
Organisations handling personal data must comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. The Information Commissioner’s Office (ICO) can impose fines of up to £17.5 million or 4% of annual global turnover for serious breaches.
This guide explains the key principles and how secure document disposal helps you comply.
UK GDPR and Data Protection Act 2018
The UK GDPR and Data Protection Act 2018 replaced the Data Protection Act 1998 following Brexit. The requirements are substantially similar to the EU GDPR, with some UK-specific provisions.
These regulations apply to any organisation processing personal data of UK residents, regardless of where the organisation is based.
The Seven Key Principles
1. Lawfulness, Fairness and Transparency
Personal data must be processed lawfully, fairly and in a transparent manner. Individuals must be informed about how their data will be used, who will have access, and how long it will be kept.
For document disposal: Inform individuals in your privacy notice that their data will be securely destroyed when no longer needed.
2. Purpose Limitation
Personal data must be collected for specified, explicit and legitimate purposes and not processed in ways incompatible with those purposes.
For document disposal: Only retain documents for their original purpose. When that purpose ends, destroy them securely.
3. Data Minimisation
Personal data must be adequate, relevant and limited to what is necessary for the purposes for which it is processed.
For document disposal: Don’t keep documents “just in case” – if you don’t need them, destroy them.
4. Accuracy
Personal data must be accurate and, where necessary, kept up to date. Inaccurate data should be erased or rectified without delay.
For document disposal: Outdated records should be destroyed, not just filed away.
5. Storage Limitation
Personal data must not be kept longer than necessary for the purposes for which it is processed.
For document disposal: This is the principle most relevant to shredding. You must define retention periods for each document type and destroy documents when those periods expire. Secure shredding services help you comply.
6. Integrity and Confidentiality (Security)
Personal data must be processed securely, with appropriate measures against unauthorised or unlawful processing, accidental loss, destruction or damage.
For document disposal: Simply throwing documents in the bin is not secure disposal. Professional shredding to DIN Level 3 standard meets this requirement.
7. Accountability
The data controller must be able to demonstrate compliance with all principles.
For document disposal: A Certificate of Destruction from Shredsec provides documented evidence of compliant disposal for audits and regulators.
Rights of Data Subjects
Under UK GDPR, individuals have the right to:
- Access their personal data
- Rectification of inaccurate data
- Erasure (“right to be forgotten”)
- Restrict processing
- Data portability
- Object to processing
- Not be subject to automated decisions
The right to erasure is particularly relevant – when individuals request deletion of their data, you must securely destroy all physical documents containing their information.
Document Retention Periods
You must define how long you keep different types of documents. Typical retention periods include:
| Document Type | Typical Retention |
|---|---|
| Tax records | 6 years |
| Employment records | 6 years after leaving |
| Payroll records | 6 years |
| Contracts | 6 years after completion |
| Medical records | 8 years (varies by type) |
| Accident records | 3 years (12 if minor involved) |
| Company accounts | 6 years |
| Insurance policies | 6 years after expiry |
After retention periods expire, documents must be securely destroyed – not just discarded.
Secure Document Destruction
The ICO guidance states that personal data must be disposed of securely. This means:
- Paper documents must be shredded to a standard that makes reconstruction impossible (cross-cut shredding, not strip-cut)
- Electronic media must be wiped using certified software or physically destroyed
- Destruction must be documented to demonstrate compliance
Shredsec’s shredding services meet these requirements:
- DIN Level 3 cross-cut shredding – 4mm x 30mm particles
- BS EN 15713 compliant – Secure destruction standards
- CRB-checked staff – Vetted to BS7858
- Certificate of Destruction – Documented proof for audits
- Full chain of custody – From collection to destruction
Penalties for Non-Compliance
The ICO has a tiered penalty system:
Standard maximum: £8.7 million or 2% of global turnover. Applies to less serious infringements such as failure to maintain records, failure to notify breaches, or failure to conduct impact assessments.
Higher maximum: £17.5 million or 4% of global turnover. Applies to more serious infringements including breaches of data processing principles, conditions for consent, or data subject rights.
Improper disposal of personal data – such as confidential documents found in public waste – can result in enforcement action and significant fines.
Compliance Checklist for Document Disposal
Use this checklist to ensure your document disposal practices are compliant:
- Retention policy – Defined periods for all document types
- Regular reviews – Scheduled assessment of archived documents
- Secure storage – Locked cabinets/rooms until destruction
- Secure collection – Locked bins for confidential waste
- Professional shredding – Cross-cut to DIN Level 3 minimum
- Destruction certificates – Documented proof of disposal
- Staff training – Everyone understands data protection responsibilities
- Supplier contracts – Written agreements with shredding providers
How Shredsec Helps You Comply
Our services support your UK GDPR compliance:
Regular shredding contracts
Scheduled collections ensure documents are destroyed promptly when retention periods expire. Secure bins prevent unauthorised access to confidential waste.
One-off shredding
Archive clearouts and retention period reviews become simple: we collect and destroy accumulated documents efficiently.
Certificate of Destruction
Every job receives documented proof of destruction, demonstrating compliance to auditors and regulators.
BS EN 15713 compliance
Our processes meet the European standard for secure destruction of confidential materials.
Get Help with Compliance
Need to implement compliant document destruction for your organisation?
Call: 0800 654 6507
Email: service@shredsec.com
We’ll assess your requirements and recommend the right service – from regular collections with secure bins to one-off clearouts of accumulated archives.
Contact Shredsec to discuss your shredding requirements.