Destroying corporate smartphones and tablets: beyond the factory reset
At every end-of-lease or refresh moment a batch of corporate devices comes back to IT. Smartphones, tablets, sometimes wearables. The refurbisher gladly accepts them in exchange for a residual value. For most organisations that is the standard route, provided sufficient sanitisation up front. For some sectors or data classes, sanitisation is not enough and physical destruction belongs in the mix. This article puts the choice on the table.
What is on a corporate smartphone?
- Email archive via Exchange or Gmail link, with customer correspondence and internal discussions.
- Customer contacts and calendar from the organisation's directory.
- Photos taken for work: damage reports, product inventory, on-site observations.
- Authentication apps with cryptographic keys to corporate systems.
- VPN clients with persistent credentials.
- Documents and notebooks in OneNote, Notes, Dropbox.
- Cache of CRM and BI tools that hold business data locally.
- Locally scanned documents via apps such as Adobe Scan.
A corporate device often carries more sensitive data than a laptop with proper DLP policy: laptops are more often encrypted and monitored, phones tend to rely on a single device PIN and local storage.
Factory reset: what it does and does not do
The factory reset on iOS and Android performs a hardware-level wipe: the encryption key is destroyed, making the encrypted data effectively random. This is a form of cryptographic erasure (NIST 800-88 Purge):
- Works on modern devices (iOS 7+, Android 6+) where full-disk encryption is standard.
- Not reliable on older devices (Android < 6 without full disk encryption).
- Requires the device to be functional and to carry out the reset command.
- No external evidential trail; no certificate.
For most organisations a factory reset with BYOD policy, eDiscovery exclusion and MDM de-enrolment is sufficient. Data is practically inaccessible, the device can be reused, and the circle closes better from a sustainability angle than destruction.
When does factory reset fall short?
- The device is defective and cannot perform the reset. Screen broken, battery dead, bricked: no reset possible.
- Sectors with elevated requirements. Defence, certain care institutions, lawyers with professional secrecy obligations.
- Audit narrative must be provably physical. Some contracts with business customers require a destruction certificate per device.
- Pre-2015 devices without full encryption: factory reset is less reliable here.
- Risk of a refurbisher that does not sanitise. Cheap refurbishers on unknown foreign routes offer no certainty.
Physical destruction: how
A mobile E-shredder reduces a smartphone to particles of a few millimetres. The NAND chips, the battery and the housing end up in the same output. DIN 66399 E-classification:
- E-3: particles < 160 mm². Suitable for general corporate devices without special personal data.
- E-4: < 30 mm². Standard for corporate smartphones with customer data.
- E-5: < 10 mm². For legal, healthcare, financial with special data.
- E-6: < 1 mm². Defence and intelligence level.
For virtually all commercial SME use cases, E-4 is sufficient. For regulated industries, E-5.
Batteries: a separate step
A lithium battery in a shredder is a fire risk. Responsible providers remove the battery before shredding, or use a closed shredder that can suppress fire. Our process is in two steps:
- Remove the battery (manually or via automatic separator).
- Dispose of batteries separately via Stibat or a comparable collector.
- Run the housing and chips through the E-shredder.
Read also what does not belong in the paper bin for the battery route.
Refurbisher or shredder?
The trade-off:
| Aspect | Refurbisher | Shredder |
|---|---|---|
| Residual value | Yes, 50 to 200 euro per device | None |
| Sanitisation evidence | Statement from refurbisher | Destruction certificate per device |
| Sustainability | Highest (reuse) | Material recycling |
| Audit acceptance | Acceptable if supplier trustworthy | Undisputed |
| Risk | Refurbisher carelessness | None |
Hybrid: refurbisher for what is suitable, shredder for the rest
Many customers choose a hybrid approach: functional devices to the refurbisher (with a tight contract on sanitisation), defective and sector-specific devices to the shredder. That optimises residual value and risk.
For IT managed service providers handling this for clients, read our article on IT asset disposal for MSP clients.
What belongs on the certificate?
- Date, location, method (E-4 or E-5).
- Number of devices per type (smartphone, tablet, wearable).
- IMEI or serial number per device, where known.
- Operator signature.
- Destination of residue (metal and plastic recycling streams).
For general certificate requirements, see our article on the certificate of destruction.
On-site destruction of smartphones and tablets, with IMEI list.
We come by with a mobile E-shredder, destroy to DIN E-4 or E-5, and deliver a certificate with an IMEI list. Batteries disposed of separately.
Request a quoteA batch of end-of-lease devices? Email us via desnipperaar.nl with quantity and type; we schedule an on-site mobile run.