Data Wiping vs Formatting: Why Reformatting a Company Laptop Isn’t Enough

Formatting a laptop, including a full system reformat, does not reliably remove all data and does not on its own satisfy Singapore’s PDPA disposal requirements. Deleted or formatted data can often still be recovered because formatting mainly resets the file system rather than erasing the underlying data. Businesses disposing of company laptops need a documented sanitisation process, not just a reformat.

When a company replaces, resells, or disposes of laptops, the same question comes up in IT and admin teams: can we just reformat the laptop first?

The honest answer depends on what “reformat” actually means, what type of drive is inside the machine, and whether the company needs to show that data was removed properly. For a personal laptop, deleting files or reinstalling Windows might feel like enough. For a business handling customer records, HR files, or financial data, looking empty is not the same as being sanitised, and it is not the same as being compliant.

A simple way to picture the difference: formatting is like throwing a blanket over a messy room before guests arrive. The room looks tidy from the doorway, but the old bills, files, and clutter are still there underneath, just out of sight. Data wiping is closer to actually clearing the room out, so there is nothing left to find whether someone glances in or pulls the blanket back.

What Data Wiping Actually Means

Data wiping, also called data erasure or media sanitisation, is the process of removing data from a storage device so that recovering it becomes infeasible for a normal level of effort.

The current reference standard is NIST Special Publication 800-88 Revision 2, finalised by the US National Institute of Standards and Technology on 26 September 2025. It replaces the 2014 Revision 1 that most older Singapore disposal policies still point to. Revision 2 keeps the same three sanitisation categories as before, Clear, Purge, and Destroy, but shifts the emphasis from a single one-off wipe to running sanitisation as a documented, ongoing programme: identify the device and drive, apply a method appropriate to that media type, verify the result, and record what was done.

That last part is the piece formatting skips entirely. A format has no built-in verification step and produces no record tying a specific drive to a specific outcome.

What Happens When You Delete a File

Deleting a file on Windows does not usually remove it from the drive immediately. The space it occupied is marked as available for reuse, and the actual data can remain until something else overwrites it.

This is why tools exist specifically to recover deleted files, including Microsoft’s own Windows File Recovery utility, which can pull back files removed from the Recycle Bin. If recovery tools can do it, so can anyone else with access to a discarded drive.

Does Formatting Erase All Data?

“Formatting” covers several different operations that are often used interchangeably but do different things:

  • Quick format sets up the file system without writing over the existing data on the drive. It is the fastest option and the least secure.
  • Full format writes across the sectors of the drive, which is more thorough, but Microsoft’s own documentation distinguishes it clearly from a quick format precisely because a quick format does not perform the same operation.
  • Reinstalling Windows or deleting a partition changes what the operating system can see, not necessarily what remains physically on the disk.

Even a full format does not give a business:

  • A record of which specific device and drive were processed
  • Confirmation the correct drive was selected before wiping
  • A recognised sanitisation result (Clear, Purge, or Destroy)
  • Detection of a failed or incomplete wipe
  • An asset-level audit trail tied to a serial number
  • A certificate that can be produced if a customer, auditor, or regulator asks

“Was the laptop formatted?” is not the question that matters for a business. “Was the drive identified, sanitised with an appropriate method, verified, and documented?” is.

Why SSDs Need a Different Approach

Most laptops sold in the last several years use solid-state drives rather than spinning hard disks, and SSDs handle data differently. Many SSDs reserve extra physical capacity, used for wear levelling and performance, that is not directly visible or addressable by the user.

Because of this, a basic overwrite or repeated file-write process may not reach every physical area where data has been stored. NIST 800-88 flags this directly: media with overprovisioned capacity can retain data even after a narrow overwrite process that looks complete from the user’s side. This is one of the reasons Revision 2 leans on method-specific guidance, including cryptographic erase for encrypted drives, rather than a single generic process for every device type.

Is a Factory Reset the Same as Data Wiping?

Not automatically. A factory reset typically restores a device to an earlier software state or removes user accounts and apps, but the strength of that reset varies by manufacturer, operating system, and device generation. Some resets trigger a proper cryptographic erase on an encrypted drive; others mainly clear configuration and leave underlying data intact.

