What is the Data Protection Act?

Any organisation that retains personal data is a Data Controller and is bound by the terms of the Data Protection Act 1998 (DPA) – soon to be replaced by the Data Protection Act 2018 (GDPR). This legislation sets out in 7 principles how data can be fairly and lawfully used.
Principle 7 of the DPA clearly states that Data Controllers who subcontract the handling of their data to a third party (a data processor) remain liable at all times for the security of their data. To protect themselves, data controllers must undertake due diligence so they are assured that their processors fulfil the requirements and controls necessary to protect against a data security breach.
Click on the image to download our PDF.

Point of Law – Data Controllers can not subcontract their responsibilities for the safe management of their data.

Every data controller who subcontracts the destruction of data should audit their shredding supplier’s procedures and controls. This due diligence should check, as a bare minimum, that the shredding contractor:
  1. Is registered with the ICO
  2. Complies, as a minimum, with shredding standard EN15713
  3. Only engages staff that are security vetted and trained to BS7858
  4. Has fully incorporated 2. and 3. into the scope of its ISO27001 accreditation
  5. Is independently audited to operate to safe working practices eg ISO18001 or the SafeContractor Scheme
  6. Complies with all EA legislation regarding Waste Carriers Licence
  7. Ensures The Waste Hierarchy Regulations are adhered to
  8. Operates a Corporate Social Responsibility Policy, and;
  9. Provides Certificate of Destruction for every batch destroyed.

If any of the above can not be satisfied a full review should be conducted immediately. If you are interested in getting some more information about improving your data security, live chat now and we will be happy to discuss this with you.

Legislative Summary: The Data Protection Act 1998

Who must adhere to the regulations?

Any organisation, business or person who processes personal data – referred to under the DPA as a ‘data controller’.

They must be:

How to comply:

The DPA states that, at all times, personal data should be processed fairly and lawfully.

Recommended security management and information controls:

What the law covers:

Eight principles governing the:

What is “Personal Data”?

Information that allows the identification of a living individual- i.e. name, date of birth, address, national insurance number, etc.

DPA and information management:

Waste Hierarchy Legislation The Waste (England and Wales) Regulations 2011 (UK)

Offences/ penalties for non-compliance:

For a serious breach of the DPA, the ICO can issue:

A serious breach, deliberate or negligent, is determined based on the volume of personal data and level of sensitivity.

Other criminal offences:

Under section 55, the unauthorised and wilful, or negligent, act of:


The ICO is also seeking prison sentences to further deter unlawful use of personal data.

Secure document retention and disposal guidelines:

The DPA requires data controllers to securely destroy personal data. However, the requirement must take into account other legislations that govern the rules for document retention prior to its secure disposal, and the penalties for noncompliance.

Regulatory document retention periods are in place for:

Recommended inclusions for a document retention policy:

How Topwood can help?

Protecting your confidential business information with Topwood is safe, convenient and cost-effective. It’s also environmentally friendly – all shredded paper and hard drives are recycled.

It is important to bear in mind that the Data Protection Bill was published in Parliament (14.09.17) by Digital Minister Matt Hancock. The EU’s GDPR are fully incorporated into UK law under what will be known as the Data Protection Act 2018 – due to come into effect in May-18.

Is Topwood GDPR Compliant?

The following self-assessment is based on the ICO’s checklist for data processors. A positive response demonstrates that Topwood is compliant with the requirements of GDPR.

SECTION 1: Documentation

1.1 Information Topwood holds. Has Topwood conducted an information audit to map data flows and does Topwood document the personal data it holds, where it came from and who it is shared with? Answer: Yes

SECTION 2: Accountability and governance

2.1 Accountability. Has Topwood an appropriate data protection policy? Answer: Yes

2.2 Data Protection Officer (DPO). Has Topwood nominated a data protection officer? Answer: Yes

2.3 Management responsibility. Do the Directors at Topwood demonstrate support for data protection legislation and promote a positive culture of data protection compliance? Answer: Yes

2.4 Information risks and data protection impact assessments. Does Topwood manage information risks in structured way so that management understands the business impact of personal data related risks and manages them effectively? Answer: Yes

2.5 Data protection by design. Has Topwood the appropriate technical and organisational measures to show data protection is integrated with data processing activities Answer: Yes

2.6 Training and awareness. Has Topwood provided data protection awareness training for all staff? Answer: Yes

2.7 Data processing contract. Does Topwood only process data on the documented instructions of a data controller and there is a written contract setting out the respective responsibilities and liabilities of the controller and Topwood? Answer: Yes

2.8 The use of sub-processors. Does Topwood seek the prior written authorisation from the controller before engaging the services of a sub-processor, and there is a contract in place. Answer: Yes

2.9 Operational base. Topwood only operates within the EU.

2.10 Breach notification. Has Topwood the effective processes to identify and report any personal data breaches to its controllers? Answer: Yes

SECTION 3: Individuals rights

3.1 Right of access. Does Topwood have a process to respond to a controller’s request for information (following and individuals’ request to access their personal data)? Answer: Yes

3.2 Right to rectification and data quality. Does Topwood have the processes to ensure that the personal data held is accurate and up to date? Answer: Yes

3.3 Right to erasure, including retention and disposal. Does Topwood have a process to routinely and securely dispose of personal data that is no longer required, in line with agreed timescales as stated in the your contract with the controller? Answer: Yes

3.4 Right to restrict processing. Does Topwood have controls to respond to data controllers’ request to supress the processing of personal data? Answer: Yes

3.5 Right to data portability. Does Topwood have the capability to respond to a request from a controller to supply the personal data your process and in an electronic format Answer: Yes

SECTION 4: Data security

4.1 Security policy. Does your information security policy supported by appropriate security measures? Answer: Yes

Contact Us

If you would like to find out more about our secure document scanning, shredding and storage solutions call 0800 781 1066 or request a call back using our call back form.

Request a callback
Chat with us

Latest News