GDPR is not only about how personal data is collected and stored. It also covers what happens at the end of the lifecycle. When personal data is no longer needed, it still needs to be protected right up to the point it is destroyed.
This guide explains what secure disposal looks like in day-to-day business, how to set up a routine that staff will actually follow, and what proof to keep on file.
Start with the obvious, then include the awkward places:
If you do not know where personal data lives, it is hard to dispose of it safely.
You do not need a massive policy. You need clarity.
A short table is enough:
The goal is consistency. Without it, paper piles up and old devices sit in cupboards for years.
Old files still contain personal data. Devices still hold data. If material is waiting to be destroyed, it still needs protection against loss, theft, or unauthorised access.
For day-to-day paper disposal, locked consoles keep confidential paper secure between collections.
For bulk clear outs, pick one secure holding area and stage everything there before the visit. Avoid spreading boxes across floors.
We shred paper on-site using mobile shredding trucks.
For regular shredding, paper is collected from secure units and destroyed as part of the scheduled process.
For one off clear outs, locked bins are used during handling and shredding is completed on your premises before we leave.
Deleting files and formatting devices are not the same as destruction.
For secure on-site IT destruction, data-bearing media is physically shredded on your premises under controlled handling. Media is supervised throughout the visit and is shredded into 20mm fragments, with 6mm available on request.
Proof is where organisations often slip. Destruction happens, then the record is lost.
For paper shredding, Certificates of Destruction are supplied after each visit or on a monthly or annual basis, depending on the service setup.
For secure on-site IT destruction, a Certificate of Destruction is provided after every job.
A simple folder structure:
Compliance → Data Disposal → Certificates of Destruction → Year → Month
If you manage multiple sites, include the site name in the file name.
A quick check keeps the routine working:
This takes minutes and prevents problems building up.
If shredding is outsourced, the organisation still carries the responsibility for choosing a secure provider and keeping evidence.
Practical checks usually include:
We are NAID AAA certified, ISO 9001 accredited, and EN15713 accredited. Our shredding staff are Garda vetted. Our vehicles use slam lock door systems and GPS tracking.
“All confidential paper records and data-bearing devices that are no longer required for business or legal purposes must be disposed of securely. Paper is placed into secure units and destroyed through scheduled shredding, or through a one off clear out when required. Data-bearing devices are destroyed through on-site media shredding. Certificates of Destruction are filed in the compliance folder to support audit and accountability.”
Yes. If a paper record contains personal data, it needs the same care as digital records.
Not always. Many organisations choose physical destruction to remove doubt and close the loop properly.
Certificates of Destruction, plus a short internal note of what was destroyed and when.
Yes. Certificates are supplied after each visit or on a monthly or annual basis, depending on the service setup.
Yes. A Certificate of Destruction is provided after every IT destruction job.
Yes. Asset tracking can be provided, with or without video evidence if required.
