
Why Secure Document Destruction Is Central to GDPR Compliance
Most businesses put a great deal of thought into how they collect and store personal data. The same cannot be said for how they get rid of it. Document disposal tends to be treated as a tidying-up job rather than a legal obligation, and that attitude has cost organisations real money in ICO fines.
UK GDPR does not stop applying once data has served its purpose. The law requires that personal data is destroyed properly when retention periods expire, and it requires organisations to be able to prove it. This piece sets out what those obligations actually mean for businesses handling paper records, what the ICO has said through its guidance and enforcement decisions, and how professional confidential shredding fits into a defensible compliance framework.
What UK GDPR requires when it comes to document disposal
Article 5 of UK GDPR contains the data protection principles, and three of them apply directly to the disposal of paper records.
The storage limitation principle says personal data should not be kept for longer than is necessary for the purpose for which it was collected. The ICO’s guidance on this principle is clear: organisations need to set defined retention periods and then act on them. Holding onto paper files indefinitely is a breach of this principle, and so is destroying them without any kind of controlled process.
The integrity and confidentiality principle requires appropriate protection against unauthorised or unlawful processing, and against accidental loss, destruction or damage. The ICO’s security guidance confirms this applies to physical and organisational controls as much as it does to cyber security, covering every stage of processing right through to disposal.
The accountability principle requires controllers to comply with the law and to be able to demonstrate that compliance. A business that has no record of what it destroyed, when, who approved it, and how it was carried out will struggle to satisfy this requirement if the ICO comes asking.
Article 32 requires controllers to put in place appropriate technical and organisational measures proportionate to the risk. Article 28 requires a written contract to be in place whenever a third party is used to handle or dispose of personal data, and the controller must be satisfied that the processor offers sufficient guarantees around security before appointing them.
What the ICO expects organisations to do in practice
The ICO’s audit framework on records management and its disposal and deletion toolkit translate those legal obligations into practical expectations. According to this guidance, organisations should:
- Destroy physical records in line with a documented retention schedule
- Obtain and record management approval before authorising any destruction
- Use secure disposal methods such as cross-cut or micro-cut shredding
- Keep records awaiting destruction in locked areas with restricted access
- Maintain a log of what is awaiting destruction and where it is held
- Ensure contracts with third-party shredding providers cover security measures, accountability provisions, and audit rights
- Check periodically that third-party services are meeting the agreed standard
- Verify that destruction certificates match the consignment that was actually sent for destruction
That last point is worth dwelling on. A certificate of destruction is not a bureaucratic nicety. It is the primary evidence that personal data was actually destroyed, and it is precisely what the accountability principle demands.
When poor disposal turns into a data breach
Inadequate disposal of personal data is not just a compliance gap. It can cross the line into a reportable personal data breach. The ICO’s incident-type glossary includes “incorrect disposal of paperwork” as a formal category, covering situations where paperwork containing personal data is disposed of without being shredded or securely destroyed.
Under Article 33 of UK GDPR, a notifiable breach must be reported to the ICO without undue delay and, where feasible, within 72 hours of the controller becoming aware of it. Where there is a high risk to individuals, Article 34 requires affected people to be told as well. Failing to notify when required can result in a penalty of up to £8.7 million or 2 per cent of global annual turnover under the lower tier of UK GDPR fines. Individuals can also pursue compensation through the courts for material or non-material damage resulting from a breach of data protection law.
Enforcement cases that illustrate the risk
The ICO’s published enforcement record shows this is not a theoretical concern.
Birthlink (2025). The ICO fined Scottish adoption charity Birthlink £18,000 after approximately 4,800 personal records were destroyed without adequate policies or procedures governing that destruction. The ICO noted that up to ten per cent of those records may have been irreplaceable, and was explicit that basic policies and procedures would likely have prevented the incident.
Hertfordshire County Council. The ICO issued a £60,000 civil monetary penalty after paper documents relating to employee pension records were found in a supermarket recycling bank. The organisation had no controlled disposal process in place.
Aneurin Bevan Health Board. A £70,000 penalty followed the discovery of paper records discarded in a public street. As with the Hertfordshire case, the failure was in disposal controls rather than in how the data was collected or stored.
Taken together, these cases show that the ICO has consistently treated weak paper disposal as a serious regulatory failure over many years, not as a minor administrative oversight.