For a business, the practical question is the same as with formatting: can you show which asset was reset, which drive was inside it, which method ran, whether it completed successfully, and what happened to the device afterward? A reset without that trail is a convenience feature, not a compliance record.

What About Dell’s Built-In Data Wipe?

Dell Data Wipe is a real security feature built into the BIOS on supported Dell models, not just a marketing name for reformatting. It tells the drive itself to erase, and Dell reports the result as either Clear or Purge.

Picture a company retiring twenty Dell laptops at once. IT can trigger the wipe from the BIOS menu on each one without booting into Windows, which is fast and convenient. But once it’s done, there is no printout, no certificate, and no central log linking each result to a serial number. If a client or auditor later asks “can you prove laptop X was wiped?” the answer depends entirely on whether someone wrote that down by hand at the time. A certified data wiping service builds that record in automatically for every device, which is the part a business actually needs if it is ever questioned.

Does Formatting Meet PDPA Requirements?

This is the part most “just reformat it” advice skips.

Under the Personal Data Protection Act, the Protection Obligation (Section 24) requires organisations to make reasonable security arrangements to prevent unauthorised access, use, disclosure, copying, modification, or disposal of personal data in their possession. The Retention Limitation Obligation (Section 25) separately requires organisations to stop retaining personal data, or to dispose of it properly, once it is no longer needed for business or legal purposes.

Neither obligation is satisfied by a status of “looks empty.” Since the PDPA’s 2020 amendments, the Personal Data Protection Commission can impose financial penalties of up to SGD 1 million or 10 percent of an organisation’s annual turnover in Singapore, whichever is higher, for a breach of these obligations. If a decommissioned laptop that was only quick-formatted resurfaces with recoverable customer or employee data, the company that disposed of it, not just the vendor, carries that exposure.

A documented sanitisation record, method used, device serial number, date, and verification result, is the practical evidence an organisation would need to show it met the Protection Obligation for retired hardware. That is what a certificate from a data erasure provider is meant to provide, and it is also the kind of record NIST 800-88 Revision 2 now expects as standard practice rather than a nice-to-have.

Formatting vs Data Wiping at a Glance

Formatting (quick or full)Certified data wiping
Removes data from user’s viewYesYes
Guarantees data is unrecoverableNoYes, when method matches media type
Covers SSD overprovisioned areasNot reliablyYes
Produces a per-device audit recordNoYes
Supports a PDPA Protection Obligation defenceNoYes
Suitable before internal reassignmentSometimesYes
Suitable before resale or disposal outside the companyNoYes

Frequently Asked Questions

Does formatting a hard drive delete everything on it? No. A quick format does not overwrite existing data at all, and even a full format may not reach every physical storage area on an SSD due to overprovisioning. Specialised recovery tools can often retrieve data after either type of format.

Is a factory reset enough to sell a used company laptop? Not on its own. A factory reset’s effectiveness depends on the device and whether it triggers a proper cryptographic erase. It also produces no audit trail, which businesses need to demonstrate PDPA compliance.

What is the difference between Clear, Purge, and Destroy under NIST 800-88? Clear uses software commands to overwrite user-addressable storage. Purge applies a stronger technique, such as cryptographic erase or degaussing, that addresses areas Clear cannot reach. Destroy physically disables the media. NIST 800-88 Revision 2, finalised in September 2025, recommends selecting the method based on data sensitivity rather than defaulting to one method for every device.

Can a company be fined in Singapore for reselling a laptop with recoverable data? Yes. This falls under the PDPA’s Protection Obligation. Since 2020, the Personal Data Protection Commission can impose penalties of up to SGD 1 million or 10 percent of annual Singapore turnover, whichever is higher.

What proof should a data wiping vendor provide? A certificate referencing the specific device, its serial number, the sanitisation method used (Clear, Purge, or Destroy), the date, and confirmation the wipe was verified as successful.


If your business is preparing laptops or drives for resale, reassignment, or disposal, formatting is a starting point, not a finishing line. Certified data erasure closes the gap that formatting leaves open, with a verifiable record for each device. For drives that need to be physically destroyed rather than reused, see hard disk degaussing. For a broader look at PDPA disposal obligations, see how to comply with PDPA in Singapore.