The old company computer needs to be retired. Most companies have a simple solution for this: format the hard drive and send it to electronic waste, or possibly resell it for a fraction of the price to an interested employee. But is this really safe? What consequences could improper data removal have for the company? In the digital age, what has ‘disappeared’ from the screen often still exists in the device’s memory. And this can cost the company both a lot of money and its reputation.
Many managers still believe in a simple scenario: the laptop leaves with the employee, the IT specialist formats the hard drive, and the matter is closed. The problem is that this way of thinking is straight out of the previous decade. Technology has advanced, but awareness has not always kept pace. In an interview with us, Jarosław Dancewicz, CEO of SDR-IT, states outright that technological advances make it very easy to recover such data.
‘Formatting does not work. Nowadays, with modern technology and systems, there is no problem with recovering data after simply formatting and deleting a hard drive,’ says Jarosław Dancewicz, president of SDR-IT.
SDR-IT has been professionally removing files and disposing of electronic waste in many industries for over a dozen years. In conversation with us, Dancewicz openly admits that about 80% of the companies his company works with are foreign corporations with branches in Poland. Domestic companies still approach this issue without fully understanding the consequences, and according to Dancewicz, IT departments ‘fight tooth and nail’ to prove that they are capable of deleting data from devices themselves. Meanwhile, the consequences of improperly disposing of files from company equipment can be truly far-reaching.
Secure data deletion. What can this give us?
Miłosz Krzywania, legal advisor and member of the management board at SDR-IT, states bluntly that programmes for recovering data after formatting are available online, even for free. In this situation, no company laptop that has been ‘retired’ can be treated lightly. After all, it is not known exactly where the device will end up after it is thrown away as electronic waste or how an employee will use it at home.
‘When the GDPR regulations came into force in 2018, companies became interested in the subject of data protection. The problem, however, is that companies protect data when they use it. And there is still no awareness in Poland of what happens when we stop using it,’ says Miłosz Krzywania, legal advisor and member of the management board at SDR-IT.
Krzywania emphasises that this approach is highly irresponsible. In the era of widespread digitalisation, even refrigerators can collect data, and devices such as phones and laptops can contain 90% of a company’s know-how. Computers and smartphones belonging to CEOs, IT specialists and salespeople contain telephone numbers, addresses, customers’ personal identification numbers and other sensitive data. Of course, the storage of this information should be in accordance with the GDPR, but so should its deletion.
The illusion of security versus the real risk
What is the real risk? Let’s say that an IT specialist deletes data from a laptop by formatting the hard drive, and then one of the employees buys the device. After some time, it turns out that the data of one of the company’s customers has been leaked online. The Data Protection Authority will launch an investigation, which will reveal that the leak came from this laptop.
If both the IT specialist who formatted the hard drive and the employee who purchased the laptop are on standard employment contracts, their maximum financial liability is up to three months’ salary. Meanwhile, the Data Protection Authority can impose fines of millions on companies. In such a situation, even holding two employees liable will not compensate for these losses.
Another issue is transparency. If customer or contractor data does indeed fall into the wrong hands, the CEO cannot tell the UODO (the Polish Data Protection Authority) that the IT specialist formatted the computer, so everything is fine. This is not a sufficient explanation. The procedure for disposing of data, as well as for storing and administering it, should be transparent. This can be achieved by cooperating with companies that deal with this in a professional manner.
Deleting company data as a security measure
In the case of our interlocutors from SDR-IT, the procedure for permanently deleting data consists of overwriting it with a string of zeros. A company providing this type of service should have specialised software to perform such operations. Of course, overwriting is not everything. Miłosz Krzywania tells us what happens next:
‘After deleting the data, we issue a certificate confirming that the data has been deleted. In addition, our software then tests the device or medium and issues a report. It contains all the necessary information: what method of data deletion was used, whether the process was carried out correctly and whether any errors occurred.’
There are several ways to delete files, and the method used depends on the type of data. There are so-called ‘shallow’ methods, used in most cases, but when classified or top-secret information is involved, it is recommended to use ‘deep’ methods.
Regardless of the method used, the contractor deleting the data should issue the company with a certificate and a report on the entire process. This way, in the event of a data leak, such documents can be presented to the relevant authorities as proof that the incident was most likely not related to the company. It is a kind of ‘insurance policy’ that means much more than simply declaring that ‘the company’s IT specialist has wiped the disk’.
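The difference between formatting and a verified zero overwrite can be shown on a small scale. The following is an added example, not SDR-IT's software: it assumes a constructed disk image file rather than a physical drive, and all function names and the sample record are hypothetical.

```python
import os, tempfile

SECTOR, CHUNK = 512, 1 << 20
RECORD = b"CUSTOMER;Example Client;ID=0000000000"   # constructed sample data

def make_image(path, sectors=4096):
    data = bytearray(sectors * SECTOR)               # constructed 'disk' image, all zeros
    data[:5] = b"FSHDR"                              # stand-in for filesystem metadata
    data[100 * SECTOR:100 * SECTOR + len(RECORD)] = RECORD
    with open(path, "wb") as f:
        f.write(data)

def quick_format(path):
    """Model of a quick format: only the metadata sector is rewritten."""
    with open(path, "r+b") as f:
        f.write(bytes(SECTOR))

def recoverable(path, needle=RECORD):
    """What a recovery tool does in essence: scan the raw medium for known content."""
    with open(path, "rb") as f:
        return needle in f.read()

def zero_wipe(path):
    """Overwrite every byte with zeros, read it all back, and return a report."""
    size, errors, residual = os.path.getsize(path), [], 0
    try:
        with open(path, "r+b") as f:
            for off in range(0, size, CHUNK):
                f.write(bytes(min(CHUNK, size - off)))
            f.flush()
            os.fsync(f.fileno())                     # push the zeros to the medium
        with open(path, "rb") as f:                  # verification pass
            while chunk := f.read(CHUNK):
                residual += len(chunk) - chunk.count(0)
    except OSError as exc:
        errors.append(str(exc))
    return {"method": "single-pass zero overwrite", "bytes_written": size, "errors": errors,
            "residual_nonzero_bytes": residual, "verified": residual == 0 and not errors}

def demo():
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "disk.img")
        make_image(img)
        quick_format(img)
        after_format = recoverable(img)              # record survives the format
        return after_format, zero_wipe(img), recoverable(img)

if __name__ == "__main__":
    print(demo())
```

The returned report carries the same three items the quoted report is said to contain: the method used, whether the process completed correctly, and any errors.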
Removal or disposal of equipment
Of course, that’s not all. In the situation described above, the contractor responsible for data removal becomes the entity responsible for the proper execution of this process. After the company presents the documents, the UODO or another authority turns to the contractor. Miłosz Krzywania says bluntly: ‘We are a shield for the customer.’
What exactly happens to the equipment at the data removal company? It all depends on whether we only want to delete the files and recover the equipment, or whether we want to dispose of the device completely, but in accordance with the regulations. At SDR-IT, in the latter case, the entrepreneur also receives documents related to the entry of the equipment in the Product Database so that, if necessary, they can prove that the device has been disposed of in accordance with the law.
In the case of hard drives, such disposal involves deleting data from the drive or demagnetising it (if possible, mainly with older HDD models) and then putting the device into a shredder. This produces waste measuring a few millimetres, which must also be treated in accordance with the relevant regulations.
This last aspect is particularly important in the context of the BDO regulations in Poland. Companies must report what happens to withdrawn devices. Have they been recycled? Have they been disposed of properly? In the event of an inspection, everything must be transparent. That is why it is worth using the services of a professional company offering data removal and disposal, which will issue documentation after the entire process indicating exactly what happened to the device.
Not just phones and laptops. What else collects company data?
What devices are we talking about? When I talk to the CEO of SDR-IT, he says that, apart from smartphones and laptops, monitors and printers are most often disposed of. The company also destroys landline phones, which are becoming increasingly rare. In 2025, they disposed of over 5,000 of them. Can data leaks also occur with such inconspicuous equipment?
‘Most large printers found in offices, known as multifunction devices, have hard drives. Virtually every document that is photocopied or printed by such equipment is saved on the hard drive. Some may say that nothing is saved on a landline telephone, but this is also a mistake, because they have a log of calls and numbers,’ says Jarosław Dancewicz, president of SDR-IT.
