Topwood Ltd
Freephone 0800 781 1066

Your 5 Step Guide to GDPR and Data Destruction

The Data Protection Bill was published in Parliament last week (14.09.17) by Digital Minister Matt Hancock. The EU's GDPR are fully incorporated into UK law under what will be known as the The Data Protection Act 2018 - due to come into effect 25th May 2018. One of the biggest differences from The Data Protection Act is the greater liability placed on data processors, which if breached could result in much higher fines of €20 million or 4% of a firm's global turnover (whichever is greater). We have created a guide to GDPR and Data Destruction for your information.


Download our 5 step guide to GDPR and Data Protection.


1. Create awareness of new rules

Creating awareness within your organisation of the new rules is the first step to making sure you are compliant with GDPR. Organisations need to make sure all employees (paricularly decision makers) are aware of the new rules coming into effect on 25th May 2018 and the risks involved in non-compliance.


2.  Define all data processing within the organisation 

There are a number of key areas within all organisations that involve processing data. Below demonstrates just a few.



3. Analyse and assess each area of data processing

To ensure all parts of your organisation comply with the new GDPR regulations, it is key that data processing has been thoroughly assessed to eliminate risk. We will provide some guidance on assessing the data destruction aspect of your organisation in point four.

An organisation should engage with the following actions:

  • Conduct an audit review on your organisations destruction policy
    • Is this communicated effectively to all employees?
  • Identify what types of data is being controlled or destroyed? There are many different types of data that are held by organisations:
    • Basic personal identification including name, age and address. 
    • Web data, IP addresses
    • Cookie data
    • Health + genetic data
    • Racial or ethnic data
    • Political opinions
    • Sexual orientation
  • Identify who has access to the data? (internal personnel, 3rd party outsourced?)
  • How long should you keep you data for? Do you have retention scheduling?


After conducting an audit of your data processes, you should now know exactly where your data is being outsourced to, whether that is storage facilites, data destruction facilities and any other 3rd party facilities.

The next step would be to audit your data destruction process.


4. Guidance on a Secure Destruction Process

One of the biggest differences in the new GDPR compared to the existing Data Protection Act is the increased liability and fines for data breaches. There is likely to be a significant shift in focus towards preventative measures and auditing how and where your data is destroyed and stored. Most organisations will need to review the GDPR shredding requirements to reduce risk of data breaches and be compliant with the new Data Protection Act 2018 

Topwood has provided a comprehensive guide to a secure destruction process.

1. Create a standard policy and communicate it to employees. For example this could include a poster outlining your shred all and clear desk policies. Download our free poster to place above your confidential waste bins here. This will reinforce awareness and reduce risk of human error when it comes to data breaches.

Once no longer required, employees should safety dispose of documents or media in shredding receptacles (locked consoles and wheelie bins where there is no access to the documents once deposited). 

3. A 3rd party data destruction specialist and vetted staff will collect your documents and media and shred on-site for the shortest chain of custody.

4. On-site shredding is the most secure method of data destruction and offers shredding at the highest security standard.

5. At the end of the data destruction process, you should receive a Certificate of Destruction, for your duty of care and information to conform to the new GDPR regulations.


5. Auditing 3rd party organisations

Once a secure data destruction process is in place, your organisation should be auditing your 3rd party organisations. Some key questions to ask would include; where does my waste go? Is it being destroyed on-site? Is it being destroyed off-site? If off-site, have I audited the facilities? Please see our guide to identify if you have a compliant Shredding contractor.

Click on the thumbnail to download our GDPR Data Destruction Audit Template


If you would like more information about how to become GDPR compliant, contact us on 0800 781 1066 or email us at


Free No Obligation Quote

Please call Free on 0800 781 1066 or email sales@topwoodltd - you might be surprised at how cost effective our services are!


Related Articles

On-Site Document Shredding

Bulk Scanning

Document Storage


Topwood Blog

Contact Us