Businesses are still mishandling paperwork and devices containing personal information…

GDPR came into effect in the UK in May 2018. Years have passed, yet hundreds of UK businesses are still breaching data by not securing paperwork and devices.

The Data Security Incident Trends report published by the Information Commissioner’s Office indicates that there were 1,332 data breaches reported in Q1 and Q2 of 2023 caused by the loss, theft, or incorrect disposal of paperwork or devices containing personal data. Of these, 1,014 of the businesses that suffered the breaches faced action from the ICO. A further 37 are under investigation. The highest number of incidents were reported in the health sector, followed by the education and childcare sector. Some of the most sensitive personal information available is held by these two sectors, so this is a cause for great concern.

Data security industry trends by sector

With GDPR now firmly engrained into the UK business landscape, it raises two questions. First, why is this still happening? The second is how can we prevent it?

Improve employee awareness around GDPR.

Data breaches often occur because of human error. Ensuring GDPR is on your employees’ minds is the best way to avoid human error occurring. One way to do this is by providing GDPR training. At Shred Station, every employee is trained around GDPR and its core principles as part of their onboarding. We also provide training on EN 15713 security shredding standards. However, as time goes on, we also believe it’s important to provide bite-size refresher training to ensure these principles are not forgotten. One platform we highly recommend is uSecure. This platform has an extensive ready-built course library including training in all key areas of information security. It also has the ability for you to create custom courses. You can even use the platform to conduct phishing tests, identifying any employees who may need extra help in recognising other information security red flags.

Another way to get employees thinking about GDPR is by using dedicated bins for confidential waste. This is especially important for employees who process a lot of paperwork. By positioning confidential waste bins around your premises and displaying awareness posters about what can and cannot be placed inside them, you can keep document and device security at the forefront of your employees’ minds.

Implement a ‘Shred Everything’ policy.

Implementing a ‘Shred Everything’ policy will reduce the risk of human error. Destroying all paper or devices you no longer need will prevent employees from making the wrong judgement call when it comes to whether documents or devices should be treated as confidential. It will also help to ensure you are not keeping any personal information longer than is necessary. This is another requirement of GDPR (Principle E).

You can further improve the security of your unwanted devices and documents by outsourcing their destruction. Reputable and fully accredited shredding service suppliers will be able to provide regular or one-off services to suit you. The right company will provide the option of on-site shredding or off-site, giving you the option to witness the destruction as it occurs or to simply have it taken away for destruction at a secure facility. By using a shredding service, you entrust your confidential materials into the safe hands of security-vetted personnel and ensure you receive proof of destruction. This proof of destruction will serve as evidence of compliance with GDPR.


Sign up for our newsletter to receive alerts about new blog articles, data protection advice, and Shred Station news.