Data wiping and regulations

Data wiping

Our research has shown that one of the biggest challenges is overcoming risk aversion in data and information security. If you decide to outsource the work of data wiping and refurbishment, this risk is transferred, which will provide reassurance that your organisation is compliant and that your reputation will be preserved. Make sure your partner has the necessary accreditations and software to undertake data wiping securely.

Good Things Foundation partners with Reconome, who ensure that all devices collected are managed through a secure chain of custody from start to donation. All devices are data sanitised with software certified to NIST 800-88. This ensures that all devices are fit for purpose and data free when handled through this process.

If you choose an in-house process, this can be more complicated, but don’t be discouraged!  

Wiping or replacing hard drives can be done in-house if you have staff with the technical skills and appropriate software.

Wiping or replacing hard drives may involve expenses for replacement hard drives or data wiping software such as Blancco, YouWipe, or DBAN. Data wiping software offers certification for infosec records. Before data wiping, your staff will also need to ensure BIOS locks, MDM software, and user accounts like iCloud are removed.

  • Data-bearing devices will need to be securely wiped in line with information governance policies and legal requirements/standards (e.g., the NIST 800-88 Standard for Media Sanitisation).
  • Partnering with a reputable refurbishment company can be a way of offsetting risk and providing assurance about secure, accredited data wiping processes and legal procedures.  

The best strategy is to find the standards that need to be met and work back from there to plan what you will need to do. This is not an exhaustive list but will give you some starting points to consider.

  • Speak to your legal and/or Infosec team about what needs to be in place for your organisation. 
  • Security is extremely important. Think about what your end-to-end process will look like, making sure you consider every step. For example, will you need to securely store the devices? Do you have a secure area where you can limit who has access? Put a Data Protection Impact Assessment in place.
  • What will your partner do with devices where a drive cannot be erased? Disposing of devices securely via a third party could incur cost.

Reconome

“Everyone, regardless of where or to whom they were born, deserves the chance to live a healthy life, access education, pursue a career, and discover their passion. Reconome makes this possible by securely refurbishing and rehoming surplus tech with those who need it most. As the accredited tech partner to Good Things Foundation’s National Device Bank, we meet Ministry of Defence Infosec Enhanced standards and use NIST 800-88-compliant erasure. Certified to ISO 27001 and GDPR-aligned, our turnkey process delivers peace of mind, end-to-end traceability, and measurable ESG and social impact, fully aligned with the IT Reuse for Good Charter and a fairer, greener future.”

Once the devices have had their data securely wiped, new operating systems will be needed on laptops (but not on phones or tablets – once reset, these should be ready to reuse). This may incur a cost, especially if you want to provide a more advanced OS. You can install a free OS called CloudReady that offers Chromebook features on a laptop, or ChromeOS Flex that comes in the form of a USB drive (these will require some setup). However, if your recipients need to use Microsoft Windows (e.g., if they need the device for education), then these sorts of OS might not be advanced enough. Smartphones and tablets can be set up with pre-loaded apps.

The table below offers information about the different basic operating systems available. Costs will depend on how many devices you are refurbishing at one time. You will need to make sure you check when the operating system will no longer be updated by the manufacturer – for example, any devices with Windows 10 OS will no longer be updated beyond 14th October 2025.

| Operating system | Device compatibility |
| --- | --- |
| Windows 10 | Most PCs and laptops. Check hardware requirements and which version is supported |
| Windows 11 | Most PCs and laptops. Check hardware requirements and which version is supported |
| Linux (Oracle) | Most PCs and laptops. Other distributors of Linux are available |
| Mac OS | Only on Mac devices |
| Chrome OS | Older PCs and Macs |
| Android | Most tablets and phones (Not Apple): Samsung, Google, Pixel |
| iOS | Apple iPhones |

In order to understand what choices you should make in setting up devices, you should make sure you understand the needs of your intended recipients. It will be no good doing all the hard work of collecting and refurbishing, only to discover that no one wants what you are offering!

Google Windows 10 to Windows 11 Transition

Empower digital inclusion by repurposing aging Windows devices with ChromeOS Flex, offering a secure, fast, and accessible computing experience.

“The remarkable benefit? Just like new Chromebooks, these devices are backed by 10 years of guaranteed updates from their original manufacture date, giving a five-year-old laptop a valuable five more years of secure and supported “second life.” When combined with straightforward not-for-profit licensing for managing these devices, they become dependable, long-term loaners, fostering both digital equity and a sustainable future. This is particularly crucial for any Windows 10 devices that won’t run Windows 11, and will become insecure after October 14th, 2025. Google makes funding available to help not-for-profit organisations get started.

Legal requirements

If you will be distributing devices to the general public, you will need to ensure that you follow consumer protection guidelines and legislation (e.g., PAT testing of all devices), as well as data protection. 

As all organisations are different, models employed tend to be bespoke. Some, for example, employ an ITAD to undertake most of the technical aspects of the refurbishment process while retaining control over the devices and handling collection and/or distribution themselves. You will need to make sure you are clear on who is responsible for what, and that each meets the legal requirements for their part of the process.

Data protection and risk management

Data Protection applies to all processing of personal data (i.e., information about a living person such as their name, phone number, location – this can include images) where the person could be identifiable from the information held. It also applies to sensitive data, including any information about political or religious beliefs, health, or sexuality.

Any donated devices could have sensitive or personal data on them, which leaves your organisation open to the risk of data breach that could expose contributors to harm. You must take steps to ensure you are processing data securely, efficiently and legally. 

Two important concepts central to the UK General Data Protection Regulation (GDPR) are Data Protection by Design and Data Protection by Default. By design refers to embedding data privacy into the design of procedures and policies from the early stages (for example, considering your end-to-end process via a Data Protection Impact Assessment). By default means that any processes should automatically take data protection into account (for example, holding personal data on stored devices for as short a period as possible; ensuring that the fewest number of people possible have potential access to any data on devices during storage).

Conduct a thorough risk assessment that enumerates the potential harms to individuals that your organisation will need to safeguard against. This will differ depending on the type of organisation and the types of data that devices may hold – NHS devices may hold highly sensitive health information, and those used in a university or office might have students’ or employees’ personal information, whereas corporate devices may hold client information.

Make sure you speak regularly with whoever in your organisation is responsible for data security.

UK government guidance to be aware of in this area:

  • UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018
  • Electrical Equipment (Safety) Regulations, 2016
  • Reusing waste electrical and electronic equipment (WEEE) and components removed from WEEE (2022)