How Regulations, AI, and ESG are Changing Enterprise Data Disposition
But what gets less airtime—yet is just as crucial—is how you say goodbye to data. Since the introduction of GDPR in 2018, and similar data protection regulations around the world, there’s been a stronger focus on data minimization, deletion, and erasure—and for good reason. Beyond the need to stay compliant with regulation, why keep data hanging around if it’s just going to turn into a liability, leak risk, or cost center?
Meanwhile, the compliance beast keeps growing. Every year brings new privacy and data protection rules, particularly for businesses that operate in more than one country. Add AI breakthroughs, economic jitters, and new storage technology into the mix, and suddenly, the end of your data’s lifecycle demands a closer look at how you handle its final disposition.
Let’s not forget e-waste. New sustainability mandates and ESG reporting requirements loom large, spurring IT leaders to rethink how they retire both data and the energy-hungry, raw materials-dependent hardware it lives on. Voluminous data collection and processing requires us to question how businesses manage growing data storage needs in light of escalating CO2 generation.
Based on the responses of 2,000 IT and sustainability leaders from around the globe, this report unpacks how some of the world’s largest organizations are navigating these pressures. From regularly scrubbing terabytes at end-of-life each year to hitting regulatory and environmental targets, they’re showing that secure data disposition isn’t just a box to check—it’s a key part of any business’s compliance, AI adoption, and security strategy.
Globally, 144 countries now enforce data privacy and protection laws, many with serious implications for end-of-life (EOL) data management and real financial teeth for noncompliance. Adding to this fragmented picture, 20 U.S. states have rolled out their own comprehensive privacy laws in the absence of a unified, federal approach. It’s no surprise, then, that regulatory changes had the most notable impact on businesses’ data disposition behavior.
Although changes in data regulations beat out sustainability, IoT, tech changes, and changes in data sanitization standards overall, they were felt less keenly in France, Japan, and Australia, and more keenly in the US, UK, Singapore, and India. Sustainability is the second biggest factor, most notably in the UK.
2024 also brought a wave of hardware churn: The looming end of Windows 10 support has nudged many to refresh aging devices in favor of more secure, Windows 11-ready hardware.
AI and IoT have joined forces, driving smarter data collection and, inevitably, even more data to manage. Generative AI—turbocharged by ChatGPT’s 2022 debut—has become the obsession of boardrooms and IT teams alike. That interest sparked enterprise-wide adoption and pushed upgrades across infrastructure, data centers, and employee devices. With AI collecting more data, legislative bodies from the EU to Cameroon have added AI-specific acts. As businesses embrace AI, they’ll also face additional data regulation requirements.
Most organizations also want to be as sustainable as they can when getting rid of data or retiring data storage assets. Those who aren’t yet? They’re getting there. This isn’t only driven by altruism, however—tighter ESG reporting rules are designed to drive improvements while sniffing out greenwashing. In this environment, sustainability leaders can find allies within IT to reduce e-waste and emissions, even as AI’s appetite for compute power grows.
International standards organizations are also approaching storage innovation with an eye on sustainability. This year brought updated guidance in ISO/IEC 27040:2024—a global security standard that builds on the IEEE Standard for Sanitizing Storage (IEEE 2883) released in 2022. Together, they promote smarter, more secure sanitization practices that reduce our overreliance on rampant hardware destruction.
Data sanitization is chiefly about one thing: Securing end-of-life data so that it never falls into the wrong hands. Here’s how organizations are doing.
But what happens when sensitive data simply walks out on its own? Globally, within the last three years, 73% of enterprises experienced a data leak. These leaks are typically accidental, caused by mistakes in internal teams or processes, rather than the result of a dramatic attack.
Respondents whose organizations had experienced data breaches or leaks cited phishing attacks as the most prevalent cause (54%). Yet improper network configuration, typically a passive event leading to accidental data exposure, was involved 46% of the time. That’s more than stolen devices (41%), stolen credentials (36%), or ransomware (32%).
In active data environments, both malicious and unintended data exposure are worsened if too much data is available. Data minimization, retention, and destruction policies are critical tools for controlling a sprawling data surface vulnerable to attack or spillage. Yet, on average, our survey showed that less than 21% of data is classified at all. This makes it difficult to properly assign timely data destruction policies to stored data.
