UK GDPR & physical document disposal

Your legal obligation for secure document disposal.

UK GDPR places a clear obligation on every business that processes personal data — including the obligation to dispose of physical documents securely when they are no longer needed. Recycling is not enough. General waste is not enough. Here is what the law requires and how to meet it.

UK GDPR compliant · Certificate of destruction · Dorset · Hampshire · Wiltshire · From £19/month
The UK GDPR disposal obligation — at a glance
Article 5(1)(e) — Storage limitation
Personal data must not be kept longer than necessary. When the retention period ends, it must be disposed of.
Article 5(1)(f) — Integrity & confidentiality
Data must be processed securely — including at disposal. Recycling bins are not secure processing.
Article 5(2) — Accountability
You must be able to demonstrate compliance. A certificate of destruction is the standard evidence.
✓ Clearcut's service meets all three obligations with a certificate issued after every collection
What the law requires

UK GDPR and physical document disposal.

Most discussions of UK GDPR focus on digital data — databases, email systems, cloud storage. But the legislation applies equally to personal data held in physical form. Every client letter, employee payslip, patient record, customer application form and financial document that contains personal data falls under the same data protection framework as digital records.

UK GDPR Article 5(1)(e) sets out the storage limitation principle — personal data must not be retained for longer than necessary for the purpose for which it was collected. When a document has met its retention period, the personal data within it must be disposed of. Article 5(1)(f) requires that this disposal is done securely, in a way that protects the integrity and confidentiality of the data. And Article 5(2) requires that you can demonstrate compliance — which means documented evidence of secure disposal.

"Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures."
UK GDPR Article 5(1)(f)

Placing documents in a recycling bin, a general waste bin, or even a confidential waste bag that is not securely destroyed does not meet this standard. The ICO is clear: secure disposal means destruction that prevents recovery of the personal data.

UK GDPR Article 5(1)(e)
Storage limitation

Personal data must not be kept for longer than necessary. When the retention period for a document has passed, the personal data within it must be disposed of. Keeping records indefinitely — even in a locked filing cabinet — is a breach of this principle.

UK GDPR Article 5(1)(f)
Integrity & confidentiality

Personal data must be handled securely at every stage of its lifecycle, including at disposal. Putting documents in a recycling bag or general waste bin is not secure handling. The standard requires that personal data is destroyed in a way that prevents recovery.

UK GDPR Article 5(2)
Accountability

You must be able to demonstrate that you have complied with UK GDPR. For document disposal, this means having documented evidence of secure destruction — a certificate of destruction from a certified provider is the standard form of this evidence.

UK GDPR Article 9
Special category data — enhanced obligation

Health data, biometric data, criminal conviction data and other special categories require a higher standard of protection. Medical records, DBS certificates, occupational health records and similar documents require the most secure disposal method.

Compliant vs non-compliant disposal

What counts as secure disposal under GDPR.

Not all forms of document disposal meet the UK GDPR security requirement. The distinction matters — and the ICO has investigated organisations for getting it wrong.

✗ Not GDPR-compliant
Placing documents in a general waste bin — contents accessible to anyone
Placing documents in a kerbside recycling bag — not secure until collected
Using an office strip-cut shredder — produces strips that can be reassembled
Giving documents to a colleague to "deal with" — no documented chain of custody
Confidential waste bags collected but not certified — no evidence of destruction
Burning documents on site without documentation — uncontrolled, unverified
✓ GDPR-compliant
Certified off-site shredding with certificate of destruction issued
On-site mobile shredding with witnessed destruction and same-day certificate
Lockable secure bin held on-site between scheduled certified collections
Tamper-evident sacks sealed and collected by a certified shredding provider
Documented retention schedule with certified destruction at end of each period
Certificate of destruction filed with compliance records after every visit
ICO enforcement

The ICO has acted against insecure document disposal.

The ICO has investigated and taken action against organisations of all sizes for data breaches arising from insecure physical document disposal. These are illustrative examples of the type of cases the ICO handles — not an exhaustive list.

