
ITAD and compliance: GDPR, ISO 27001 and your audit trail

When old IT leaves your building, the law still holds you responsible for the data on it. Here is what compliance really asks for, and how to prove you met it.

Kasper Horn Nielsen · 3 June 2026 · 9 min read

[Image: Devices under test at the diagnostics bench at Scandic IT]

Here is the part of IT disposal that catches companies out: handing a device to someone else does not hand over the responsibility. Until the data on that device is properly destroyed, and you can prove it, the law still sees it as yours. That is the heart of ITAD compliance, and it is simpler to get right than most people fear.

This post walks through what the rules actually ask for, and how to build an audit trail that stands up.

The rule that matters most

Under the GDPR, you are not allowed to keep personal data for longer than you need it. This is the storage limitation principle, in Article 5(1)(e). It applies to live systems, and it applies just as much to the data sitting on a laptop you have stopped using.

There is a second principle that does the real work here: accountability. It is not enough to believe the data is gone. You have to be able to show it. Regulators have been clear that verbal assurances from a supplier are not evidence. You need records.

Get this wrong and the penalties are serious. Breaching the basic data principles can bring fines of up to 20 million euros or 4 percent of global turnover, whichever is higher. Data protection authorities have already acted against organisations that sold or passed on old equipment without wiping it first.

Compliance is not about saying the data was destroyed. It is about being able to prove it, device by device, if anyone ever asks.

What “proof” actually means

An auditor or regulator does not want a promise. They want a trail. For ITAD, a strong trail has four parts.

| Element | What it shows | Why it matters |
| --- | --- | --- |
| Asset record | Which devices left and when | You cannot prove what you cannot list |
| Chain of custody | Who held each device, and when | Closes the gap where data goes missing |
| Erasure or destruction certificate | The data on each device is gone | This is the core evidence |
| Final outcome | Reuse, resale or recycling | Shows responsible, traceable disposal |

The thread running through all four is the device serial number. When every record ties back to a serial, you can answer the only question that really matters: what happened to that exact machine?

Why certifications matter

This is where standards earn their keep. Two are worth looking for in an ITAD partner.

  • ISO/IEC 27001 is the international standard for information security management. It means a partner has a checked, audited system for keeping data safe, not just good intentions.
  • ISO 9001 is the standard for quality management. It means their process is consistent and repeatable, so you get the same careful handling every time.

The key word is independent. These standards are audited by an outside body, so the claim is verified rather than self-declared. Scandic IT holds both, audited by A3CERT, and you can read more on our security and certifications page.

A certified partner does two things for your own compliance. They handle the data correctly, and they give you the evidence that you handled it correctly. That second part is what protects you.

Fewer hands, less risk

One quiet factor makes a big difference: how many companies touch your devices. Every time a device passes from one party to another, there is a handover where it can go missing and where the trail can break.

A partner who does the whole job in house, from collection through erasure to resale or recycling, keeps the chain short and the trail unbroken. There is one record, one responsible party, and no gap where a device disappears between a broker and a processor. When you are the one who has to prove compliance, a short chain is a real advantage.

A practical compliance checklist

If you want to know whether your IT disposal would survive a closer look, run through this.

  1. Can you list every device that has left your organisation? Make and serial.
  2. Do you have a certificate of erasure or destruction for each one?
  3. Can you show the chain of custody from your building to final disposal?
  4. Is your partner ISO 27001 and 9001 certified, audited by an independent body?
  5. Do you keep the records for as long as your retention policy requires?

If you can answer yes to all five, you are in good shape. A no on any of them is a gap worth closing before it becomes a problem.
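The four trail elements in the table above and the first three checklist questions can be turned into a mechanical check. The following is an added example, not Scandic IT's own tooling: the record layout, the `ORIGIN` label, the serials, certificate ids and party names are all constructed, and a real register would load these records from your asset system rather than a hard-coded list.

```python
# Added example, not Scandic IT's code: checks a constructed ITAD register for the gaps the checklist asks about.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Handover:
    released_by: str
    received_by: str
    date: str  # ISO date string (constructed sample values)

@dataclass
class AssetTrail:
    serial: str
    make: str
    custody: list = field(default_factory=list)  # ordered Handover records
    certificate_id: Optional[str] = None          # erasure or destruction certificate
    outcome: Optional[str] = None                 # reuse, resale or recycling

ORIGIN = "Your building"                          # every chain must start here
VALID_OUTCOMES = {"reuse", "resale", "recycling"}

def audit(trail: AssetTrail) -> list:
    """Return the gaps found for one device; an empty list means the trail holds."""
    gaps = []
    if not trail.custody:
        gaps.append("no chain of custody")
    else:
        if trail.custody[0].released_by != ORIGIN:
            gaps.append("chain does not start at your building")
        for prev, nxt in zip(trail.custody, trail.custody[1:]):
            if prev.received_by != nxt.released_by:  # device changed hands off the record
                gaps.append(f"custody break between {prev.received_by} and {nxt.released_by}")
    if trail.certificate_id is None:
        gaps.append("no erasure or destruction certificate")
    if trail.outcome not in VALID_OUTCOMES:
        gaps.append("no recorded final outcome")
    return gaps

def audit_register(trails: list) -> dict:
    """Map each serial to its gaps, so the question 'what happened to that machine?' has an answer."""
    return {t.serial: audit(t) for t in trails}

# Constructed sample register: one clean trail and one that went through a broker.
SAMPLE = [
    AssetTrail("SN-0001", "Lenovo", [Handover(ORIGIN, "ITAD partner", "2026-05-02")],
               certificate_id="CERT-0001", outcome="resale"),
    AssetTrail("SN-0002", "Dell", [Handover(ORIGIN, "Broker", "2026-05-02"),
                                   Handover("Processor", "Recycler", "2026-05-09")],
               outcome="recycling"),
]
```

Running `audit_register(SAMPLE)` flags the second device twice: the broker handed it to someone who never appears as the releasing party of the next record, and no erasure certificate exists, which is exactly the kind of gap a short, single-partner chain avoids.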

The takeaway

ITAD compliance comes down to one idea: you stay responsible for your data until it is provably gone. The way to meet that is not to worry harder, it is to build a simple trail. List the devices, keep a certificate for each, hold an unbroken chain of custody, and work with a certified partner who gives you the evidence. Do that, and an audit becomes a quick conversation instead of a scramble.

If you want your disposal process to be audit-ready, talk to our team and we will show you exactly what your trail would look like.


Written by

Kasper Horn Nielsen

Co-founder & Managing Director, Scandic IT

Kasper leads Scandic IT and has worked in the IT asset industry since the mid-2000s. He writes about data security, compliance and how to get more value out of company hardware.
