How do I know if our shredding company is truly compliant with data security legislation?

Shredding companies can provide extremely cost effective solutions to data destruction, however customers must ensure that they outsource to an independently audited organisation. The best firms will be ISO 27001 accredited, which is a guarantee that their processes, personnel and procedures are independently audited to comply with the specified standards. Read on to find out how an ISO 27001 accredited firm can help you get ready for GDPR.

What happens if our shredding company isn’t compliant?

The Data Protection Act (1998) principle 7 states:

‘data controllers (businesses) must have appropriate security to prevent data held from being accidentally or deliberately compromised’


The law is clear regarding the liability for security breaches if data controllers subcontract data processing to third parties. If data controllers subcontract their document shredding to a data destruction specialist and there is a breach of security the data controller is liable in the eyes of the law. A failure by your document shredding company could result in not just a fine of £500k but serious damage to the reputation of your business.

Changes to the Data Protection Act

GDPR is set to change the law surrounding the Data Protection Act. The biggest difference is an individual’s right to be forgotten. This means that companies must have policies and procedures in place to ensure all data must be destroyed once it has served the purpose it was obtained for and if it is no longer needed. Along with this, companies must be able to respond to SARs (Subject Access Requests) from customers much quicker than with the old Data Protection Act and destroy their data.

Data Destruction companies can help ensure GDPR compliance by reducing the risk of any data breach and eliminating access to the data from third parties. Unfortunately shredding documents with an office shredder can be incredibly time consuming and quite costly when the employees time is taken into account. Shredding companies like Topwood can offer extremely cost effective services for off-site or on-site shredding, destroying 1 archive full box in about 10 seconds!

So what can you do?

As a data controller it is critical that means you only engage with shredding companies that can prove they have the competence and expertise to handle data securely on behalf of data controllers. In recent years there has been an explosion in the number companies offering data destruction services.

Whilst every shredding firm claims to be compliant … some are more compliant that others. Any of the more reputable firms will have an information security management system which incorporates all the relevant standards such as EN15713, BS7858 and any other industry specific standards.

The best firms will have ISO27001 Certification, which is a guarantee that their processes, personnel and procedures are independently audited to comply with the specified standards.

To help you we have devised a quick guide for selecting and reviewing shredding companies.

The same can be said for storage and scanning companies, as there are similar industry standards that should be adhered too, and data controllers should be aware of these when choosing a supplier.