
What Is a Data-Bearing Device?

Data-bearing devices defined with examples, why they need tracking right through disposal, and the wiping or destruction steps required before they leave.

AMPthilly Updated

A data-bearing device is any asset that stores data, such as a laptop, phone, drive, or copier, and so needs secure wiping or destruction at disposal.

A data-bearing device is any piece of equipment that stores data - a laptop, phone, server, drive, or office copier - and therefore needs secure wiping or physical destruction before it is sold, donated, returned, or recycled. The category exists because disposal is where data protection most often fails: an asset can leave the building as harmless e-waste while customer records, credentials, and company files are still perfectly readable on it.

What counts as a data-bearing device

The obvious members are laptops, desktops, smartphones, tablets, servers, and loose storage: hard drives, SSDs, USB sticks, memory cards, and backup tapes. The ones that catch organisations out are less obvious:

  • Printers and copiers - most office multifunction devices have an internal drive that retains scanned and printed documents.
  • Networking equipment - routers, switches, and firewalls hold configurations, credentials, and VPN keys.
  • Desk phones and meeting-room kit - call logs, directories, and stored account sign-ins.
  • Smart screens and TVs - paired accounts and saved Wi-Fi credentials, unlike plain monitors, which generally store nothing.
  • Drives left inside other equipment - the classic failure is a desktop sent for recycling with its drive still fitted.

A useful habit is to flag the device class, not the individual item: every laptop is data-bearing, every cable is not, and edge cases get checked once rather than argued at every disposal.

Why the label matters

Marking an asset as data-bearing changes its disposal path. Non-data equipment can go straight to a recycler under normal e-waste rules. Data-bearing equipment must first be sanitised - and the organisation must be able to show it was. Under the WEEE Directive the recycling obligation is the same either way; the data obligation is extra, and it sits with you, not the recycler.

Disposal: wipe, destroy, and prove it

Three approaches put data beyond recovery: a full software overwrite of the drive, cryptographic erasure where the device encrypts by default, or physical destruction of the media (shredding, or degaussing for magnetic drives). Deleting files or doing a factory reset on its own does not reliably achieve any of these.

Whichever route is used, record it at the serial-number level and keep the paperwork - a certificate of destruction from the vendor listing each drive or device destroyed. “We sent a pallet to the recycler” is not evidence; “serial 5CD123 was shredded on this date by this vendor” is.

Tracking data-bearing devices through their lifecycle

You cannot wipe what you cannot find, so the work starts long before disposal: every data-bearing device goes in the register at purchase, and a regular physical inventory count surfaces the drawer of old phones and the cupboard of retired laptops before they wander off. At end of life, the asset record should show who held the device last, when it was sanitised, and where the destruction evidence lives. In AMPthilly, that means retiring the asset with its wipe or destruction certificate attached to the record, where the audit trail keeps the full chain of custody permanently.
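One way to run the end-of-life check described above, as an added example that is not AMPthilly's code: it reconciles retired data-bearing assets against the serials on a certificate of destruction and lists what is missing from each record. The field names, class list, method names, and every record except the serial 5CD123 quoted earlier are constructed for illustration.

```python
# Added example: field names, class list and all records are constructed.
from dataclasses import dataclass

# Flag the device class, not the item (assumed class list for this example).
DATA_BEARING_CLASSES = {"laptop", "desktop", "phone", "server", "drive", "copier", "router"}
# The three routes the page accepts; a factory reset or file deletion is not one.
ACCEPTED_METHODS = {"overwrite", "crypto-erase", "physical-destruction"}

@dataclass
class Asset:
    serial: str
    device_class: str
    status: str                 # "in-use" or "retired"
    last_holder: str = ""
    method: str = ""
    sanitised_on: str = ""      # ISO date string
    evidence_ref: str = ""      # where the certificate lives

def disposal_gaps(register, certificate_serials):
    """Return {serial: [problems]} for retired data-bearing assets lacking proof."""
    cert = {s.strip().upper() for s in certificate_serials}
    gaps = {}
    for a in register:
        if a.status != "retired" or a.device_class not in DATA_BEARING_CLASSES:
            continue
        problems = []
        if not a.last_holder:
            problems.append("no last holder recorded")
        if a.method not in ACCEPTED_METHODS:
            problems.append(f"method {a.method or 'missing'!r} is not an accepted sanitisation route")
        if not a.sanitised_on:
            problems.append("no sanitisation date")
        if not a.evidence_ref:
            problems.append("no evidence location")
        if a.serial.strip().upper() not in cert:
            problems.append("serial not listed on any certificate")
        if problems:
            gaps[a.serial] = problems
    return gaps

REGISTER = [  # constructed sample records
    Asset("5CD123", "laptop", "retired", "j.smith", "physical-destruction", "2024-03-01", "certs/0001.pdf"),
    Asset("PH-0042", "phone", "retired", "a.jones", "factory-reset", "2024-03-01", ""),
    Asset("DT-0007", "desktop", "retired", "", "overwrite", "2024-03-02", "certs/0001.pdf"),
    Asset("CBL-900", "cable", "retired"),
    Asset("SRV-01", "server", "in-use", "ops"),
]
CERTIFICATE_SERIALS = ["5cd123 ", "PH-0042"]  # constructed vendor certificate line items

if __name__ == "__main__":
    for serial, problems in disposal_gaps(REGISTER, CERTIFICATE_SERIALS).items():
        print(serial, "->", "; ".join(problems))
```

Serials are normalised before comparison because vendor certificates often differ from the register in case and whitespace, and a missed match would otherwise read as a missing certificate.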