And, for end-of-life data storage, there’s still work to be done. For 17% of the respondents, data compromise was caused by redeployed devices or drives that still had sensitive data from prior use.
For C-level executives and other IT leaders responsible for protecting organizational and customer data, responsible, verified data destruction must be part of IT policy and regularly executed processes.
Whether in active networks or on decommissioned drives or devices, getting rid of unnecessary data prevents its theft, loss, and compromise.
Productive AI learning depends on high-quality data—and enough of it to produce meaningful insights. It also demands hardware that can keep up. Even third-party platforms like Copilot often come with minimum device specifications, prompting widespread infrastructure upgrades.
While the energy demands of AI are well known, they’re only part of the problem. One controversial stat claims that every chatbot query for a 100-word response uses half a liter of water. According to a study in Nature, AI could account for up to 5 million metric tons of e-waste by 2030.
While attention often falls on data center strain, the bigger lift for most enterprises is at the endpoint level, where AI-integrated tools like Gemini and Copilot are driving the need for faster, smarter employee devices.
But AI’s impact doesn’t stop at hardware. It also changes the game for data retention and sanitization.
Enterprises must now ensure that the data fueling AI is not only accurate but also privacy compliant, and that end-of-life data is fully sanitized to avoid risk.
This is not a one-way street. AI is having a mixed effect on managing data.
When we asked organizations how AI had affected their policies:
The takeaway? AI is already altering data management dynamics, but the picture isn’t fully formed. As adoption matures, monitoring AI’s compliance and ROT footprint will be essential.
Globally, 58% of enterprises increased spending on data privacy and protection compliance in the past year—by an average of 46%. In North America, that number jumps to 71%. From tightening U.S. privacy laws to global AI oversight, regulatory pressure is growing—and it’s hitting budgets hard.
But it’s not just regulation. Sustainability targets, IoT expansion, cloud migration, and new storage tech are all reshaping end-of-life data strategies. That’s a lot to keep up with.
There’s no single trigger. For most, it’s the accumulation of factors: new rules, new technologies, and mounting expectations around responsible data and hardware disposal. Regulations may lead the charge, but IT and compliance teams also face internal demands for sustainability alignment and smarter asset use.
When it comes to frameworks, most enterprises are juggling a mix: Local data protection laws, cybersecurity guidelines, ESG reporting mandates, and technical sanitization standards. And that patchwork can get messy, especially for multinationals.
IT, security, and compliance leaders need to know what data can be stored and for how long, how it needs to be kept safe, and how both the data and the assets that store it should be disposed of when the data is no longer needed or must be deleted.
Most organizations comply with local rules first—like the U.K. GDPR, CCPA, or Singapore’s PDPA—with some also subject to broader frameworks like the EU GDPR. In the U.S., state-level fragmentation continues, with 20 states introducing their own laws in the absence of federal clarity, all while 15% of U.S. businesses are required to comply with EU GDPR rules.
We should note that a tiny number—fewer than 0.5% of respondents—said that they were compliant with no regulation at all. In the U.K., for instance, 31% said they had to comply with U.K. GDPR, 28% comply with EU GDPR, and 30% with the U.K. Data Protection Act, meaning most businesses comply with some form of data protection.
While there is usually no legal requirement to follow specific cybersecurity and data sanitization technical standards, organizations often embed their use in policy. These standards represent best practices that can help keep businesses safe from data breaches and data leaks.
At first glance, it appears that adherence to leading sanitization standards remains low. However, this isn’t necessarily due to negligence. It’s more likely a lag in updating internal policies to reflect newer standards, especially as IT teams juggle broader transformations.
With its focus on newer technologies, we expect IEEE 2883 adoption will gradually increase as it becomes more ingrained in data and asset lifecycle management processes.
As ESG moves up the boardroom agenda, mandatory sustainability reporting is also on the rise.
These rules don’t mandate specific actions. Instead, they demand transparency. But in doing so, they put e-waste, emissions, and end-of-life practices under a very public microscope.
Compliance is no longer a check-the-box activity. It’s a strategic, resource-intensive commitment that touches every corner of the enterprise, especially when it comes to how you retire data and devices.
