecoverable. This is the method used when devices are going to be reused or resold, because it leaves the drive intact and functional.

Physical destruction — the drive is shredded, crushed, or degaussed (exposed to a powerful magnetic field that destroys the data). This is used when devices are being recycled for parts or materials, or when overwriting isn't sufficient for the sensitivity of the data involved.

Either way, you should receive a certificate of data destruction — a documented record that specifies which devices were processed, what method was used, and that the data has been permanently and irreversibly destroyed. This certificate is your evidence of compliance. Keep it.

Reuse and refurbishment

Devices that are still in working condition — or can be repaired and brought back to working condition — don't need to be broken down. They can be refurbished, data-wiped, and resold or donated. This is the most environmentally preferable outcome, and it's also where residual value is recovered.

A responsible provider will assess every device and prioritise reuse where possible. You may receive a return on devices that still have market value — which can offset the cost of collection and processing.

Recycling and responsible disposal

Devices that can't be reused are broken down into their component materials. Metals — copper, aluminium, gold, silver — are recovered and fed back into manufacturing supply chains. Plastics are processed separately. Hazardous materials like the mercury in older screens or the lithium in batteries are handled according to environmental regulations.

What should never happen is IT equipment being sent to landfill, exported illegally to developing countries (a known issue in the e-waste industry), or processed by unlicensed operators who don't meet environmental standards.

Documentation and compliance reporting

At the end of the process, you should have a clear paper trail: the asset register, the certificates of data destruction, and confirmation of how each device was processed — reused, recycled, or responsibly disposed of. This documentation is what you'd produce in the event of an ICO inquiry, an audit, or a client asking about your data handling practices.

Why "Just Passing It On" Isn't Good Enough

One of the most common approaches businesses take with old IT equipment is informal redistribution. Staff take home old laptops. Equipment gets donated to local schools or charities. Devices get passed to other businesses.

None of this is inherently wrong — but all of it carries risk if done without proper data destruction first.

The person who takes home the old office laptop might discover, when they plug it in, that the previous user's files are perfectly accessible. The school that receives the donated computers might find client data, HR records, or financial information sitting in the documents folder. The charity that gratefully accepts your old servers might unknowingly inherit a data security problem.

Your legal responsibility for the data on those devices doesn't transfer when you hand over the hardware. It stays with you. If that data is later accessed, exposed, or misused, you're still the organisation that failed to protect it.

Proper data destruction before redistribution eliminates this risk entirely. It means you can donate, sell, or transfer equipment freely — and be confident that nothing of value or sensitivity has gone with it.

The Hidden Cost of Doing Nothing

I want to come back to the cupboard full of old laptops I mentioned at the start. Because for most businesses, the real risk isn't active mishandling. It's passive accumulation.

Equipment builds up. Upgrade cycles happen. Staff leave and their devices go into storage. The server from four years ago gets replaced but nobody quite gets round to decommissioning it properly. The pile grows.

And the longer it sits there, the bigger the problem becomes. Every device in that pile is a potential data breach waiting to happen. Every month it goes unaddressed is another month of non-compliance with your disposal obligations. And every device that ages past the point of resale value is money that's already left the table.

There's also a practical risk that's easy to overlook: if your business is ever involved in legal proceedings, a regulatory inquiry, or a client audit, you may be asked to demonstrate how you handle data — including how you dispose of it. "We keep old laptops in a cupboard and deal with them eventually" is not an answer that inspires confidence.

The cost of getting this right is genuinely low. The cost of getting it wrong — in fines, reputational damage, or lost client trust — can be very high.

What to Look for in an IT Recycling Provider

Not all IT recycling providers are equal. Here's what you should be checking before you hand over your equipment.

Certification

In the UK, the key certification to look for is ISO 27001 — the international standard for information security management. This tells you the provider has systematic processes for handling data securely. You should also look for Cyber Essentials certification and membership of recognised industry bodies.

WEEE compliance is non-negotiable. Your provider should be a registered waste carrier and be able to demonstrate that their downstream processing meets UK environmental regulations.

Certificate of data destruction

Any credible provider will issue a certificate of data destruction for every device processed. If a provider can't or won't provide this, that's a significant red flag. This document is your proof that data was destroyed — without it, you have no way of demonstrating compliance.

Audit trail and asset reporting

You should receive a full report of every asset collected — what it was, its condition, its serial number, and what happened to it. This transparency is what compliance looks like in practice.

UK-based processing

Some IT recycling companies collect equipment in the UK and then export it for processing — sometimes to countries where environmental and data standards are significantly lower. This creates both environmental and data security risks. Confirm that your equipment is processed in the UK by the provider you're contracting with.

Clear value recovery process

A good provider will tell you upfront which of your devices have residual value and what return you can expect. If a provider is vague about this — or offers a flat-fee disposal service without assessing your equipment — you may be leaving money behind.

How MGH Scotland Handles This

MGH Scotland provides IT recycling and asset disposal services for businesses across Scotland — from small offices clearing out a handful of old devices to larger organisations managing full hardware refresh cycles.

The process is straightforward. We come to you, catalogue your equipment, and handle everything from collection through to certified data destruction and responsible recycling or refurbishment. You get a full asset report, certificates of data destruction for every device, and a clear picture of how your equipment was processed.

For devices that still have value, we recover it — which often means the service costs you less than you'd expect, and in some cases returns money to your business.

For devices that are at end of life, we ensure they're processed in compliance with WEEE regulations, with no risk of data exposure and no equipment going to landfill.

The documentation you receive at the end of the process is your compliance record — the evidence that your business handled its IT disposal properly, completely, and in line with its legal obligations under UK GDPR and the WEEE Directive.

The Simple Version

If you've read this far and want the short version, here it is.

Your old IT equipment contains data you're legally responsible for. Deletion isn't data destruction. Putting it in a cupboard and hoping for the best is not a compliance strategy. And there's a reasonable chance the equipment you're sitting on has more value than you think.

Getting this right doesn't require a lot of time or effort on your part. It requires a provider with the right certifications, the right processes, and the documentation to prove it.

MGH Scotland handles all of it. If you've got equipment that needs to be dealt with — whether it's five laptops or five hundred — get in touch and we'll tell you exactly what the process looks like and what you can expect.

Because the one thing that's certain is that the pile in the cupboard isn't getting smaller on its own.