The IT asset disposal rules Indian companies keep getting wrong
Table of contents
- What IT asset disposal actually means under Indian law
- The four laws that govern IT asset disposal in India
- Why “format and sell” is not compliant disposal
- A 6-step ITAD compliance checklist
- What certified data destruction looks like
- The real cost of doing ITAD wrong
- Arjun’s take
- FAQ
What IT asset disposal actually means under Indian law
IT asset disposal in India is the process of retiring, destroying data on, and recycling or reselling company-owned hardware in compliance with environmental, data protection, and tax regulations. Get any one of those three legs wrong and you face penalties ranging from ₹1 lakh under e-waste rules to ₹250 crore under the DPDP Act.
Most companies I work with treat disposal as a weekend project. Someone from admin calls a scrap dealer in Saki Naka, negotiates ₹200 per laptop, loads everything into a Tata Ace, and calls it done. No certificate of destruction. No data wipe verification. No CPCB Form 6.
That is not disposal. That is a compliance incident waiting to happen.
The four laws that govern IT asset disposal in India
Indian IT asset disposal sits at the intersection of four separate regulations. Missing even one creates liability.
1. E-Waste (Management) Rules, 2022
Published by the Ministry of Environment, Forest and Climate Change (MoEFCC). Any company generating more than 100 kg of e-waste per year (roughly 40-50 laptops) must use a CPCB-authorized recycler and file Form 6 annually. Penalties: up to ₹1 lakh per violation plus prosecution under the Environment Protection Act.
2. Digital Personal Data Protection Act, 2023 (DPDP Act)
Section 8(7) requires data fiduciaries to erase personal data once the purpose of processing is fulfilled. Old devices sitting in your storage room with employee records, customer databases, or CRM exports on them violate this section. The penalty ceiling is ₹250 crore. For the full breakdown of what DPDP demands, read our guide on why DPDP compliance requires certified data destruction.
3. Companies Act, 2013 (asset register provisions)
Section 128 mandates that every company maintain an asset register. Disposing of a fixed asset (laptops, servers, networking gear) without updating the register and obtaining board/CFO approval is a compliance gap that auditors flag during statutory audits. The write-off must show salvage value, depreciation applied, and method of disposal.
4. Income Tax Act, 1961 (depreciation and capital gains)
Block depreciation at 40% (computers, IT equipment) means a 3-year-old laptop has roughly 21.6% of its original value remaining on the books. If you sell it for more than that residual, you trigger short-term capital gains. If you scrap it for zero, you need documentary proof of destruction to claim the full loss.
Why “format and sell” is not compliant disposal
I hear this at least twice a month: “We formatted the drives and sold them to a refurbisher.”
A standard Windows format does not erase data. It marks disk sectors as available. Any ₹3,000 data recovery tool from Amazon can pull back 80-90% of what was on that drive. I once ran Recuva on a “formatted” laptop that a client had sold to a reseller. We recovered 14,000 files in about 23 minutes, including an Excel sheet with around 800 customer phone numbers.
Under the DPDP Act, if those customer records show up in a breach investigation, the original company is liable. Not the reseller. Not the recycler. You.
Compliant data destruction means one of two things: NIST 800-88 certified software wiping (3-pass minimum with verification report) or physical destruction of the storage media (shredding, degaussing, or incineration) by a certified vendor with a certificate of destruction.
There is no third option. “But we removed the hard drive” is not an option either, because SSDs retain data in wear-levelled blocks that survive physical removal if not properly wiped.
A 6-step ITAD compliance checklist
| Step | Action | Document produced | Who owns it |
|---|---|---|---|
| 1 | Inventory all devices due for disposal (serial numbers, asset tags, data classification) | Asset disposal register | IT Manager |
| 2 | Get CFO/board approval for write-off with residual value calculation | Board resolution or CFO approval letter | Finance |
| 3 | Classify data sensitivity per DPDP (personal data, sensitive personal data, or none) | Data classification memo | DPO or Compliance |
| 4 | Engage CPCB-authorized recycler with valid Registration Certificate | Vendor agreement + CPCB registration copy | Procurement |
| 5 | Execute certified data destruction (NIST 800-88 wipe OR physical shredding) | Certificate of Destruction per device | Vendor + IT |
| 6 | File Form 6 with CPCB, update asset register, archive all certificates for at least 8 years | CPCB Form 6 receipt + updated fixed asset register | Compliance + Finance |
Skip step 3 and your data ends up in Dharavi with the rest of the e-waste. Skip step 5 and you have no evidence of destruction when the DPDP Board comes asking.
One thing to flag: step 4 costs money. CPCB-authorized recyclers charge ₹150-400 per device for pickup, wipe, and recycling. The scrap dealer charges nothing (and pays you ₹200). The gap between those two numbers is your compliance risk premium. For a 200-device fleet, that is ₹30,000-80,000 per disposal cycle. I have never seen a company where the fine risk was worth saving that amount.
What certified data destruction looks like
There are two paths, and which one you pick depends on whether the device has resale value.
Path A: Software wipe (device will be resold or redeployed)
The vendor runs NIST 800-88 compliant erasure software (Blancco, KillDisk, or equivalent) across every storage medium in the device. The wipe runs a minimum of 3 overwrite passes. After completion, the software generates a per-device verification report with serial number, wipe method, pass count, and result (pass/fail). You keep this report for a minimum of 8 years.
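As an added example (not code from the article or from any vendor tool named above), this Python script does on a disk image what Path A describes and what the “format and sell” section says a format never does: it overwrites the image three times, reads every byte back, and emits the per-device record with serial number, wipe method, pass count and result. The serial number, the image file and the CSV content are constructed placeholders; the 3-pass count follows the article, and the read-back check is also why the SSD caveat above matters, since a filesystem-level overwrite cannot reach blocks an SSD controller has remapped.

```python
import os
import secrets
import tempfile

CHUNK = 1 << 20  # 1 MiB read/write granularity


def overwrite_image(path: str, passes: int = 3) -> int:
    """Overwrite the image once per pass (random / 0xFF alternating, zeros last). Caveat from the
    text: filesystem-level writes miss blocks an SSD controller has remapped (use firmware sanitize)."""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:          # unbuffered: each write goes to the OS
        for p in range(passes):
            pattern = b"\x00" if p == passes - 1 else (None, b"\xff")[p % 2]
            f.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                f.write(secrets.token_bytes(n) if pattern is None else pattern * n)
                remaining -= n
            os.fsync(f.fileno())
    return passes


def verify_zeroed(path: str) -> int:
    """Read the whole image back; return the count of non-zero bytes (0 means clean)."""
    residual = 0
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            residual += len(chunk) - chunk.count(0)
    return residual


def verification_report(path: str, serial: str, passes: int) -> dict:
    """Per-device record with the fields Path A lists: serial, method, pass count, result."""
    residual = verify_zeroed(path)
    return {"serial_number": serial, "wipe_method": "overwrite (NIST SP 800-88 Clear)",
            "pass_count": passes, "residual_nonzero_bytes": residual,
            "result": "PASS" if residual == 0 else "FAIL"}


def demo(serial: str = "CONSTRUCTED-SN-0001") -> tuple[dict, dict]:
    """Constructed 2 MiB image of fake CSV records: verify (FAIL), wipe, verify again (PASS)."""
    record = b"name,phone\nA. Sharma,0000000000\n"  # constructed sample data, not real
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(record * ((2 << 20) // len(record)))
        path = tmp.name
    try:
        before = verification_report(path, serial, passes=0)   # un-wiped image must FAIL
        after = verification_report(path, serial, overwrite_image(path, passes=3))
        return before, after
    finally:
        os.remove(path)
```

Pointed at a real block device instead of a temporary file, the same read-back check is the verification step the vendor's report should be able to reproduce for each serial number.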
Path B: Physical destruction (device has no resale value or contains highly sensitive data)
The vendor physically shreds, degausses, or incinerates the storage media. You get a certificate of destruction with serial numbers, method used, date, and the vendor’s CPCB registration number. Some vendors let you witness the shredding on-site. I recommend this for any device that held financial data, health records, or Aadhaar-linked datasets.
Both paths produce an auditable paper trail. No paper trail means no proof of IT asset disposal compliance. It is that simple.
The honest trade-off here: Path B destroys resale value entirely. A 3-year-old ThinkPad in working condition can fetch ₹4,000-8,000 in the refurbishment market. If you shred it, that value is gone. For most companies with standard office data, Path A (wipe and resell) makes financial sense. Reserve Path B for the devices that held regulated data.
The real cost of doing ITAD wrong
I ran the numbers on a 200-device IT asset disposal cycle for a logistics company last quarter. The two approaches cost very different amounts:
| Line item | Compliant ITAD | “Scrap dealer” approach |
|---|---|---|
| Data destruction (certified) | ₹60,000 (₹300/device) | ₹0 |
| CPCB recycler fee | ₹20,000 | ₹0 |
| Resale credit (wiped, working devices) | -₹3,20,000 (avg ₹4,000 × 80 resaleable) | -₹40,000 (₹200/unit scrap rate) |
| Form 6 filing + documentation | ₹5,000 (staff time) | ₹0 |
| Compliance risk (DPDP penalty exposure) | ₹0 | Up to ₹250 crore |
| Net cost | -₹2,35,000 (net gain) | -₹40,000 gain + unlimited risk |
The compliant approach actually makes more money because certified wiping preserves resale value. The scrap dealer approach destroys the device to extract metal at ₹200 per unit. This is not a cost-vs-compliance trade-off. Compliant disposal is cheaper.
I walked a manufacturing client through this table last month. Their admin had been sending around 150 laptops to scrap annually for three years. When we switched them to a Device Lifecycle Management services provider with an embedded ITAD process, they went from losing ₹30,000 per cycle to recovering ₹1.8 lakh.
The real risk is not the e-waste fine. It is employees walking out with data on old devices that were supposed to be wiped but never were. The device sitting in an unlocked cupboard in reception for six months is your biggest exposure point.
For companies managing more than around 50 devices, an ITAD process is really just the disposal stage in device lifecycle management. You cannot do disposal well in isolation. It connects to procurement, provisioning, refresh cycles, and data classification. If the upstream stages are broken, disposal will be broken too.
Arjun’s take
I have processed disposal for 4,000+ devices across pharma, logistics, and BFSI clients in the last two years. The pattern is always the same: companies think disposal is a one-time cleanup event. It is not. It is a recurring operational process that should be baked into your annual IT calendar, right next to license renewals and security audits. Build the process once, run it every March (before audit season), and you will never scramble.
FAQ
Is IT asset disposal mandatory for all companies in India?
Yes, if your company generates more than 100 kg of e-waste per year (roughly 40-50 devices), the E-Waste Management Rules 2022 require you to use a CPCB-authorized recycler and file Form 6. Any company processing personal data must also perform DPDP-compliant data destruction before disposing of devices.
Can I dispose of company laptops by donating them?
Yes, but you must still perform certified data destruction before donation. A factory reset is not sufficient. Run a NIST 800-88 wipe, generate the per-device verification report, and then donate. The donation also needs to be documented in your fixed asset register with the recipient’s details.
How long should I keep disposal certificates?
A minimum of 8 years. This covers the DPDP Act’s potential lookback period, the Companies Act document retention requirement, and the Income Tax Act’s assessment window. Store digital copies alongside the fixed asset register entry for each device.
What happens if old devices are found with company data after disposal?
Under the DPDP Act, the original data fiduciary (your company) remains liable for any personal data that surfaces from improperly disposed devices. The recycler or reseller is not the liable party. Penalties can reach ₹250 crore depending on the nature and volume of the data breach.
Do I need different disposal processes for different device types?
The data destruction step is the same for all devices (laptops, desktops, servers, phones, tablets, printers with internal storage). The recycling path may differ: CPCB-authorized recyclers handle IT equipment differently from batteries (which fall under Battery Waste Management Rules 2022). Confirm your recycler’s authorization covers all categories in your disposal batch.
Get compliant IT asset disposal for your company
200+ businesses trust Sirius Star for compliant device management. Response within about 4 hours.