Every UK business that processes personal data generates confidential paper documents that must be destroyed before disposal. UK GDPR, the Data Protection Act 2018, and the Information Commissioner’s Office (ICO) guidance all require that personal data on paper documents is rendered irretrievable before the paper enters the waste stream. The regulatory consequence of failing to do so, ICO fines, reputational damage, and, in some cases, criminal liability, make document destruction a compliance requirement that cannot be managed casually.
The commercial question is how to manage document destruction cost-effectively. Most UK businesses currently use one of three approaches: in-house shredding with the shredded material going to general waste or mixed recycling; a confidential waste contractor who collects sacks or locked consoles and destroys the documents off-site; or, the least common but most financially effective approach, in-house shredding with baling of the shredded output for sale to paper recyclers. This article examines the cost and compliance implications of each approach and makes the case for the baling route for businesses generating sufficient document volumes.
Article 5 of UK GDPR requires that personal data is kept secure and processed in a manner that ensures appropriate security, including protection against accidental or unlawful destruction, loss, alteration, or unauthorised disclosure. For paper documents containing personal data, this principle requires that destruction is thorough enough to render the data unrecoverable. The ICO’s guidance specifies that cross-cut or micro-cut shredding provides the appropriate level of destruction for most personal data; strip-cut shredding is considered inadequate because strips can be reassembled.
The required level of shredding depends on the sensitivity of the data. Standard personal data (names, addresses, routine correspondence) requires cross-cut shredding to DIN 66399 level P-4 or higher. Highly sensitive data, including financial information, medical records, and special category data, requires micro-cut shredding to P-5 or higher. Businesses handling highly sensitive data should confirm their shredder specification against these requirements before assuming compliance.
The Three Approaches and Their Costs
In-house shredding to general waste is the baseline: the business owns a shredder, shreds documents as generated, and the shredded paper goes to general waste at a disposal cost. This approach provides compliance but no commercial return from the paper. Shredded paper in general waste pays no recycling revenue and attracts the full disposal cost of the waste stream it joins.
A confidential waste contractor service typically involves locked consoles placed throughout the premises, periodic collection by the contractor, and off-site destruction, with a certificate of destruction provided to the business. The service charge covers collection, destruction, and certification, typically running from £50 to £300 per month for a small to medium business, depending on volume. The environmental outcome varies by contractor; some recycle the shredded paper, others send it to energy recovery.
In-house shredding with baling combines compliance with commercial return. The business shreds documents in-house to the required standard, accumulates the shredded material, and bales it using an on-site baler for sale to paper recyclers. Shredded paper bales are accepted by UK paper recyclers at a modest discount to whole paper, reflecting the slightly shorter fibre length from shredding, but still generate positive revenue rather than a disposal cost.
For businesses considering in-house baling of shredded documents, Gradeall’s G-Eco 250 baler and G-Eco 150 baler handle shredded paper volumes appropriate for mid-size to large office operations, producing bales suitable for commercial paper recycling buyers.
For regulated industries, including financial services, healthcare, legal, and others subject to sector-specific data protection requirements, a certificate of destruction from a third-party contractor may be a compliance or audit requirement, not just a best practice. In-house destruction, even when technically compliant with the shredding standard, does not produce a third-party certificate that an external auditor can verify. Businesses in these regulated sectors may need to retain a confidential waste contractor for audit documentation purposes, even where in-house baling would otherwise be the preferred approach.
“The certificate of destruction question is the practical reason why some large businesses split their approach: in-house destruction with baling for the routine document flow, and a specialist contractor for the high-sensitivity or auditable destruction events,” says Conor Murphy, Director of Gradeall International. “The two approaches are complementary, not mutually exclusive, and the cost-optimal solution depends on the volume balance between the two categories.”
For the non-sensitive paper stream that does not require shredding, whole paper baling through Gradeall’s vertical baler range generates the highest per-tonne return, as whole paper commands a better rate than shredded paper at most UK paper recycling facilities.
There is no regulatory requirement to retain shredded paper after destruction. Once documents have been shredded to the required standard, they can be disposed of or recycled immediately. The retention requirement applies to the data on the documents, not to the physical paper; once the data is destroyed by shredding, the physical medium has no data protection significance. Some businesses retain shredded material briefly while accumulating a bale load, which is entirely appropriate, provided the shredded material is stored securely to prevent reconstruction attempts.
No. Selling unshredded confidential documents to a third party, even a legitimate paper recycler, constitutes a transfer of personal data to a data processor without the data subject’s knowledge or appropriate legal basis. UK GDPR requires that personal data is destroyed before leaving your control unless you have a specific legal basis for the transfer. Paper recyclers are not data processors in the GDPR sense and cannot handle personal data on paper documents they receive. Shred first; bale and sell second.
For standard personal data (P-4), a cross-cut shredder producing particles of approximately 4 by 30 mm is the minimum standard. For sensitive and special category data (P-5 to P-7), a micro-cut shredder producing particles of approximately 2 by 15 mm or smaller is required. For high-volume office environments, a departmental or centralised shredder rather than individual desk shredders provides more consistent compliance because it removes the human decision about which documents require shredding. Specify the DIN 66399 level explicitly when purchasing a shredder.
If you use a confidential waste contractor who provides certificates of destruction, baling the shredded output from your in-house shredding does not affect the contractor’s certificate for their own collection events. The two activities are independent: the contractor certifies destruction of documents they collect; you separately sell baled, shredded paper from your in-house shredding. Keep records of in-house shredding activity (volume, date, shredder specification) alongside the contractor’s certificates to provide a complete audit trail.
Yes, but the methods differ. Digital personal data must be destroyed in a way that renders it irrecoverable, which typically requires secure deletion software (overwriting to DoD 5220.22-M standard or similar) or physical destruction of storage media. Simply deleting files does not destroy the data in most digital storage systems. This is a separate compliance area from paper destruction; a comprehensive data protection compliance programme addresses both physical and digital document destruction in the same policy framework.
← Back to news
Technology for Efficient Waste Management: A Practical Guide
Historic Tyre Dumps: Remediation Strategies for Legacy Waste Sites
Tire Recycling Certification: Global Standards and Quality Management
German Automotive Tyre Recycling Equipment for Operations
This website uses cookies to enhance your experience. Some are essential for site functionality, while others help us analyze and improve your usage experience. Please review your options and make your choice.If you are under 16 years old, please ensure that you have received consent from your parent or guardian for any non-essential cookies.Your privacy is important to us. You can adjust your cookie settings at any time. For more information about how we use data, please read our privacy policy. You may change your preferences at any time by clicking on the settings button below.Note that if you choose to disable some types of cookies, it may impact your experience of the site and the services we are able to offer.
Some required resources have been blocked, which can affect third-party services and may cause the site to not function properly.
This website uses cookies to enhance your browsing experience and ensure the site functions properly. By continuing to use this site, you acknowledge and accept our use of cookies.