GDPR Isn’t Just About Data, It’s About Devices

Personal information is stored everywhere – at home, in the workplace and across online systems – and it is routinely copied, moved and accessed in ways that are often invisible.

Compliance efforts often prioritise people management over the mechanisms through which data is actually moved and exposed. While this focus is essential, GDPR compliance is not just about how data is handled.

It is also about how devices are managed. Every piece of personal data is accessed, processed, stored, or transmitted through a physical device. If those devices are insecure, lost, outdated, or mismanaged, even the most robust data protection policies can quickly fall apart.

Why Devices Matter as Much as Data

Laptops, tablets, mobile phones, printers, USB drives – and even damaged or retired hardware – can all store sensitive customer, staff and business information. If a device is lost, stolen, shared incorrectly, or fails unexpectedly, personal data can be exposed, potentially putting the business at risk of a GDPR breach and reputational damage.

Some risks are obvious, such as unauthorised access, improper sharing, or devices being reused without secure data removal. Others are less visible. Staff may not fully understand how much information is stored locally on devices, how long it remains there, or how data is automatically synced to cloud services and backups. This lack of visibility increases risk.

Reducing Risk Is About Control, Not Just Content

When it comes to GDPR, reducing device-related risk is less about what data is on a device and more about control of the device itself. Businesses need to know where devices are, who is using them, how they are secured and what happens to them at every stage of their lifecycle.

Maintain Accurate Device Inventories

One of the most effective steps businesses can take is maintaining a clear and accurate inventory of devices. This means knowing:

  • What devices are in use
  • Who they are assigned to
  • Where they are located
  • What access they have to systems and data

Data is rarely stored in just one place. It may exist on laptops, external drives, printers, backup systems, or personal devices used for work. Without a clear picture of the devices in circulation, it becomes impossible to respond effectively to a data incident.

Ensure Secure Disposal and Data Wiping

Deleting files or performing a factory reset is not enough to meet GDPR requirements. Personal data can often be recovered unless devices are properly wiped using certified methods.

A common misunderstanding among staff is thinking that deleting files is the same as permanently removing them. Businesses must ensure that devices are securely wiped before being reused, recycled, or disposed of, and that all staff understand the difference. Simply “deleting” data does not remove it from the device, and failing to properly wipe hardware can lead to data breaches long after the device has left active use.

Plan for Damaged or Failed Devices

Devices that are damaged, for example through water damage, physical breakage, or system failure, can still contain recoverable personal data. Staff should not assume that a device being unusable means data is unrecoverable. If these devices are discarded without proper handling, they pose the same risks as lost or stolen equipment.

Clear processes should be in place for managing damaged devices, ensuring data is either securely wiped or destroyed in line with GDPR requirements. This is an often-overlooked risk area, but one that can have serious consequences if not managed correctly.

Losing track of devices or underestimating the risks they pose is a common pitfall that, without proper care, can lead a business into compliance breaches and reputational damage. The key to staying safe is maintaining clear oversight and retaining control of every device from deployment to disposal, so that data remains protected and risks are minimised.
