ADISA certification matters because businesses that process used devices need a reliable way to manage data risk before those devices are reused, resold, recycled or disposed of. A phone, tablet or IT asset may look empty after a reset, but that does not prove that personal data has been handled properly.

This guide explains what ADISA certification is, why it matters for data erasure, and how it helps recyclers, refurbishers, ITAD providers and trade-in teams think more clearly about secure device processing. It also explains how MobiCode supports mobile data erasure workflows through MobiWIPE, MobiONE and connected device records.

For businesses handling second-hand devices, data erasure is not just an IT task. It is a customer trust issue, a compliance issue and a commercial risk issue. If a device leaves the business with personal data still present, the consequences can include complaints, contract problems, reputational damage and regulatory concern.

For that reason, businesses need more than informal wiping. They need a process that staff can follow consistently, record clearly and defend if a customer or auditor asks questions later.

What is ADISA certification?

ADISA stands for the Asset Disposal and Information Security Alliance. ADISA Certification provides data protection and quality management certifications for organisations and services involved in data sanitisation, IT asset recovery and secure disposal workflows. ADISA states that its certification work is recognised by the United Kingdom Accreditation Service, and the ICO lists ADISA ICT Asset Recovery Standard 8.0 as an approved UK GDPR certification scheme.

In practical terms, ADISA certification gives businesses a recognised framework for assessing how they protect data when they recover, sanitise, reuse, resell or dispose of IT assets.

Simple definition: ADISA certification gives organisations a recognised framework for data sanitisation and IT asset recovery, helping them show that data-bearing devices move through controlled, audited processes.

What does ADISA have to do with data erasure?

ADISA links closely to data erasure because used devices often contain personal or business data. Before a phone, tablet, laptop or other asset can be reused or resold, the organisation handling it needs to remove that data properly.

The ICO describes the ADISA ICT Asset Recovery Standard as setting data protection requirements for processors or sub-processors that provide data sanitisation services. In other words, the standard focuses on the part of the asset recovery process where organisations remove information from IT hardware so that the asset can move into secure disposal or reuse.

For mobile device businesses, the principle is straightforward: if you process devices that may contain personal data, your erasure process needs to go beyond a casual reset.

Why ADISA certification matters for recyclers and refurbishers

Recyclers and refurbishers often process devices from consumers, businesses, networks, insurers, retailers and trade-in schemes. These devices may contain personal data, business data, account information, messages, photos, documents or app data.

ADISA certification matters because it supports a more disciplined approach to data handling. It helps businesses think about:

  • how staff receive and identify devices
  • how the business controls data-bearing assets
  • how teams carry out erasure or sanitisation
  • how operators handle failed or uncertain results
  • how the business records evidence
  • how customers can gain confidence in the process

For a recycling or refurbishment business, this can make the difference between a vague “we reset the phone” process and a clearer, more defensible data erasure workflow.

ADISA certification and GDPR: what is the link?

UK GDPR requires organisations to handle personal data securely and responsibly. It does not simply ask whether a device looks clean. It asks whether the organisation has protected personal data appropriately during processing.

ADISA describes ICT Asset Recovery Standard 8.0 as tailored to UK GDPR, and the ICO lists it as an approved UK GDPR certification scheme. The ICO’s register also explains that the standard sets data protection requirements for processors and sub-processors that provide data sanitisation services.

That does not mean a business can ignore its wider GDPR responsibilities. However, ADISA certification can help organisations demonstrate that they manage the data sanitisation part of device processing within a recognised framework.

What is data sanitisation?

Data sanitisation means permanently removing or destroying data from a device or storage medium so that people cannot access the information through normal recovery routes. In commercial device processing, this may involve software erasure, verification, reporting and a separate route for failed or damaged devices.

For used phones, data sanitisation matters because handsets can contain:

  • photos and videos
  • messages and emails
  • contacts and call history
  • business documents
  • app data
  • account information
  • authentication tokens
  • location and personal records

A factory reset may form part of device preparation. However, professional businesses usually need clearer evidence than that.

Data erasure rule: Do not treat a device as resale-ready until the business can show how the data was removed, whether the result passed, and which handset record the result belongs to.

Does ADISA certification guarantee GDPR compliance?

No certification should be treated as a blanket guarantee that every part of a business is GDPR compliant. GDPR compliance depends on the organisation’s wider processes, contracts, controls, staff behaviour, records and data protection responsibilities.

However, ADISA certification can support GDPR compliance by giving organisations a recognised framework for the data sanitisation part of device processing. That matters when businesses need to show customers, partners or auditors that they take data erasure seriously.

The practical point is this: ADISA certification provides evidence of a structured approach to data sanitisation. It does not replace good data protection governance across the whole business.

Why factory reset is not the same as certified data erasure

A factory reset returns a phone to a default state and removes visible user settings and content from normal use. However, a factory reset does not provide the same business evidence as a controlled data erasure process.

A certified or auditable erasure workflow should answer questions such as:

  • which device did the team process?
  • which identifier did the business use?
  • which erasure process did staff apply?
  • did the process complete successfully?
  • who or what system recorded the result?
  • where is the evidence stored?
  • what happened if the wipe failed?

That evidence matters when devices move through resale, recycling or IT asset disposal workflows.

What should an ADISA-aware erasure workflow include?

