Document Destruction Services

Call: 0800 654 6507 Covering Bury St Edmunds, Suffolk and East Anglia
Why small businesses that overlook confidential waste handling risk serious data breaches and regulatory action in the UK

Why Small Businesses Must Take Confidential Waste Seriously

Most small businesses put a lot of effort into digital security. Passwords, firewalls, antivirus software. The pile of old invoices next to the printer tends to get less attention. It should not, because the legal obligations around confidential paper waste are exactly the same as those around digital data, and the ICO has shown it will enforce them regardless of the size of the organisation involved.

What Counts as Confidential Waste

If a document contains information that could identify a living person, it is personal data and falls within the scope of UK GDPR and the Data Protection Act 2018. For most businesses that covers a wide range of everyday paperwork: customer correspondence, invoices with names and addresses, payroll records, HR files, signed contracts, job applications, bank statements. You do not need to be running a hospital or a law firm for this to be relevant.

The regulation applies to paper records as well as digital ones. Manual personal data that forms part of a structured filing system is in scope, whether it sits on a server or in a drawer. An alphabetically organised client folder, a set of HR files, a bundle of invoices sorted by account: these all qualify. A sole trader has the same obligations under UK GDPR as a large employer. The size of the business changes nothing about what the law requires.

The Disposal Problem

Here is where small businesses often go wrong. There is a common assumption that once a document has served its purpose, it can go in the bin. Under UK GDPR, that is not how it works. The legal definition of processing includes erasure and destruction. So the method of disposal is itself a regulated activity. An insecure disposal route is a data protection failure, not something that happens outside the law.

The ICO’s guidance on document destruction says plainly that putting paper containing personal data into ordinary waste or recycling risks leaving that information accessible to others. Cross-cut shredding is the method the ICO recommends as proportionate and effective for most organisations. Strip-cut shredding produces long ribbons that have been successfully reconstructed and does not meet the standard for confidential material.

If personal data is lost or disclosed because of careless disposal, that is a personal data breach. Where the breach is likely to cause risk to individuals, the organisation has 72 hours to notify the ICO once it becomes aware of it. Under UK GDPR, the maximum fine for a serious breach of the security principle is £17.5 million or 4% of global annual turnover, whichever is higher.

What the ICO Has Actually Done About This

Two cases show how this plays out in practice. Both were brought under the old Data Protection Act 1998, when the maximum fine was £500,000. The figures available to the ICO today are much larger.

In 2017, Norfolk County Council was fined £60,000 when a filing cabinet containing social work case files on seven children was donated to a charity shop during an office move. Nobody had checked whether the drawers were empty. No procedure existed requiring them to. The member of the public who bought the cabinet found the files and reported them.

Bayswater Medical Centre in London was fined £35,000 after medical records, prescriptions and patient-identifiable medicines were left unsecured in a vacated building for more than 18 months. The practice had been warned by a neighbouring surgery and the local Clinical Commissioning Group that records were visible and accessible. Someone visited the site weekly. Nothing was done. The ICO called it a serious contravention showing complete disregard for information security.

Neither of these was a large organisation with complex data infrastructure. Both were brought down by a failure to manage physical paper.

When to Destroy and When to Keep

Secure disposal needs to sit within a documented retention schedule. Destroying records before their retention period ends can itself constitute a breach, as the ICO’s 2025 enforcement action against Birthlink established. Holding onto records past the point at which they are needed creates unnecessary exposure and is contrary to UK GDPR.

For most small businesses the core periods to know are these. Tax records, VAT returns, invoices and accounting documents should be retained for at least six years under HMRC guidance. PAYE and payroll records need to be kept for three years after the end of the relevant tax year. Business contracts should be held for six years after they end, reflecting the limitation period under the Limitation Act 1980. Personal data collected for other purposes, such as unsuccessful job applications, should not be kept longer than needed for the purpose for which it was gathered.

Once the retention period ends, the document should be destroyed securely without delay.

Running a Practical Process

The steps involved are not complicated. Locked confidential waste bins should go wherever paperwork is generated: near printers, in admin areas, in meeting rooms. Nothing containing personal data should sit in an open recycling bin while waiting to be dealt with. The bins need to be lockable and access kept to authorised staff.

For destruction, cross-cut shredding is the minimum appropriate standard. The site has a full guide to shredder security levels covering what each classification means and when higher protection is needed.

Professional document destruction services operating to BS EN 15713:2023, the British Standard for secure destruction of confidential material, handle collection under a managed chain of custody and issue a Certificate of Destruction for every job. Using an external provider creates a legal requirement for a written processor contract under Article 28 of UK GDPR. The certificate becomes part of the compliance record.

Confidential waste disposal should be governed by a written policy setting out what records the business holds, how long each category is kept, who authorises disposal, and how documents are destroyed. Staff need to know what counts as confidential waste and understand that the general bin is not an option for it. A log of what was destroyed and when gives the business something to produce if the ICO ever asks.

Getting Started

The Bayswater Medical Centre case did not end with the ICO fine. It generated data breach compensation claims from affected patients. That is the fuller picture of what physical document mismanagement can cost a small business.

Confidential shredding for smaller organisations typically involves a provider supplying locked collection bins, running regular or one-off collections, and issuing certificates of destruction. Paired with a written retention policy and straightforward staff guidance, that covers the main obligations and removes the risk of a breach coming through the waste stream.

The ICO’s guide to data security and its guidance on practical destruction methods are the right places to start a review. For the shredding side, secure shredding services operating to a documented standard give the evidence trail that the ICO would expect to see.


Sources: ICO: Practical Methods for Destroying Documents | ICO: Norfolk County Council Enforcement | ICO: Enforcement Register | ICO: Data Security Guide | HMRC: Company Records | Limitation Act 1980 | BSI: BS EN 15713:2023

Contact Shredsec to discuss your shredding requirements.
