TL;DR: Deleting files isn’t POPIA-safe. Stellenbosch SMEs need verified wipes and a CoDD to prove compliance. We provide a documented chain-of-custody, optional recovery-then-wipe, and lawful e-waste processing—so you can retire hardware without risk.

Technopark SME handing over sealed laptops and external drives for POPIA-safe disposal and certified data wipe in Stellenbosch

Stellenbosch’s Technopark and surrounding business parks run on laptops stuffed with client info, payroll, and IP. When those devices reach end-of-life, POPIA turns “old PCs” into a legal obligation. A misplaced drive or a DIY factory reset that leaves recoverable data can expose you to breach notifications, fines, and reputational harm. This guide shows a safe path: recover what you need, wipe what you don’t, log every hand-off, and finish with a Certificate of Data Destruction (CoDD).

What you’ll learn (quick wins)

How to retire laptops/drives with a documented chain-of-custody.
The difference between delete/reset vs crypto-erase/verified wipe.
How to ask vendors the right questions (and what a valid CoDD must include).
Local, practical steps for Technopark SMEs (including lithium battery handling).

Why deletion/factory reset isn’t enough

Delete ≠ destroy. Deleted files often live on in unallocated space.
Factory reset ≠ wipe. Resets can leave data remnants on SSDs/HDDs.
Drives change owners. Without logs and seals, you can’t prove custody.
POPIA accountability. You must demonstrate appropriate safeguards—paperwork counts.

Safer baseline: cryptographic erase (for self-encrypting SSDs) or a multi-pass verified wipe per your policy, recorded on the CoDD.

Identify the disposal scenarios

Standard refresh: Laptops replaced in a rolling cycle; some user data needs to be archived first.
Damage or theft recovery: Partially functional machines; drives may be removable for wipe/recovery.
Leased or client-owned devices: Proof of wipe must be provided back to the owner.
Incident response: Urgent decommissioning after compromise—priority is containment + verified destruction.

Each scenario benefits from the same backbone: intake → recovery (optional) → verified wipe/destruction → certificate → lawful materials route.

Safe steps (do this in order)

Build an asset list. For each device: model, serial, drive type (HDD/SSD/NVMe), encryption (BitLocker/FileVault), and user/department.
Define data instructions. For each asset, choose: recover (which folders), wipe, or destroy only. Get a signed authorisation (we include this in intake).
Package safely. Laptops shut down, drives in anti-static sleeves, and any loose lithium batteries with taped terminals sealed in separate bags.
Hand-over and seal. At intake we log IDs, apply seals, and note condition/accessories. You receive a copy of the chain-of-custody log.
Recover then wipe (optional). If requested, we image or extract specified data first, deliver it to your nominated secure location, then crypto-erase/verified wipe the source media.
Verification & CoDD. We document method (e.g., SED crypto-erase, NIST pattern), tool/version, verifier initials, date/time, and asset IDs. We issue a CoDD for your records.
Lawful e-waste route. Materials go via E-Waste Disposal Policy streams. Lithium cells are isolated and moved to certified partners.

These steps mirror the HowTo above so your schema remains accurate.

Do-nots (avoid these risks)

Don’t sell or donate laptops without a CoDD-backed wipe.
Don’t “quick format” or rely on a factory reset to meet POPIA.
Don’t throw lithium batteries in general waste—fire hazard and unlawful.
Don’t remove SSDs from damaged machines without anti-static protection and logging.

Time & cost in Stellenbosch (realistic expectations)

Intake & logging: same-day for small batches; next-day for larger lots.
Turnaround: verified wipes typically 24–72 hours depending on capacity/condition; recovery adds time.
Pricing: pay for scope (recovery vs wipe vs destruction), not vague “handling.” Labour is transparent on Standard Fees; media-specific tasks and volumes are quoted per batch.

What makes a CoDD audit-ready?

Asset identifiers (serials/UUIDs/drive IDs).
Method used (crypto-erase vs pattern wipe) + tool/version.
Verifier and date/time stamps.
Disposition (re-use, recycle, or destroy).
Reference to your purchase order/ticket for traceability.

If any of these are missing, you’ll struggle to prove compliance during an audit.

Chain-of-custody: how we minimise risk

Documented intake: IDs, condition notes, seals, and signatures.
Minimal access: technicians act under your written data instructions; no browsing of content beyond the authorised task.
Sealed containers & staging: clear separation between “awaiting wipe,” “wiping,” and “verified” zones.
Proof: a CoDD per batch, plus access to logs if you need them for an audit or client report.

When to stop DIY and call us

Swollen/damaged batteries or devices that heat up—fire risk.
Encrypted drives you can’t unlock (BitLocker/FileVault) but still need data.
Incident response after compromise—containment and verified destruction.
Leased or client-owned assets where paperwork is contractual.

Book help (fast)

FAQs

Q: We deleted company files—why do we still need a wipe?
A: Deletion leaves recoverable remnants. A verified wipe (or crypto-erase) and a CoDD is the defensible finish.

Q: Can you give us a single CoDD for 25 laptops?
A: Yes—batch certificate with an itemised appendix listing each asset’s identifiers and wipe method.

Q: Can you recover user folders first?
A: Absolutely. We can export specified folders, deliver them to your secure share, then wipe and certify.

Q: Do you take old batteries and chargers too?
A: Yes. We isolate lithium cells and route them via our E-Waste Disposal Policy partners.

Q: Do you sign NDAs?
A: Our Privacy (POPIA) terms already enforce minimal access and confidentiality; if your policy requires an additional NDA, we’ll sign it.

Compliance & trust

Updated on 2025-09-22.

Sealed, labelled laptops and SSDs queued for verified wipe with technician signing a chain-of-custody log in a Stellenbosch office