
ICO and FCA Joint Statement on Data Protection: A Reminder That Secure Disposal Matters

The Information Commissioner’s Office (ICO) and Financial Conduct Authority (FCA) have published a joint statement on targeted support and direct marketing (December 2025). While this statement is aimed specifically at financial services firms, it contains principles about personal data handling that apply to any organisation managing customer information.

What Is This Statement About?

The joint statement addresses how authorised financial services firms can offer a new service called “targeted support” — making suggestions to customers based on shared characteristics such as pension drawdown rates or savings levels — while complying with UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).

The statement forms part of the FCA’s wider Advice Guidance Boundary Review and accompanies policy statement PS25/22, with the new framework expected to take effect from April 2026.

Key Principles for All Organisations

Although the statement focuses on financial services, the underlying data protection principles it reinforces apply to any organisation handling personal information.

Transparency and Lawfulness

Organisations must be transparent about how personal data is used and must have a valid lawful basis for processing it. Customers have an absolute right to object to direct marketing, which must be respected.

Data Minimisation

The statement reminds firms of their obligations under UK GDPR on data minimisation — only collecting and retaining the personal data necessary for the intended purpose.

Respecting Individual Rights

People have the right to be informed about how their data is processed, rights concerning automated decision-making and profiling, and the right to object to direct marketing.

The Connection to Secure Document Disposal

One principle that runs through all data protection guidance is this: responsibility for personal data does not end when it is no longer actively used.

The ICO’s broader guidance makes clear that retaining outdated, unnecessary or excessive personal information increases the risk of data breaches. Under the storage limitation principle of UK GDPR, personal data must not be kept for longer than necessary.

When data is no longer required, it must be disposed of securely. For paper records, this means confidential shredding rather than standard waste disposal.

Why This Matters for Your Organisation

Organisations across all sectors — not just financial services — hold personal data in paper form. This includes:

  • Customer correspondence and account records
  • Employee personnel files and payroll information
  • Marketing lists and campaign materials
  • Archived records and historical files
  • Legal and contractual documentation

Each of these presents a risk if not managed properly throughout its lifecycle, including at the point of destruction. A data breach involving improperly disposed documents can result in regulatory action, reputational damage, and loss of customer trust.

Demonstrating Accountability

Under UK GDPR, organisations must be able to demonstrate accountability — showing that appropriate steps have been taken to protect personal data and reduce risks associated with retention and disposal.

Using a professional secure shredding service can form part of that evidence. Key elements include:

  • A documented chain of custody from collection to destruction
  • Staff who are properly vetted (ShredSec operatives are vetted to BS7858 standard)
  • A Certificate of Destruction for your compliance records
  • Secure methods that prevent data from being reconstructed

Paper Documents Still Present Risk

While much attention is given to electronic records and cyber security, paper documents continue to present significant data protection risks. Customer letters, printed reports, handwritten notes, and archived files all contain personal data that must be protected.

The ICO has taken enforcement action against organisations for failures in physical document security, not just digital breaches. Secure document shredding remains a practical control for organisations seeking to comply with data protection obligations.

How ShredSec Can Help

At ShredSec, we provide confidential shredding services across Suffolk and East Anglia. Whether you need to dispose of old marketing records, archived customer files, or routine confidential waste, we offer:

Review Your Data Retention Practices

Regulatory statements like this joint ICO/FCA publication serve as a useful prompt to review how your organisation manages personal data — including how it handles end-of-life disposal.

Questions to consider:

  1. Do you have a data retention policy that specifies how long different types of records are kept?
  2. Are paper records containing personal data disposed of securely?
  3. Can you demonstrate accountability if asked by the ICO?
  4. Are archived records being held longer than necessary?

If you are unsure whether your current arrangements meet modern standards, now is a good time to assess your approach to secure data destruction.

Contact ShredSec to discuss your requirements.


Published: December 2025

This article discusses the ICO and FCA joint statement on targeted support and direct marketing published on 11 December 2025. The statement is aimed at financial services firms but contains data protection principles relevant to all organisations. Read the full statement on the ICO website.