Healthcare
Patient records found in public areas

NHS organisations have faced ICO investigation following incidents where patient records were found in public spaces after being incorrectly disposed of — in some cases placed in general waste rather than secure destruction.

Outcome: ICO investigation and enforcement action
Financial services
Client documents in recycling bins

Financial organisations have faced enforcement action after client documents containing personal and financial data were found in accessible recycling bags rather than being securely shredded.

Outcome: ICO investigation and monetary penalty
All sectors
No documented disposal procedure

Organisations unable to demonstrate that personal data was securely disposed of — because they had no documented procedure and no certificates of destruction — face ICO scrutiny even where no specific incident occurred.

Outcome: Enforcement notice and required policy changes
What must be securely disposed of

Documents containing personal data that must be shredded.

Any document that identifies or could identify a living individual is personal data under UK GDPR and must be disposed of securely at end of retention. This includes:

Client correspondence
Employee records
Patient records
Financial records with personal details
Payslips
Bank statements
Application forms
CVs & interview notes
Right-to-work documents
DBS certificates
Medical records
Prescription forms
Insurance documents
Legal correspondence
Contracts with personal data
Tax returns & P60s
Resident care records
Pupil educational records
Complaints files
Invoices with personal details
How Clearcut meets the obligation

Five steps from collection to compliance.

Our service is designed specifically to meet the UK GDPR obligation for secure physical document disposal — with a certificate of destruction at the end that closes the loop on your accountability requirement.

1. Free tamper-evident sacks or lockable bin
   Documents placed in secure, sealed containers — not accessible once sealed
2. Secure collection on agreed date
   Collected by our team — chain of custody maintained throughout
3. Transport to certified facility
   Secure transit — documents remain inaccessible during transport
4. Certified destruction beyond recovery
   Documents shredded to a standard that prevents recovery of personal data
5. Certificate of destruction issued
   Automatic — no request needed — meets the GDPR accountability requirement
Plans & pricing
Solo (Home workers · Sole traders): £19/mo
Starter (Small offices · Low volume): £33/mo
Business (Offices & practices): £74/mo
One-off (No contract needed): £45+
12-month rates shown. All plans include certificate of destruction.
Common questions

GDPR document disposal FAQs

Does UK GDPR require businesses to shred documents?
UK GDPR requires that personal data is disposed of securely — in a way that prevents recovery. Certified shredding with a certificate of destruction is the standard method used to meet this requirement. Recycling or general waste disposal does not meet the security standard.
Can I recycle documents containing personal data?
No. Placing documents containing personal data in a recycling bin does not meet UK GDPR's security requirement. Recycling bags can be accessed before collection, and paper recycling processes do not guarantee destruction of readable content. Certified shredding is the required standard.
Does GDPR apply to small businesses and sole traders?
Yes. UK GDPR applies to every organisation that processes personal data, regardless of size. A sole trader with one client and a large organisation with thousands of customers have the same obligation to dispose of personal data securely.
What is the ICO's position on document disposal?
The ICO's guidance requires organisations to have documented procedures for the secure disposal of personal data. The ICO has investigated and taken action against organisations of all sizes — including small businesses — for insecure document disposal, including cases where documents were placed in recycling or general waste.
How much does GDPR-compliant document disposal cost?
Clearcut's GDPR-compliant shredding service starts from £19/month for sole traders on a 12-month scheduled plan. One-off collections from £45. All prices are published upfront with no hidden fees. A certificate of destruction is included with every collection.

Meet your GDPR disposal obligation from £19/month.

Certified shredding with automatic certificate of destruction across Dorset, Hampshire and Wiltshire. Same-day quote confirmed.

Get a quote
We respond within 2 hours

    Clearcut Confidential Waste 

    89 Commercial Road, Bournemouth, England, BH2 5RR

    Office@Clearcutconfidentialwaste.co.uk

    01202 022409

    © 2026 Clearcut Confidential Waste