Data Subject Rights Under the Data Protection Act 2018
When you’re running a business that handles personal information—whether that’s employee records, customer details, or supplier invoices—you need to know how the law expects you to manage it. The Data Protection Act 2018 isn’t just another piece of legislation to worry about; it sets out real obligations that affect how you collect, store, and yes, dispose of personal data.
The Act works alongside UK GDPR and is enforced by the Information Commissioner’s Office. What surprises some businesses is that it applies just as much to paper documents as it does to digital files. That stack of old personnel files in the archive room? They’re covered too.
Who counts as a data subject?
A data subject is anyone whose personal information you’re processing. That’s employees, customers, suppliers—basically any identifiable individual. The data itself can be anything from employment contracts and payroll records to handwritten meeting notes or client correspondence. If it identifies a person, it’s in scope.
What rights do people have?
The Act gives individuals several rights over their personal data. Here are the main ones you’ll need to be aware of:
People have the right to know what you’re doing with their information—how you collect it, what you use it for, how long you keep it, and how you’ll dispose of it. Transparency matters here. If someone asks how you destroy confidential documents, you should be able to tell them.
There’s also the right of access through Subject Access Requests. You’ll need to provide copies of what you hold and explain why you’re holding it. The right to rectification means people can get inaccurate information corrected, which seems fair enough.
The “right to be forgotten”—formally called the right to erasure—is particularly relevant when it comes to document destruction. When someone’s data is no longer needed or they withdraw consent, they can ask for it to be deleted. For paper records, that means secure shredding, not just binning it.
Other rights include restricting how data is used in certain situations, moving data between organisations (data portability), and objecting to processing for things like direct marketing. The Act also includes protections around automated decision-making, though that’s more relevant to digital systems.
Why this matters when choosing a shredding company
Here’s the thing: outsourcing your document destruction doesn’t outsource your legal responsibility. You remain the data controller, which means if something goes wrong with how your documents are handled or destroyed, it’s still your problem.
That’s why choosing a shredding provider isn’t just about price. You need someone who understands these obligations and has the processes in place to meet them. The ICO has real teeth—they can investigate and fine organisations that don’t protect personal data properly, and that includes during disposal.
Getting it right
Understanding data subject rights isn’t just about avoiding fines. It’s about showing your customers, employees, and suppliers that you take their privacy seriously. Secure document destruction is part of that picture—it’s the final step in handling data responsibly.
We’ve built our service around these requirements because we know compliance matters. Whether you need regular collections or a one-off purge of old records, we can help you meet your obligations under the Data Protection Act without the headache.
Take a look at our shredding services or get in touch if you’d like to discuss your requirements.
Contact Shredsec to discuss your shredding requirements.