Secure Document Disposal UK: Shredding vs Digital Deletion

Document disposal is the final step in the retention lifecycle — and it's one of the most common sources of GDPR breaches. Our document management GDPR compliance guide covers the full framework. This article covers the disposal step specifically.

Why Disposal Matters Under GDPR

UK GDPR requires that personal data is erased when it's no longer needed for its original purpose. Keeping data longer than necessary is a breach of the storage limitation principle. But the method of disposal matters as much as the timing — improper disposal is a separate breach in itself.

The ICO has issued fines and reprimands for documents found in public recycling bins, general waste, skips during office moves, and paper sacks left outside premises for collection by unauthorised parties. Each of these is a reportable breach, potentially affecting multiple individuals' personal data.

Paper Disposal: What You Need to Know

The recycling bin problem

Putting documents containing personal data in a recycling bin — even a confidential recycling sack — without shredding first is risky. Recycling sacks can be opened. Documents can be reconstructed from strips. The ICO's position is clear: personal data must be rendered unreadable before disposal.

Shredding standards

Not all shredders are equal. The relevant standard is DIN 66399, which defines security levels from P-1 (strip cut, strips 12mm wide — reconstructable) to P-7 (particles of 1mm² — used for top-secret government documents).

  • P-2 / P-3: Strip cut, strips 5.8mm or narrower. Minimum for personal data but strips can theoretically be reassembled.
  • P-4 (cross-cut): Particles 160mm² or smaller. Appropriate for most business personal data. The ICO recommends a minimum of P-4 for personal data.
  • P-5 (micro-cut): Particles 30mm² or smaller. Recommended for sensitive personal data (health records, financial data, employee records).

In-house shredding

A P-4 or P-5 cross-cut shredder for the office: £80–300 for a desktop model, £500–2,000 for a high-capacity department shredder. Suitable for regular ongoing disposal of moderate volumes. Limitation: requires staff to use it consistently — documents left in "to shred" piles for weeks defeat the purpose.

Confidential waste sacks with collection

Lockable consoles in the office, collected by a certified shredding company. Documents placed in the console are shredded off-site by the collection company, which provides a certificate of destruction. Cost: typically £20–60/month for regular collection from a small office. The certificate of destruction is useful evidence for GDPR accountability.

On-site mobile shredding

A shredding company brings a shredding vehicle to your premises. Documents are shredded on-site, you watch it happen, you receive a certificate of destruction immediately. Most secure option for large one-off disposal projects (office moves, archive clearances). Cost: typically £100–300 for a van visit.

Digital Disposal: What Counts as "Deleted"

Simply pressing delete does not securely dispose of digital personal data. Deleted files go to the Recycle Bin. Emptying the Recycle Bin removes the file entry but the data typically remains on disk until overwritten. On cloud platforms, "deleted" files are often retained for 30–90 days in a recoverable state.

DMS deletion

In a properly configured DMS, deletion triggered by a retention policy should create an audit log entry confirming permanent deletion, and the data should be removed from all backups within the backup retention period. Confirm with your DMS vendor what "deleted" means: is it permanent deletion or soft deletion (recoverable for a period)?

Cloud storage deletion

SharePoint and OneDrive: deleted items go to the Recycle Bin (93-day recovery period by default). After that, items go to the second-stage Recycle Bin (another 93 days). Only after both stages does deletion become permanent — approximately 6 months after initial deletion. For GDPR disposal purposes, you need to actively empty both Recycle Bin stages to confirm permanent deletion.

Devices and storage media

When decommissioning computers, servers, or storage devices: simply deleting files or even formatting a drive is not sufficient — data recovery tools can retrieve deleted data from a drive that has only been formatted. Use certified data wiping tools (NCSC recommends data wiping to HMG IS 5 baseline for sensitive data) or physical destruction (degaussing, shredding hard drives) for highly sensitive data.

Keeping a Destruction Record

Maintain a record of what was destroyed, when, by what method, and who authorised it. For paper: the certificate of destruction from your shredding company. For digital: the audit log entry from your DMS confirming deletion. This record is your evidence of compliance if the ICO ever asks why you no longer hold certain data.
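The DMS deletion, recovery-window and destruction-record points above, worked as an added example (not code from the article or any DMS vendor): retention-driven deletion moves records from active to soft-deleted to purged, the recovery window is a constructed 93 days mirroring the first-stage Recycle Bin figure, the retention schedule and record data are hypothetical, and the final function lists purged records that have no destruction record to evidence them.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical retention schedule (years to keep after creation); a real
# schedule comes from your own retention policy, not from this example.
RETENTION_YEARS = {"invoice": 6, "hr_file": 6, "web_enquiry": 1}
# Soft-deleted items stay recoverable this long before they are purged.
RECOVERY_WINDOW = timedelta(days=93)

@dataclass
class Record:
    record_id: str
    category: str
    created: date
    state: str = "active"                 # active -> soft_deleted -> purged
    soft_deleted_on: Optional[date] = None

def retention_ends(rec: Record) -> date:
    """Date the record's retention period ends (29 Feb rolls back to 28 Feb)."""
    target_year = rec.created.year + RETENTION_YEARS[rec.category]
    try:
        return rec.created.replace(year=target_year)
    except ValueError:
        return rec.created.replace(year=target_year, day=28)

def run_retention(records, today, authorised_by, audit):
    """Soft-delete expired records, purge those past the recovery window, and
    write one audit entry per state change: what, when, by what method, who."""
    for rec in records:
        if rec.state == "active" and today >= retention_ends(rec):
            rec.state, rec.soft_deleted_on = "soft_deleted", today
            audit.append({"record_id": rec.record_id, "action": "soft_delete",
                          "date": today, "method": "dms_recycle_bin",
                          "authorised_by": authorised_by})
        elif (rec.state == "soft_deleted"
              and today - rec.soft_deleted_on >= RECOVERY_WINDOW):
            rec.state = "purged"
            audit.append({"record_id": rec.record_id, "action": "permanent_delete",
                          "date": today, "method": "dms_purge",
                          "authorised_by": authorised_by})

def missing_destruction_records(records, audit):
    """IDs of purged records with no permanent_delete audit entry: the
    evidence gap the destruction record exists to close."""
    evidenced = {e["record_id"] for e in audit if e["action"] == "permanent_delete"}
    return sorted(r.record_id for r in records
                  if r.state == "purged" and r.record_id not in evidenced)
```

Run `run_retention` on each scheduled pass and keep `audit` as the append-only destruction log; a non-empty result from `missing_destruction_records` means data was removed without the evidence you would need to show the ICO.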

Automate retention and deletion

A DMS with retention policies handles disposal automatically with a full audit log.