2026 State of Data Sanitization Report

Confidence in data sanitization is high—but the reality is more complicated.

Organizations report high levels of assurance in their data sanitization practices, yet their actions suggest a different story.

Based on responses from 1,460 IT, compliance, and sustainability leaders across regulated organizations worldwide, this report examines how organizations are managing data at the end of the asset lifecycle—and where gaps between data security confidence and operational reality remain.

At these stages, IT leaders face competing pressures. Not only do they need to protect sensitive data from getting into the wrong hands, but they must also meet regulatory requirements for data privacy and reporting, manage expectations around e-waste and environmental sustainability, and respond to the ways technology trends impact data volumes and business costs.

Organizations typically navigate these pressures through various forms of data sanitization, the process of making data unrecoverable from storage media. Done correctly, sanitization prevents previously stored data from being accessed from used devices. Depending on the method of sanitization, assets can often be redeployed for additional use.

The good news is, when it comes to removing data from decommissioned assets, many respondents are confident in their sanitization practices. But as organizations use AI to process, gather, and create more data, and as threats become more sophisticated, confidence alone is not enough.

The findings in this report suggest that while organizations believe their processes are effective, their behaviors—ranging from inconsistent sanitization practices to the continued destruction of functional hardware—indicate the presence of real underlying risk as well as uncertainty about whether data has truly been removed.

Perhaps unsurprisingly then, 41% of respondents reported that data privacy and protection regulations were the number one driver behind end-of-life data management changes.

Beyond regulation, changes in data storage technologies, cloud migration, sustainability, and vendor risks are also influencing this stage of data management.

Even while adopting new data management processes, 94% of organizations reported being moderately, very, or extremely confident that their practices render drives and devices free of data before disposal.

There is, however, a conflicting story.

Organizations continue to use inconsistent data sanitization methods at the end of the device lifecycle. Many incorporate approaches that do not produce complete data removal or that do not verify that data has been destroyed. This means some of that confidence may be misplaced.

At the same time, data security anxiety is driving many organizations to physically destroy valuable, still-functional data storage devices—despite a desire to operate more sustainably and a need to manage changing hardware costs.

These behaviors point to a shared issue: uncertainty about whether data has truly been removed and rendered irrecoverable.

There’s good reason for that uncertainty. Poor end-of-life data management can result in data leaks—an unintentional exposure of sensitive information through human error or misconfiguration.

More than a third (38%) of organizations report experiencing a data leak in the past year. While 46% cited improper network configurations, a significant number are linked to data storage assets changing hands.

Notably, 32% of the respondents who experienced a leak attributed it to redeployed drives or devices retaining sensitive data. This suggests that confidence in device decommissioning processes isn’t always translating into effective data protection.

New requirements related to artificial intelligence are also beginning to layer on top of existing data protection obligations, adding further complexity to an already demanding regulatory environment.

As a result, nearly 60% of organizations increased spending related to data privacy and protection compliance compared to the previous year. In some countries, including within the U.K. (74%), U.S. (70%), and Singapore (70%), the percentage is even higher.

On average, organizations reported spending 40% more than in 2024. This is consistent with last year’s report, indicating year-on-year growth in investment.

Regulatory exposure is increasingly multi-layered. Based on a representative set of major data privacy and protection regulations included in this study, organizations are managing multiple overlapping obligations across jurisdictions and industries, rather than a single dominant requirement. This increases operational complexity and raises the stakes for consistent, auditable execution across the data lifecycle.

This is where industry data sanitization standards play a critical role. Standards such as NIST SP 800-88 and IEEE 2883 provide guidance on how to securely and irreversibly remove data from devices.

As technology changes, staying up to date enables organizations to make sure they’re matching the most effective methods to data sensitivity and device types, tying their decommissioning confidence to accepted best practices.

While adoption of newer standards is increasing, legacy approaches remain common. Continued use of older frameworks and destruction-first methodologies suggests that organizations are balancing modern practices with familiar approaches.

While more organizations report malicious data breaches (58%), data leaks—unintentional exposures caused by human error or misconfiguration—remain a significant and persistent risk. Most leaks (46%) are attributed to improper network configurations. However, a substantial proportion are linked to data-bearing assets changing hands.

