Security, privacy and safeguarding of personal data is an underlying theme of the GDPR. That principle applies to how documents containing personal or sensitive personal details are ultimately destroyed.
Personal or sensitive personal records should not exceed their retention periods and should be destroyed in a timely and secure manner. Data Controllers and Data Processors need to demonstrate that records have been destroyed, and have ‘evidence’ of the process that was used for the destruction.
“A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.” ICO
Shredding is the safest solution. Using an outsourced service, such as that provided by Box-it Central, is not only a process that is tracked and conducted in very secure conditions; it is a process that culminates with the issue of Certificates of Destruction.
The GDPR stipulates that you keep a record of your processing activities to demonstrate that you are compliant.
“The GDPR places greater emphasis on the documentation that data controllers must keep to demonstrate their accountability.” ICO
This is outline guidance only. Please refer to the ICO website for detailed information on compliance.