What Documents Must Be Shredded Under GDPR? | Clearcut Confidential Waste
If you’re running a business in Dorset, Hampshire or Wiltshire and you’re not sure which documents need to be securely shredded, you’re not alone. GDPR can feel complicated — but the core principle is straightforward. If a document contains personal data, you are legally responsible for disposing of it securely. That means a recycling bin, a general waste bin, or an office shredder almost certainly isn’t good enough.
This guide cuts through the jargon and tells you exactly which documents your business must shred, how long you should keep them before destroying them, and what happens if you get it wrong.
Why GDPR requires secure document destruction
The UK General Data Protection Regulation — UK GDPR — came into force after Brexit and places a legal obligation on every business that handles personal data. Under UK GDPR, personal data must be kept securely and disposed of securely when it is no longer needed.
Article 5 of UK GDPR states that personal data must be kept in a form that allows identification of individuals for no longer than is necessary. Once that period ends, the data must be destroyed — and destroyed in a way that means it cannot be reconstructed or read.
Throwing a document in the bin does not meet this standard. Neither does a basic office shredder in most cases — strip-cut shredders in particular produce strips that can be reassembled. A professional confidential shredding service with a certificate of destruction is the only reliable way to demonstrate compliance.
What counts as personal data on a document?
Under UK GDPR, personal data is any information that can identify a living individual, either on its own or combined with other information. On a physical document, this includes:
- Full names
- Home or work addresses
- Email addresses
- Phone numbers
- Date of birth
- National Insurance numbers
- Bank account or payment card details
- Medical or health information
- Employee records and HR files
- Customer account numbers or references
- Signatures
- IP addresses printed on documents
- Any combination of details that together identify a person
If a document contains any of the above, it falls under UK GDPR and must be disposed of securely.
Which documents must be shredded?
Here is a straightforward breakdown by document type. If your business produces any of these, they need to go into a secure shredding process — not a recycling bin.
Customer and client records
Any document containing customer names, addresses, account details, purchase history, correspondence or contact information must be shredded. This applies whether the customer is a business or an individual. Client files, quotations, invoices, statements and letters all fall into this category.
Employee and HR documents
HR departments produce some of the most sensitive documents in any organisation. Employment contracts, payslips, performance reviews, disciplinary records, absence records, application forms, references, DBS check results and redundancy paperwork all contain personal data and must all be shredded securely. This applies to current and former employees.
Financial documents
Bank statements, payment receipts, invoices, credit card slips, expense claims and financial reports containing personal or account information must be shredded. Many businesses keep these for the required HMRC retention period — typically six years — and then dispose of them without thinking about GDPR. Disposal still needs to be secure.
Medical and health records
For GP practices, dental surgeries, pharmacies, care homes and any other healthcare providers, patient records are among the most sensitive documents in existence. These must be shredded in line with both UK GDPR and NHS Records Management guidelines. The same applies to occupational health records held by employers.
Legal documents
Solicitors, conveyancers and legal firms handle documents containing highly sensitive personal and financial information. Contracts, wills, deeds, court documents, case files and correspondence must all be destroyed securely when no longer required. Many law firms in Dorset and Hampshire are legally required to maintain records for specific periods — once those periods end, secure destruction is mandatory.
Student and pupil records
Schools, colleges and universities hold significant volumes of personal data on students, pupils and parents. Exam results, attendance records, SEND documentation, safeguarding records and parental correspondence all contain personal data and must be shredded securely when the relevant retention period ends.
Marketing and sales documents
Printed prospect lists, marketing databases, lead generation forms, event sign-up sheets and any other document containing contact details collected for marketing purposes must be disposed of securely. Under UK GDPR, you also need a lawful basis for holding this data in the first place — but when you no longer need it, shredding is required.
General office documents
Day-to-day paperwork that might seem routine can still contain personal data. Meeting notes that reference individuals, internal memos, printed emails, delivery notes with addresses, and even compliment slips with signatures can all fall under UK GDPR depending on their content. When in doubt, shred it.
How long should you keep documents before shredding?
UK GDPR does not set a single retention period for all documents — it depends on the type of document and any other legislation that applies. Here are the most common retention periods for businesses in the UK:
- Employee records — 6 years after employment ends
- Payroll records — 3 years minimum (HMRC requirement)
- Financial and accounting records — 6 years (Companies Act)
- VAT records — 6 years
- Customer contracts — 6 years after contract ends
- Job applications (unsuccessful) — 6 months to 1 year
- Health and safety records — 3 years minimum
- Medical records (NHS) — varies, typically 8–10 years for adults
- Student records — varies by institution, typically 7 years after leaving
Once these periods end, the documents should be destroyed. Keeping personal data longer than necessary is itself a breach of UK GDPR — you do not need to wait for a data breach to fall foul of the ICO.
What happens if you don’t shred documents correctly?
The Information Commissioner’s Office — the ICO — has the power to issue fines for breaches of UK GDPR. Fines can reach up to £17.5 million or 4% of global annual turnover, whichever is higher, for the most serious breaches.
In practice, most fines issued to small and medium businesses are significantly lower — but the reputational damage of a data breach can be far more costly than any fine. If personal data from your business ends up in the wrong hands because documents were not disposed of correctly, you are required to notify the ICO within 72 hours and potentially notify the individuals affected.
Real examples of ICO enforcement action include fines issued to organisations that disposed of patient records in general waste, businesses that left confidential documents in skips during office clearouts, and companies that failed to implement adequate destruction processes for HR records.
The simplest way to protect your business is a confidential shredding service that issues a certificate of destruction after every collection. That certificate is your evidence — if the ICO ever investigates, you can demonstrate that documents were destroyed securely and on schedule.
What is a certificate of destruction and why do you need one?
A certificate of destruction is a document issued by your shredding provider after every collection. It confirms the date of collection, the volume of material destroyed, and that destruction was carried out at a certified facility in compliance with UK GDPR.
This certificate is your audit trail. If your business is ever audited by the ICO, inspected by a client as part of their supplier due diligence, or challenged following a data breach allegation, the certificate of destruction is your proof that you took your legal obligations seriously.
At Clearcut Confidential Waste, every collection — whether a one-off clearout or a regular scheduled service — includes a certificate of destruction as standard. There is no additional charge for this.
How Clearcut can help businesses across Dorset, Hampshire and Wiltshire
If your business produces any of the documents listed in this guide, you need a reliable confidential shredding service you can count on. Clearcut Confidential Waste provides scheduled collections, one-off clearouts and bulk archive destruction for businesses and households across Dorset, Hampshire and Wiltshire.
Our prices are published upfront — no waiting for a callback, no hidden fees. Collections start from £39 per month for a regular service or £45 for a one-off collection. Every collection includes secure sacks, collection from your premises, certified destruction and a certificate of destruction.
We work with legal firms, GP practices, schools, accountants, HR departments, financial services businesses and many other organisations across the region who need a dependable, compliant shredding service they can trust.
Summary — the documents your business must shred
To keep it simple, if a document contains any personal data about a customer, employee, patient, student or supplier — and it has reached the end of its required retention period — it must be securely destroyed. The only compliant way to do this is through a certified confidential shredding service that issues a certificate of destruction.
Do not put it in the recycling bin. Do not rely on a basic office shredder. And do not leave it until a data breach forces your hand.
Ready to arrange confidential shredding for your business in Dorset, Hampshire or Wiltshire?