Notably, 32% of organizations that experienced a leak attribute it to redeployed drives or devices retaining sensitive data. This highlights a critical gap: data is not always fully removed before assets are reused.

Additional leaks are linked to lost (42%) and stolen (25%) devices, which may occur during everyday use or throughout the decommissioning process.

Regional differences are also evident. Redeployment-related leaks are more common in the U.S. (40%) and Australia (41%), and highest in Singapore (45%).

Many of these incidents are preventable. They point to weaknesses in how organizations manage data at the end of the asset lifecycle—particularly when assets leave controlled environments without verified data sanitization.

This ensures data is irreversibly removed and erasure is verified before assets are transported, stored, or redeployed.

However, averaging across all device types, less than a third of organizations have this practice in place.

Other common approaches, such as devices being disconnected from the network, stored locally, and then sent for final dispositioning (36% for laptops and desktop PCs), introduce vulnerability gaps. During this time, data-bearing devices may be lost, stolen, or otherwise leave organizational control before data has been securely removed.

Data destruction can occur later in the process, but not all practices provide the security that regulated enterprises need.

Organizations often use multiple methods across different devices or scenarios. While this may reflect differences in device type or perceived sensitivity, it introduces inconsistency—making it more difficult to ensure that data is fully removed across the enterprise.

This inconsistency helps explain why data leaks persist, even as organizations report high levels of confidence in their data sanitization practices.

There’s also an organizational component. While 89% of organizations report having asset sanitization policies in place, only 61% say those policies are implemented and communicated across the business.

This gap between policy and practice increases the likelihood that data is not handled uniformly as assets move through the lifecycle.

While many credit AI for improving data governance practices such as data classification and defining retention policies, there’s no question that AI adoption is increasing the volume of data organizations generate, process, and store.

That’s also placing additional pressure on device lifecycles.

At the same time, the external environment is shifting. Increased demand for memory and storage is contributing to rising costs for devices and drives. This makes it more difficult for organizations to plan hardware replacement—particularly if devices are being destroyed prematurely to mitigate perceived data risk.

This is leading many risk-averse organizations to destroy more devices than they need to.

However, this approach comes with its own cost.

In many cases, devices are still fully functional at the time of destruction. This applies to 43% of mobile devices, 35% of laptops and desktop PCs, and 44% of data center assets.

While destruction can reduce the risk of data recovery, it is not without limitations. Without rigorous oversight, factors such as chain of custody, tracking, and method effectiveness can introduce residual risk.

Cost and supply dynamics are also making asset refreshes more difficult to plan. With Gartner predicting a combined 130% surge in memory and SSD drive prices by the end of 2026, organizations will need to balance the perceived security benefits of destruction against opportunity costs created by increasing financial and operational pressures.

Functional devices slated for destruction often can be redeployed internally, cascading to other use cases, departments, or personnel that can still excel with less than top-of-the-line technology. This extends device life and value, but only if concerns over data security are sufficiently satisfied.

However, sustainability is often outweighed by security and compliance concerns as well as a need for operational efficiency.

In the U.K., sustainability was a bigger priority, with 48% of organizations factoring it into their decisions.

When asked about barriers to advancing sustainability goals, 56% of organizations cite concerns around data security. This rises to 64% in the U.S. and 63% in Japan.

Legacy systems also play a role, with 53% of organizations reporting that they lack the technology to safely sanitize devices without destruction.

At the same time, only 37% cite lack of senior decision-maker support as a barrier—suggesting that change is not being blocked at the leadership level.

There is also a substantial secondary market within the enterprise space: 51% of respondents that purchased refurbished devices did so to support their organization’s sustainability or ESG goals. Another 48% cited cost savings or affordability as a primary reason for purchasing used IT assets.

This points to an opportunity. Organizations are willing to improve sustainability outcomes but require greater confidence in their data sanitization processes to do so.

Have Questions About Ensuring Data Security and Compliance for Decommissioned Assets?

We’ll be more than happy to share our insights and answer your questions.

Contact Us