An ADISA-aware erasure workflow should focus on control, evidence and repeatability. The exact process depends on the organisation and devices, but a strong workflow usually includes several key steps.

1) Device identity capture

The business should identify the device clearly before wiping. For mobile phones, this usually means capturing the IMEI, serial number, model and other relevant details. Without strong identity capture, the erasure record becomes less useful.

2) Controlled processing

Teams should move devices through a defined process rather than informal staff habits. This reduces inconsistency and makes it easier to show how each device was handled.

3) Data erasure or sanitisation

The erasure process should suit the device type and condition. If a handset cannot move through the normal process, the workflow should route it for review instead of treating it as a pass.

4) Verification of result

The business should know whether erasure passed, failed or could not be completed. Staff should separate failed or uncertain results from resale-ready devices.

5) Evidence and reporting

The team should store the result against the correct device record. Where customers or contracts require it, the business may also need certificates, reports or batch-level evidence.

ADISA certification and secure data erasure workflow for used devices
ADISA certification matters because data erasure needs a controlled workflow, not just a device that appears empty.

Why ADISA matters for customers and partners

Customers and partners may not want to inspect every wipe process themselves. Instead, they need confidence that the provider follows a recognised and auditable approach.

ADISA certification can help provide that confidence because it shows that the organisation treats data sanitisation as part of a wider controlled process. For recyclers, refurbishers and ITAD teams, this can support:

  • customer due diligence
  • contract discussions
  • audit requests
  • risk reviews
  • regulated-sector work
  • internal compliance reporting

In practice, this matters most where the devices come from businesses, public sector organisations, insurers, networks or other customers with formal data protection expectations.

How MobiWIPE fits into mobile data erasure

MobiCode describes MobiWIPE as an ADISA-approved mobile data erasure application for businesses processing used devices. MobiCode also states that MobiWIPE is integrated into its reporting suite and supports simultaneous erasure of multiple handsets.

For recyclers and refurbishers, the important point is not simply that a wipe button exists. The value comes from having a repeatable erasure workflow that links the wipe result to the correct device record.

How MobiCode supports data erasure workflows

MobiCode helps businesses connect mobile data erasure to the wider device processing journey.

  • Mobile data erasure: MobiWIPE supports secure erasure workflows for used mobile devices.
    See: MobiWIPE
  • Accreditation and trust: MobiCode provides information about accreditation and recognised standards.
    See: MobiCode Accreditation
  • Connected processing: MobiONE helps link checks, tests, wipe results and device records in one operational process.
    See: MobiONE
  • Device testing: MobiCode TEST helps teams test devices before resale, repair or further processing.
    See: MobiCode TEST
  • Recycler workflows: MobiCode supports recyclers that need clearer traceability and better processing control.
    See: Solutions for Recyclers

The commercial benefit is clearer control. When a wipe result connects to the device identity, test outcome and final route, the business can show a more complete processing record.

Common mistakes when talking about ADISA certification

ADISA is important, but businesses should describe it carefully. Overclaiming can make content less trustworthy and create confusion for customers.

Common mistakes include:

  • saying certification guarantees all GDPR compliance: it supports compliance, but it does not replace wider governance
  • treating factory reset as certified erasure: they are not the same thing
  • forgetting device records: erasure evidence becomes weaker if it is not tied to the correct handset
  • ignoring failed wipes: failed or uncertain results need a clear route
  • assuming all devices can move through the same process: damaged or locked devices may need different handling

A more accurate approach is to explain certification as part of a wider, controlled data erasure process.

Commercial takeaway: ADISA certification

ADISA certification matters for data erasure because it gives businesses a recognised framework for managing data risk during IT asset recovery and device processing. For recyclers, refurbishers and ITAD teams, it can help demonstrate that data sanitisation follows controlled, auditable processes.

For used mobile devices, the practical lesson is simple: do not rely on appearances or informal resets. Identify the device, run the right erasure process, verify the result and keep evidence against the handset record.

A practical example for a recycler

A recycler receives a batch of business-owned smartphones. The customer needs reassurance that personal and business data will not remain on the devices before resale or recycling. If the recycler simply says “we reset them”, that may not be enough for a serious customer.

A stronger workflow captures each device identity, runs a controlled erasure process, records the result and keeps evidence against the handset record. That gives the customer a clearer basis for trust and gives the recycler a better audit trail if questions arise later.

FAQ: ADISA certification and data erasure

What is ADISA certification?
ADISA certification gives organisations a recognised framework for data protection, data sanitisation and IT asset recovery. It helps businesses show that data-bearing devices move through controlled processes.

What does ADISA stand for?
ADISA stands for the Asset Disposal and Information Security Alliance.

Why does ADISA certification matter for data erasure?
ADISA certification matters because it supports a structured approach to removing data from devices before reuse, resale, recycling or disposal. It can also help customers and partners assess data sanitisation risk.

Does ADISA certification guarantee GDPR compliance?
No certification should be treated as a blanket guarantee of full GDPR compliance. However, the ICO lists ADISA ICT Asset Recovery Standard 8.0 as an approved UK GDPR certification scheme for data sanitisation services.

Is factory reset the same as ADISA-approved erasure?
No. A factory reset clears a device for normal use, but ADISA-approved or certified erasure involves a more controlled process with stronger evidence and verification.

References and Further Reading