What good physical destruction looks like
BS EN 15713:2023 is the current British standard for the physical destruction of confidential and sensitive material. Published by the British Standards Institution, it covers collection, storage, transportation, destruction methods, and certification. Importantly, it applies to both on-site destruction using mobile equipment and off-site destruction at a specialist facility, and it is explicitly aligned with GDPR and wider information security expectations.
UK GDPR does not prescribe a single destruction model. It requires a level of security appropriate to the risk, backed by policies, documented controls, and evidence. In practical terms, a compliant process needs:
- A documented retention schedule with clear destruction triggers
- Recorded authority for who can approve destruction
- Secure temporary storage for documents awaiting collection
- Restricted access to material pending disposal
- A documented handover to the shredding provider
- Evidence that the material sent matches what was actually destroyed, in the form of a certificate of destruction
On-site shredding limits the time that intact confidential paper spends in transit, but it still requires secure pre-collection storage and a controlled handover process. Off-site shredding places greater weight on secure transport, chain-of-custody records, contractual obligations, and matching certificates to consignments. Both approaches can fully satisfy GDPR requirements when the surrounding controls are sound.
How a professional shredding service supports compliance
A professional document destruction service does two things for a business. It provides the secure disposal method the law requires, and it generates the evidence that the method was properly carried out.
The ICO expects appropriate contracts with any third party handling personal data, periodic performance checks, and documented evidence of disposal. For organisations managing significant volumes of HR, payroll, legal, or customer records, maintaining those controls in-house consistently is genuinely difficult. Using a specialist provider makes it considerably more straightforward.
Outsourcing confidential waste disposal does not, however, shift accountability away from the controller. Businesses remain primarily responsible for compliance and for demonstrating it. Choosing a shredding provider is a GDPR decision in its own right: Article 28 requires processors to be selected on the basis of sufficient guarantees, and the contract must cover Article 32-level security obligations. The ICO has also noted that certification and codes of conduct can help processors evidence those guarantees.
Shredsec holds certification to BS EN 15713:2023 and provides a certificate of destruction with every collection. All consignments are handled under a documented chain of custody, giving clients the evidential records they need to satisfy the ICO’s accountability requirements. Whether you need a one-off shredding service for a premises clearout or a scheduled regular shredding programme, the compliance controls are consistent throughout.
A practical checklist for businesses
Getting disposal right does not require large investment. It requires a process that is legally timed, operationally consistent, and evidentially documented.
| Action | Why it matters |
|---|---|
| Map paper record categories and set retention periods | Storage limitation means personal data cannot be kept longer than necessary, and privacy notices must explain how long data will be held |
| Record who can authorise destruction and keep a destruction log | The ICO expects documented management approval and evidence that records were destroyed in line with schedule |
| Use secure confidential-waste bins and locked storage areas | Documents awaiting destruction must not be accessible or recoverable before collection |
| Choose on-site or off-site shredding based on your risk assessment | GDPR is risk-based; BS EN 15713 supports both models when controls are adequate |
| Carry out due diligence on your shredding provider and sign a written contract | Article 28 requires processors to offer sufficient guarantees, with contracts covering Article 32-level security measures |
| Match destruction certificates to each consignment and retain them centrally | This creates the audit trail needed to demonstrate compliance in the event of an ICO enquiry |
| Train staff and incorporate disposal into your breach response procedures | Incorrect disposal can be a notifiable breach; staff need to know the escalation process and the 72-hour reporting window |
The evidence trail is the step organisations most commonly underinvest in. A retention schedule that is never acted on, or a certificate that cannot be matched to a specific consignment, leaves a business unable to answer the questions the ICO will ask if a disposal incident comes to light.
Pulling it together
Document destruction touches three of the most fundamental GDPR principles: storage limitation, security, and accountability. The ICO’s guidance sets out a clear operational model covering retention schedules, secure holding, authorised destruction, appropriate contracts, audit rights, and documented evidence. Its enforcement record confirms this is an area it takes seriously, with fines issued against organisations of all types and sizes.
For businesses that want to get this right, working with a certified confidential shredding provider gives them both the secure disposal process the law requires and the documentation needed to demonstrate it. Get in touch with Shredsec to talk through the options for your organisation.
Contact Shredsec to discuss your shredding requirements.