Data breaches remain a persistent issue in the UK, with the Information Commissioner’s Office (ICO) receiving over 11,680 personal data breach reports in 2023/24 alone.
While many breaches are cyber-related, a significant proportion is due to human error and poor organisational processes, including the mishandling of physical records and devices.
Ahead of Data Privacy Day on January 28th, confidential waste experts at BusinessWaste.co.uk highlight how businesses’ weak waste disposal policies can compromise GDPR compliance, and explain what organisations should be doing to ensure customer data is protected during waste disposal.
Under UK GDPR, organisations are required to protect personal data throughout its entire lifecycle, including when it is no longer needed and must be disposed of. However, in practice, many organisations focus heavily on cyber security measures rather than on correct waste disposal.
Guidance from the ICO clearly states that personal data must be destroyed securely and irreversibly. Yet as many as 200,000 paper records, old laptops, hard drives, and storage media are disposed of in general waste each year and end up in landfill. This is not only harmful to the environment, but also a serious security risk. The responsibility for any resulting data breach remains with the data controller, even if the breach occurs after the waste has been collected.
How common is physical data loss?
While official breach statistics do not always categorise incidents by disposal method, research does show that paper records are a major source of data exposure.
Last year, several UK councils reported more than 2,400 data breaches, with many incidents linked to lost paperwork, devices, or procedural failures rather than hacking. These figures show that while cybersecurity incidents are much more common, physical data loss remains a widespread issue.
What should organisations be doing?
Current guidance under the UK GDPR and the Data Protection Act 2018 advises organisations to:
- Implement clear internal policies covering the disposal of paper records and data-bearing devices
- Use secure shredding and certified destruction services for confidential waste
- Maintain audit trails for disposal, particularly during office moves, refurbishments, or IT refreshes
- Carry out due diligence and regular checks on third-party waste contractors
- Treat disposal as part of GDPR compliance, not a facilities or housekeeping issue
Why is this important for businesses?
If businesses don’t have a strict waste disposal policy, the result could be a data breach, followed by regulatory investigations as well as reputational damage. GDPR penalties can reach up to £17.5 million or 4% of global turnover, which turns disposal failures into a severe, high-impact risk.
Customers expect that their personal data is protected at all times, including when it is thrown away. Weak waste policies can undermine trust, even if organisations have strong cybersecurity policies in place.
Mark Hall, Waste Management expert at BusinessWaste.co.uk, said, “Most data breaches we hear about are treated as technical failures, but many of the risks we see are behavioural. It’s not that organisations don’t care about data protection, it’s that disposal is often handled by different teams, with less training and less scrutiny.”
“What catches many businesses out is that they think once paperwork is thrown away, no one will see it. In reality, if you can’t provide evidence of how data was destroyed, you can’t provide evidence of your compliance. From a regulatory perspective, that’s a serious weakness.”
“The organisations that get this right don’t treat disposal as a housekeeping task; they plan it into projects from the start, budget for it properly, and make sure someone is accountable. That approach protects customers, but it also protects the organisation when something goes wrong.”