Your 5 Step Guide to GDPR and Data Destruction

The EU’s GDPR (General Data Protection Regulation) is fully incorporated into UK law under what will be known as the The Data Protection Act 2018 and came into effect on 25th May 2018. One of the biggest differences from The Data Protection Act is the greater liability placed on data processors, which if breached could result in much higher fines of €20 million or 4% of a firm’s global turnover (whichever is greater). We have created a guide to GDPR and Data Destruction for your information.

It has been one month since GDPR became effective – has it affected your organisation? It has been reported that companies are still not doing enough to protect their data. Storing their back up tapes and back up disks in the same location as the original data poses a huge risk to data loss, fire, theft or a data breach. Beaming has found that 83 per cent of UK firms back up their data, however only half of them save it to servers or storage devices in the same location as the original data. The General Data Protection Regulation, which enforces greater need for secure data storage to mitigate risk of a data breach or data loss, has already affected numerous large organisation in the UK including Dixons Carphone, BT, Yahoo and Gloucestershire Police. Equally as important as the secure electronic storage of data storage, is the physical storage of files and documents. This is most evident with the recent Windrush Scandal, the Home Office has been accused by Stephen Doughty MP of having a poor track record of losing important documents such as passports and birth certificates, which has detrimental impacts on individuals. This is an example on a huge scale of how poor storage of data and a lack of data processing can result in a data breach or loss. We created a 5 step guide to help organisations prepare for the changes in the Data Protection Act as detailed below. Is your organisation compliant?

Download our 5 step guide to GDPR and Data Protection.

1. Create awareness of new rules

Creating awareness within your organisation of the new rules is the first step to making sure you are compliant with GDPR. Organisations need to make sure all employees (paricularly decision makers) are aware of the new rules that came into effect on 25th May 2018 and the risks involved in non-compliance.

2. Define all data processing within the organisation

There are a number of key areas within all organisations that involve processing data. Below demonstrates just a few.

3. Analyse and assess each area of data processing

To ensure all parts of your organisation comply with the new GDPR regulations, it is key that data processing has been thoroughly assessed to eliminate risk. We will provide some guidance on assessing the data destruction aspect of your organisation in point four. An organisation should engage with the following actions:

Conduct an audit review on your organisations destruction policy

Is this communicated effectively to all employees?
  • Identify what types of data is being controlled or destroyed? There are many different types of data that are held by organisations:
    • Basic personal identification including name, age and address.
    • Web data, IP addresses
    • Cookie data
    • Health + genetic data
    • Racial or ethnic data
    • Political opinions
    • Sexual orientation
  • Identify who has access to the data? (internal personnel, 3rd party outsourced?)
  • How long should you keep you data for? Do you have retention scheduling?

After conducting an audit of your data processes, you should now know exactly where your data is being outsourced to, whether that is storage facilites, data destruction facilities and any other 3rd party facilities. The next step would be to audit your data destruction process.

4. Guidance on a Secure Destruction Process

One of the biggest differences in the new GDPR compared to the existing Data Protection Act is the increased liability and fines for data breaches. There is likely to be a significant shift in focus towards preventative measures and auditing how and where your data is destroyed and stored. Most organisations will need to review the GDPR shredding requirements to reduce risk of data breaches and be compliant with the new Data Protection Act 2018 Topwood has provided a comprehensive guide to a secure destruction process.

1. Create a standard policy and communicate it to employees. For example this could include a poster outlining your shred all and clear desk policies. Download our free poster to place above your confidential waste bins here. This will reinforce awareness and reduce risk of human error when it comes to data breaches.

2. Once no longer required, employees should safety dispose of documents or media in shredding receptacles (locked consoles and wheelie bins where there is no access to the documents once deposited).

3. A 3rd party data destruction specialist and vetted staff will collect your documents and media and shred on-site for the shortest chain of custody.

4On-site document shredding is the most secure method of data destruction and offers shredding at the highest security standard.

5. At the end of the data destruction process, you should receive a Certificate of Destruction, for your duty of care and information to conform to the new GDPR regulations.

What Shred Size is GDPR Compliant?

There is no regulation in place enforcing a shred size that is GDPR compliant. GDPR is a new part of The Data Protection Act 2018 that requires all organisations to ensure their data is secure and not breached or shared without the individual’s permission. Shredding at the highest security level (DIN level P-4) and document shredding on-site, ensures the shortest chain of custody and significantly reduces the risk of a data breach. Strip cutting or using a small office shredder not only wastes employee time and the organisation’s money but also increases the risk of a breach as the shredded paper can be pieced back together. These methods of document destruction could be classed as failing to comply with GDPR standards. Under the new Data Protection Actshredding confidential data and waste should be enforced to the highest standards by all organisations. Using an ISO 27001 accredited shredding company will ensure your confidential data shredding processes are compliant to GDPR and The Data Protection Act. If you would like a quote for one of our GDPR compliant shredding services, chat online now

5. Auditing 3rd party organisations

Once a secure data destruction process is in place, your organisation should be auditing your 3rd party organisations. Some key questions to ask would include; where does my waste go? Is it being destroyed on-site? Is it being destroyed off-site? If off-site, have I audited the facilities? Please see our guide to identify if you have a compliant Shredding contractor. Click on the thumbnail to download our GDPR Data Destruction Audit Template

If you would like more information about how to become GDPR compliant, contact us on 0800 781 1066 or email us at

Related Articles

On-Site Document Shredding Bulk Scanning Document Storage