If your data sanitization policies haven’t been updated to reflect frameworks like IEEE 2883 or the realities of AI-era data proliferation, now’s the time. The cost of outdated practices isn’t just regulatory—it’s reputational, financial, and environmental.
But that comfort comes at a cost. It’s not cheap. It’s not green. And in nearly half of cases, it’s also completely avoidable.
Across smartphones, laptops, and data center drives, our survey shows that up to half of all end-of-life assets are destroyed.
What’s worse? A significant share of these devices—up to 47% for data center assets—were still operational at the time of destruction.
That’s wasted value, wasted resources, and wasted ESG potential.
Destroying functional devices costs large enterprises over $1 million every three years. Add another $1.1 million in lost resale value, and you’re looking at serious waste in both budget and environmental impact. Of course, not every item will sell for full market value, but the message is clear: enterprises aren’t getting the most out of their IT investments.
Security concerns are valid, but the truth is, secure reuse is not only possible—it’s often preferable.
Certified data erasure offers the same level of data protection as destruction, but does so earlier and at multiple points in the device lifecycle. This software-based sanitization method has the added benefits of:
There is more than one way to destroy data on end-of-life hardware—some more effective and sustainable than others.
According to the International Data Sanitization Consortium, data sanitization “is the process of deliberately, permanently and irreversibly removing or destroying the data stored on a memory device to make it unrecoverable,” and includes physical destruction, cryptographic erasure, and data erasure. True software-based data sanitization includes both verification and certification.
Smart devices are the outlier here, with most being factory reset rather than destroyed. This relatively simple procedure means that only 34% of devices are destroyed, far lower than laptops and data center assets. However, factory reset processes are often manual, limiting efficiency, erasure verification, and auditability. Without specialized software, there’s no proof that all data has been eliminated from any device, or that the reset function worked completely.
While the majority of devices and drives are sanitized through certified erasure or physical destruction, 25% of laptops and 19% of data center drives are refurbished without certified erasure.
That gap in best practice is a potential data breach waiting to happen.
Certified erasure is the only way an organization can be sure that a device is ready for reuse and has an audit trail to prove it—often necessary for compliance purposes.
New data sanitization standards, namely IEEE 2883-2022, take a hard look at the security of device reuse and physical destruction.
Taking into account both new data density capabilities and the effectiveness of software-based sanitization methods, IEEE 2883 has deprecated shredding, pulverizing, and crushing as means of data sanitization while encouraging reuse-enabling techniques that provide verifiable proof of data destruction.
In ESG terms, though, every unnecessarily destroyed device is a liability. Regulatory frameworks like CSRD are asking tough questions about emissions and e-waste. Physical destruction without justification is getting harder to defend—both ethically and financially.
The good news is, enterprises don’t need to choose between security and reuse. Certified erasure offers both—and it’s increasingly recognized by standards like IEEE 2883.
For CISOs and sustainability leaders alike, this is low-hanging fruit to reduce e-waste, avoid unnecessary hardware spend, and close off an overlooked leak vector in enterprise IT.
There are several possible triggers for data destruction. There are compliance reasons, such as disposing of data when it is requested or at the end of its allowed retention period. But enterprises shouldn’t only rely on these. They should also remove data when it is no longer needed, or has become ROT (redundant, obsolete, or trivial). We asked enterprises for all of the reasons that trigger data destruction.
Enterprises are being proactive about their data sanitization. The most common trigger for data destruction is data becoming ROT, with retention periods and the usefulness of data also serving as triggers. These are similar concepts, but ROT is the “gold standard.” It means reducing held data to only what is required. This limits an enterprise’s exposure in the case of a data breach or leak and will also help it stay compliant.
This also suggests that more businesses are compliant with regulation than our results show. That is, they are following the right processes, but perhaps do not do so with reference to the right regulation. By linking these processes to regulation and security frameworks, enterprises can be sure that they are using best practice.
There is room for improvement, however, as only just over half of respondents say they destroy data once it becomes ROT data. As discussed above, around a quarter of devices are being repurposed without certified erasure. Both findings show vulnerabilities in end-of-life data management, unnecessarily leaving data subject to leak or breach.
When asked what triggers a non-scheduled check of data, cyber incidents or breaches are the most common, as we might expect. New regulations and policy checks are less common, but again, that may be expected given these are predictable events that can be prepared for—and perhaps unnecessary for those enterprises that are already removing ROT data.
