If you’re planning an office clean-out in the UK.

Old laptops, desktops, drives, network kits, this is the one part people keep getting wrong:

IT asset disposal is a cyber-security event, not a recycling job.

And the timing matters.

On Monday, 5 January 2026, the UK’s National Cyber Security Centre (NCSC) is launching a new “Sanitisation Service Assurance” approach delivered by Cyber Resilience Test Facilities (CRTF).

In simple words: the bar is being raised for how organisations prove data has been properly sanitised when tech leaves their control. (NCSC)

This isn’t just “government stuff.” It’s a signal of where expectations are heading for everyone, especially businesses handling client data, employee data, finance docs, emails, or anything sensitive.

The uncomfortable truth: “we reset it” is not evidence

A factory reset feels like closing the chapter. But it’s not a paper trail, and it’s not always a reliable wipe.

The ICO’s own public guidance is blunt: a quick format or factory reset is typically “deleting” data, not necessarily making it unrecoverable in all situations. (ICO)

And the risk isn’t theoretical. Research that’s often cited in the industry found 42% of second-hand drives examined still contained sensitive data (including some with personally identifiable info). (Blancco)

Also telling: the ICO reported in late 2024 that 29% of UK adults don’t know how to wipe personal info from an old device and that’s consumers. In business, the damage is bigger. (ICO)

What does this mean for businesses in the UK?

If a device leaves your building, you need to answer three questions quickly, supported by clear documentation.

1) Can you prove what you handed over?

At minimum you want a collection record that shows what went, when, and from where (ideally with identifiers/serials).

2) Can you prove what happened to the data?

You want device-level sanitisation evidence (not one generic “certificate” for a van load). The NCSC guidance for erasing devices exists for a reason: organisations need confidence that content (and sometimes malware) is thoroughly wiped. (NCSC)

3) Can you prove the downstream outcome?

If it’s re-used/refurbished, that’s often better for sustainability but only if the data piece is closed properly. If it’s recycled, you want it handled under proper WEEE/duty-of-care expectations. (GOV.UK)

That’s why, at PYCO RENEW LTD, we do not “reset and hope”; every device is logged, sanitised with Blancco (NIST 800-88 Clear), and provide audit-ready documentation, backed by our active ICO registration and Waste Carrier Licence as part of IT asset recovery and disposal operations.

A simple, high-control process (that doesn’t waste your time)

If you’re busy, this is the shortest path that still protects you:

1. Make a rough asset list (even just counts by type)
2. Separate the “high sensitivity” pile (finance machines, HR devices, shared PCs, anything used for client work)
3. Choose the outcome (reuse/redeploy, resale, recycle, or physical destruction for certain drives)
4. Demand two outputs:
   • Collection note (what left your site)
   • Sanitisation report (what happened to the data)

That’s it. Those two documents are the difference between “we think it’s fine” and “we can prove it’s fine.”

Why the NCSC change is your early warning

Most organisations only take disposal seriously after something embarrassing happens, like a drive showing up somewhere it shouldn’t.

The NCSC’s move to launch a new sanitisation assurance approach on 5 January 2026 is basically the government saying: expect more structure, more evaluation, more assurance. (NCSC)

Even if you never touch government work, the direction is clear: buyers will increasingly ask for stronger proof especially in regulated sectors, public sector supply chains, education, healthcare, finance, and any business that stores customer data.

If you have a cupboard of old IT right now:

• Stop storing it loosely. Put it in one locked place.
• Don’t donate it casually. Donation without proof is where problems start.
• Pick one disposal day. Ad-hoc disposal creates record gaps.
• Ask for reports upfront. If they hesitate, move on.

PYCO RENEW LTD helps UK organisations manage IT asset disposal and IT asset recovery with secure collection, sanitisation evidence, and documented outcomes so businesses can clear out old tech without leaving a data trail behind.