Data Erasure Standards for Mobile Devices

Secure, documented data erasure is a legal obligation for every buyback operator and ITAD provider that processes devices from consumers or enterprises. This guide covers the leading standard (NIST SP 800-88) and the leading commercial tool (Blancco), the difference between certified erasure and a factory reset, and how to generate the certificates your enterprise clients require.


Why Data Erasure Is Non-Negotiable

Every mobile device accepted in a buyback or ITAD operation contains personal data — email, contacts, banking apps, photos, corporate application credentials, and biometric data. As the operator processing that device, you are responsible for ensuring that data is irreversibly destroyed before the device leaves your possession.

This obligation exists in law across all six markets where wer.org operates:

  • United Kingdom: UK GDPR (retained from EU GDPR) and the Data Protection Act 2018 require that personal data processed under your custody be protected and destroyed securely. ICO guidance specifically addresses data destruction in asset disposal.
  • United States: No single federal data erasure law, but NIST SP 800-88 is the federal government's standard, and state breach notification laws (all 50 states) mean that failure to erase data creates significant breach liability exposure.
  • Canada: PIPEDA (and provincial equivalents) requires that personal information be destroyed using appropriate safeguards.
  • Australia: The Privacy Act 1988 (APP 11) requires entities to take reasonable steps to destroy or de-identify personal information that is no longer needed.
  • New Zealand: The Privacy Act 2020 (IPP 9 and IPP 10) requires that personal information be destroyed or made anonymous if no longer needed.
  • South Africa: POPIA (Protection of Personal Information Act) requires that personal information be destroyed or deleted as soon as its retention is no longer authorised.

NIST SP 800-88: Guidelines for Media Sanitisation

NIST Special Publication 800-88, "Guidelines for Media Sanitization" (Revision 1, 2014; Revision 2, 2023), is published by the US National Institute of Standards and Technology and is the most widely referenced data destruction standard for mobile devices. It defines three levels of sanitisation and, whichever level is used, expects the result to be verified and documented:

  • Clear: Logical techniques applied through the device's standard read/write interface, typically an overwrite with a fixed pattern or, for flash media, a reset to factory state. Protects against simple, non-invasive recovery tools but not against laboratory-level recovery.
  • Purge: Techniques that protect against laboratory-level forensic attacks. For mobile devices with NAND flash storage, cryptographic erasure (see below) is the usual Purge method, and it only counts as Purge if every block of user data was written encrypted and the key is destroyed from wherever it is held.
  • Destroy: Physical destruction of the storage media (shredding, disintegration, incineration). Used when a device cannot be sanitised because it is damaged or will not boot, or when a client requires it.

For most buyback and ITAD operations reselling devices, the target is Purge-level sanitisation, specifically cryptographic erasure, followed by a verification step and a certificate recording both.

Cryptographic Erasure: The Standard for Modern Mobile Devices

Modern smartphones (iOS devices since the iPhone 3GS; Android devices since roughly Android 6.0, when full-disk encryption became mandatory on capable devices) encrypt all user data under a key held by the hardware (Secure Enclave, TEE or secure element). Cryptographic erasure works by destroying that key. Once the key is gone, the ciphertext left in NAND cannot be decrypted with any practical amount of computation, even with forensic tools. The caveat is scope: only data written under that key is covered, so a device whose data partition was never encrypted, or storage that sits outside it such as a removable SD card, still needs an overwrite or physical destruction.

iOS: Apple's erase process ("Erase All Content and Settings", the MDM EraseDevice command, or an erase from Apple Configurator 2) discards the keys protecting user data and reprovisions the device. An MDM erase leaves a server-side log that the command was issued and acknowledged, which your certificate workflow can reference; on its own it is not a verification of the sanitisation level achieved. For high-volume ITAD operations, MDM-based erasure at scale is the standard approach.

Android: On an encrypted device, the factory reset process performs a cryptographic erase by discarding the keys protecting the user-data partition. Encryption has been mandatory on capable devices since Android 6.0 (full-disk encryption), and file-based encryption is required on devices that launched with Android 10 or later, so devices on those versions qualify. Older Android devices (pre-Android 6) may ship unencrypted; a factory reset there only removes the filesystem index, so they require an overwrite method or physical destruction.
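The following is an added example, not code from wer.org or from any erasure vendor, that models the two cases above: an encrypted device where destroying the key is the erase, and an unencrypted legacy device where a factory reset only clears the filesystem index. It also shows why verification of a cryptographic erase must check that the key is gone and not just read the raw media back, because encrypted media passes a read-back check even before erasure. The device classes, the sample personal data and the HMAC-SHA256 keystream (a stand-in for the hardware AES engine, so the example needs only the standard library) are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

BLOCK_SIZE = 32  # bytes per storage block in the model (one HMAC-SHA256 digest)


def _keystream(key: bytes, block_index: int) -> bytes:
    """Toy keystream: HMAC-SHA256(key, block index). A stand-in for the
    hardware AES engine so the example needs only the standard library."""
    return hmac.new(key, block_index.to_bytes(8, "big"), hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class EncryptedDevice:
    """Model of a modern handset: every block reaches NAND as ciphertext under
    a per-device key that lives in a key slot outside the NAND."""

    def __init__(self, serial: str):
        self.serial = serial
        self.key_slot = secrets.token_bytes(32)  # hardware key store (constructed)
        self.nand: list = []                     # ciphertext at rest

    def write(self, data: bytes) -> None:
        for i in range(0, len(data), BLOCK_SIZE):
            chunk = data[i:i + BLOCK_SIZE].ljust(BLOCK_SIZE, b"\0")
            self.nand.append(_xor(chunk, _keystream(self.key_slot, len(self.nand))))

    def read(self) -> bytes:
        if self.key_slot is None:
            raise PermissionError("key destroyed: ciphertext cannot be decrypted")
        plain = b"".join(_xor(blk, _keystream(self.key_slot, i))
                         for i, blk in enumerate(self.nand))
        return plain.rstrip(b"\0")

    def crypto_erase(self) -> None:
        """NIST SP 800-88 Purge by cryptographic erase: destroy the key and
        leave the ciphertext in NAND untouched."""
        self.key_slot = None


class LegacyDevice:
    """Model of an unencrypted pre-Android-6 handset: factory reset clears
    the filesystem index and leaves file contents in NAND."""

    def __init__(self, serial: str):
        self.serial = serial
        self.index: dict = {}  # file name -> block number
        self.nand: list = []   # plaintext at rest

    def write(self, name: str, data: bytes) -> None:
        self.index[name] = len(self.nand)
        self.nand.append(data.ljust(BLOCK_SIZE, b"\0"))

    def factory_reset(self) -> None:
        self.index.clear()  # data blocks are not overwritten


def raw_media_clean(nand: list, samples: list) -> bool:
    """Read-back check: none of the known plaintext samples appears in the
    raw media. Necessary, but not sufficient, for a cryptographic erase."""
    raw = b"".join(nand)
    return not any(s in raw for s in samples)


def verify_crypto_erase(dev: EncryptedDevice, samples: list) -> bool:
    """Verification for cryptographic erase: decryption must fail (key gone)
    AND the raw media must not yield the samples."""
    try:
        dev.read()
        return False  # key still present: nothing has been purged
    except PermissionError:
        return raw_media_clean(dev.nand, samples)


def demo() -> dict:
    # Constructed personal data, standing in for a contact and a card number.
    samples = [b"user@example.com", b"4111 1111 1111 1111"]
    modern = EncryptedDevice("SN-MODERN-001")
    modern.write(b"contact: user@example.com\ncard: 4111 1111 1111 1111\n")
    results = {
        "modern_readable_before": modern.read().startswith(b"contact: user@example.com"),
        "modern_raw_clean_before": raw_media_clean(modern.nand, samples),
        "modern_verified_before": verify_crypto_erase(modern, samples),
    }
    modern.crypto_erase()
    results["modern_verified_after"] = verify_crypto_erase(modern, samples)

    legacy = LegacyDevice("SN-LEGACY-001")
    legacy.write("contacts.db", b"contact: user@example.com")
    legacy.factory_reset()
    results["legacy_index_empty"] = not legacy.index
    results["legacy_raw_clean_after_reset"] = raw_media_clean(legacy.nand, samples)
    return results
```

Running `demo()` shows the encrypted device passing the raw-media check before anything was erased (the NAND never held plaintext), which is why the verification routine insists on a failed decryption as well; and it shows the legacy device with an empty index but the contact still sitting in NAND after its factory reset, which is the failure mode the read-back check exists to catch.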

Factory Reset Is Not the Same as Certified Erasure

This is a critical distinction. A device factory reset using the phone's built-in reset function is not the same as certified data erasure for enterprise ITAD purposes or regulatory compliance:

  • Factory reset does not generate an audit-ready certificate confirming the erasure standard used, the device identifier, and the date of erasure
  • On older Android devices, factory reset may not activate cryptographic erasure — some pre-Android 6 devices have recoverable data after factory reset using widely available forensic tools
  • Factory reset provides no confirmation of the sanitisation level achieved — there is no verification step

Enterprise ITAD clients require a Certificate of Data Destruction per device (or per lot). This certificate documents the device IMEI/serial number, the erasure standard applied, the erasure date, and a verification result. A factory reset cannot produce this. Only certified erasure tools can.

Blancco and Other Certified Erasure Tools

Blancco is the leading commercial data erasure software for mobile devices, used by enterprise ITAD providers globally. Blancco Mobile Diagnostics and Erasure performs the erasure, runs a verification pass, and issues a per-device certificate that records the outcome, the standard applied (NIST SP 800-88 among others), the device identifier and a timestamp. That record is the evidence enterprise ITAD audits ask for and the documentation GDPR accountability obligations expect you to hold.

Other tools in the market include Certus Mobile (for high-volume Android processing) and Apple Configurator 2 (for iOS at scale in ITAD environments). Apple Configurator 2 is an Apple provisioning tool rather than an erasure certification product, so when you use it the certificate record has to come from your own workflow. The right tool depends on your device mix and volume.

Erasure in the Buyback Workflow

The correct position for data erasure in the buyback workflow is immediately after intake and IMEI check, before cosmetic grading. This sequencing ensures:

  • No device proceeds through your processing pipeline without erasure having been completed
  • The erasure certificate is generated before the grading record — both link to the same device IMEI
  • Grading cannot accidentally be completed on an un-erased device that then ships to a buyer

Track erasure status as a mandatory field in your device intake system. A device that has not been erased should not be eligible for grading or listing in your platform.

What Enterprise Clients Require

Enterprise ITAD clients — businesses, public sector organisations, and regulated entities — typically require:

  • Certificate of Data Destruction per device (listing IMEI, erasure standard, date, and result)
  • Lot-level summary report for all devices in a decommission batch
  • Named sanitisation standard and level (for example NIST SP 800-88 Purge via cryptographic erase) together with the tool that performed it (Blancco or equivalent)
  • Where applicable: Proof of R2v3 certification or equivalent that includes data destruction process documentation

Operators who cannot produce these documents cannot win enterprise ITAD contracts. Build certified erasure into your workflow from the first device you process: retrofitting it later means re-processing inventory and losing the audit trail for devices already in the pipeline.
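As an added example (not wer.org platform code), here is an intake pipeline that applies the sequencing from the "Erasure in the Buyback Workflow" section, with erasure as a gate before grading rather than an optional flag, and that produces the per-device Certificate of Data Destruction fields and the lot-level summary listed above. The Luhn check on the IMEI is the standard check-digit rule; the certificate field names, the tamper-evident certificate id, the operator and lot names and the IMEIs are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
import hashlib
import json


def imei_is_valid(imei: str) -> bool:
    """Luhn check digit on a 15-digit IMEI (the intake-time IMEI check)."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    total = 0
    for pos, ch in enumerate(reversed(imei)):  # pos 0 is the check digit
        d = int(ch)
        if pos % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class ErasureRequired(Exception):
    """Grading or listing attempted on a device with no passed certificate."""


@dataclass
class DeviceRecord:
    imei: str
    model: str
    certificate: Optional[dict] = None  # Certificate of Data Destruction
    grade: Optional[str] = None

    @property
    def erased(self) -> bool:
        return self.certificate is not None and self.certificate["result"] == "PASS"


class IntakePipeline:
    """Intake -> IMEI check -> erasure -> grading -> listing."""

    def __init__(self, operator: str, lot_id: str):
        self.operator, self.lot_id, self.devices = operator, lot_id, {}

    def intake(self, imei: str, model: str) -> DeviceRecord:
        if not imei_is_valid(imei):
            raise ValueError(f"IMEI fails check digit: {imei}")
        self.devices[imei] = DeviceRecord(imei, model)
        return self.devices[imei]

    def record_erasure(self, imei: str, tool: str, standard: str,
                       verified: bool, when: Optional[datetime] = None) -> dict:
        """Attach the per-device certificate. 'standard' names the level
        actually achieved; 'verified' is the tool's post-erase verification."""
        rec = self.devices[imei]
        cert = {"lot_id": self.lot_id, "operator": self.operator, "imei": imei,
                "model": rec.model, "tool": tool, "standard": standard,
                "erased_at": (when or datetime.now(timezone.utc)).isoformat(),
                "result": "PASS" if verified else "FAIL"}
        # Tamper-evident id over the canonical JSON of the fields above
        # (a convention of this example, not something any standard mandates).
        cert["certificate_id"] = hashlib.sha256(
            json.dumps(cert, sort_keys=True).encode()).hexdigest()[:16]
        rec.certificate = cert
        return cert

    def grade(self, imei: str, grade: str) -> None:
        rec = self.devices[imei]
        if not rec.erased:  # gate: no passed certificate, no grading
            raise ErasureRequired(f"{imei}: no passed erasure certificate on file")
        rec.grade = grade

    def listable(self, imei: str) -> bool:
        rec = self.devices[imei]
        return rec.erased and rec.grade is not None

    def lot_summary(self) -> dict:
        """Lot-level report: every device accounted for as passed, failed or
        not yet erased, never only the passed ones."""
        recs = list(self.devices.values())
        return {"lot_id": self.lot_id, "operator": self.operator, "devices": len(recs),
                "erased_pass": sum(1 for r in recs if r.erased),
                "erased_fail": sum(1 for r in recs if r.certificate and not r.erased),
                "not_erased": sum(1 for r in recs if r.certificate is None),
                "standards": sorted({r.certificate["standard"] for r in recs if r.certificate})}


def demo() -> dict:
    """Constructed lot: one device erased and verified, one whose erasure failed
    verification, one never erased, and one IMEI that fails its check digit."""
    lot = IntakePipeline("Example ITAD Ltd", "LOT-0001")
    lot.intake("490154203237518", "Phone A")
    lot.intake("356915001234565", "Phone B")
    lot.intake("860000000000009", "Phone C")
    try:
        lot.intake("490154203237510", "Bad IMEI")
        bad_imei_rejected = False
    except ValueError:
        bad_imei_rejected = True
    try:
        lot.grade("490154203237518", "B")  # grading before erasure must be refused
        grade_before_erasure_blocked = False
    except ErasureRequired:
        grade_before_erasure_blocked = True
    when = datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)
    std = "NIST SP 800-88 Purge (cryptographic erase)"
    cert_a = lot.record_erasure("490154203237518", "erasure-tool (assumed)", std, True, when)
    lot.record_erasure("356915001234565", "erasure-tool (assumed)", std, False, when)
    lot.grade("490154203237518", "B")
    try:
        lot.grade("356915001234565", "A")  # a FAIL result also blocks grading
        failed_erasure_blocked = False
    except ErasureRequired:
        failed_erasure_blocked = True
    return {"bad_imei_rejected": bad_imei_rejected,
            "grade_before_erasure_blocked": grade_before_erasure_blocked,
            "failed_erasure_blocked": failed_erasure_blocked,
            "a_listable": lot.listable("490154203237518"),
            "b_listable": lot.listable("356915001234565"),
            "c_listable": lot.listable("860000000000009"),
            "cert_a": cert_a, "summary": lot.lot_summary()}
```

The point of the design is that `erased` is derived from the certificate's result rather than stored as a separate boolean: a device with a FAIL certificate is treated exactly like one with no certificate, so it can be neither graded nor listed, and the lot summary reports it as a failure instead of letting it disappear from the count.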

Certified erasure built into your buyback workflow

wer.org integrates data erasure tracking and certificate generation into the device intake workflow. Book a demo to see how it works.