Almost half of respondents point to data spillage as a trigger, again reinforcing the idea that data leaks are an underreported phenomenon, but it does show that enterprises are at least reacting to the problem.
The upside? Senior leaders are paying attention. C-level involvement at every stage signals that end-of-life data decisions are being treated as strategically vital, not simply handed off. Consistent IT participation also suggests organizations are well-positioned to select and deploy solutions that work with, not against, their existing tech stack.
That said, shared responsibility doesn’t guarantee seamless execution. Multiple stakeholders can lead to gaps unless underpinned by strong, well-communicated policies.
Encouragingly, over half of enterprises report having a policy in place, and another 42% are nearly there. Once those are formalized, 96% of respondents will have a policy in motion. The last 4%? They’re working on it. No one is ignoring the need.
But here’s the rub: Policies can’t be “set and forget.” They must evolve alongside the standards that shape them.
While allowing that some might have been unclear on the differences between NIST SP 800-53, “Security and Privacy Controls” and NIST SP 800-88, “Media Sanitization Guidelines,” it’s troubling that only 37% of the IT and ESG leaders surveyed were aware of the latter, which has grown to be the most globally accepted standard on end-of-life asset sanitization since it was last revised in 2014.
Interestingly, nearly the same percentage (36%) were aware of IEEE 2883, just published in 2022. This standard builds upon the principles of NIST 800-88 but addresses more recent technologies and is especially relevant as organizations upgrade their hardware to accommodate AI and IoT processing. It’s also now further complemented by ISO 27040, the data storage security standard from the International Organization for Standardization.
Without alignment to these guidance documents, even well-intentioned policies can fall short and default to outdated practices. That’s a problem for data security and ESG alike.
For enterprises serious about security, sustainability, and accountability, it’s time to bring end-of-life data standards into sharper focus.
E-waste is growing fast—and it’s not going unnoticed. In 2022 alone, 62 million metric tons of electronic waste were generated globally, an 82% increase from 2010. Governments are responding: The EU is advancing CSRD reporting requirements, and Australia has introduced mandatory sustainability disclosures for financial markets.
90% of respondents said that sustainability had at least a moderate impact on data disposal.
The message is clear: sustainability is now a core consideration in data disposal strategies. Just 2% of respondents said it had no influence on how they work.
That said, turning intent into impact requires close collaboration—particularly between IT and ESG teams. The good news? That alignment is already happening in many organizations.
Still, a reality check is needed. While policies are promising, fewer respondents feel their current sanitization practices are actually delivering on those environmental commitments.
The most common barriers weren’t philosophical. They were practical:
These are challenges, not dealbreakers—solvable with time, investment, and leadership focus. In contrast, “resistance to change” (10%) and lack of executive buy-in (8%) were only top concerns for a minority, but still signal friction for some.
IT and ESG teams generally agree they’re working well together—but not entirely.
While these numbers are broadly aligned, a gap exists, especially from the ESG side. Why? Visibility and involvement may be key factors. IT teams may underestimate the environmental impact hardware reuse and data minimization can have. More data could help. ESG teams may not feel part of the sanitization decision-making process, which seems to be the case based on buying motions.
One possible cause for concern is that, when we look at responsibilities, environmental and sustainability roles are underrepresented in end-of-life data management. Environmental Impact Officers are rarely at the table when end-of-life data decisions are made. Only 1 in 10 businesses cited them as stakeholders in sanitization planning.
If ESG leaders feel sidelined, alignment will falter. Stronger inclusion and clearer cross-functional communication can help ensure that data sanitization doesn’t just tick boxes, but actively supports sustainability mandates.
The proliferation of AI is only going to increase data acquisition, an issue already reported by some enterprises. At the same time, data protection, privacy, and ESG regulations are being introduced, revised, and used to scrutinize how enterprises are dealing with data. Ensuring good practice now makes it far easier to deal with these changes.
Here’s what smart exits look like in 2025 and the immediate future:
The bottom line? Secure, sustainable data sanitization isn’t a bolt-on activity—it has value for your organization throughout data and asset lifecycles. In 2025, your ability to confidently and cleanly say goodbye to data at the right time is just as important as how you protect it while it’s still in use.