7 mistakes when destroying business documents
Destroying documents seems simple, but it is precisely in the details that things go wrong. A stack in the paper recycling, an office shredder that cuts too coarsely, or destruction without any proof. They are small choices with large consequences. These are the seven mistakes we come across most often, and for each one how to do it right.
The quick answer. Most mistakes come down to three things. You destroy too coarsely, you destroy at the wrong moment, or you destroy without demonstrable proof. Whoever has those three in order meets the GDPR and prevents a data breach. Below we work them out into seven concrete pitfalls, and each one is easy to fix once you recognise it.
Mistake 1. Putting confidential paper in the recycling
The classic. A full box of old quotes, personnel records or customer data disappears into the blue container or the paper recycling. An open bin is not destruction. Until the moment the paper is processed, everything stays readable, and a container that tips over or a stack that leaves with the wrong person is a reportable data breach. The route from the office to the recycling plant runs through many hands, and you have no control over any of them. Collect confidential paper in a closed bin instead and have it destroyed as a confidential volume. What does and does not belong in the paper bin is set out in what does not belong in the paper bin.
Mistake 2. Relying on a strip-cut office shredder
An office machine that cuts straight strips feels safe but is not. Strip-cut leaves long strips behind that, with a little patience, can be reconstructed, certainly for a single sensitive document. For confidential material you choose cross-cut at the right level, which turns a page into hundreds of small particles rather than a handful of readable ribbons. Which level you need is explained in cross-cut versus strip-cut and DIN 66399 explained. For volume or genuinely sensitive data you have it destroyed externally on an industrial scale.
Mistake 3. Destroying too early and breaching a retention obligation
Clearing out is good, but clearing out too enthusiastically can cost you dearly. The administration falls under the seven-year tax retention obligation, and some documents under a longer period. If you throw away an invoice or a contract too early, you are left empty-handed at an audit or in a dispute. Test every category against its period before you destroy it, and note down which documents may go and when. The overview is in the GDPR retention periods cheatsheet and the 7-year tax retention obligation.
Mistake 4. Destroying too late and keeping data forever
The opposite mistake happens just as often. Boxes of old files stay put for years because nobody knows whether they may go. The GDPR sets a storage limitation, so personal data is kept no longer than necessary. An archive that only keeps growing is a risk that keeps growing, because in a data breach everything is out that you could have cleared away. Plan a fixed moment to destroy files that have passed their period, so the backlog never builds up again. How to tackle that is set out in the archive clean-up step-by-step plan.
Mistake 5. Forgetting the data carriers
Document destruction has long been about more than paper. Old hard drives, USB sticks, backup tapes, phones and the fixed disk in a multifunction printer often hold the same data as the paper. Wiping, moreover, is not the same as destroying, because deleted files can be recovered from a drive that still works. Take data carriers into your destruction policy as standard and have them physically destroyed. Why wiping falls short is explained in wiping versus destroying a hard drive.
Mistake 6. No certificate and therefore no proof
Whoever destroys without proof can demonstrate nothing afterwards. The GDPR asks for demonstrability, and without a certificate you do not know what was destroyed, when and at which level. A certificate of destruction with the date, quantity and DIN level is your proof towards the supervisory authority and for your own file. Always ask for one and keep it with your record of processing. What exactly belongs on it is set out in the certificate of destruction explained.
Mistake 7. Not closing the chain
Even with the right shredder things go wrong if the route towards it lies open. Paper that stands for days in an open bin in the corridor, a box that ends up unattended at reception, or transport without a seal. Anywhere in that chain something can leak away. Work with closed bins, sealed transport and a watertight handover all the way to the shredder, so nobody unauthorised touches the material in between. What that chain looks like is explained in chain of custody from archive to shredder.
How to prevent all seven in 5 steps
- Separate confidential from ordinary paper in closed bins, not in the recycling.
- Test every category against its retention period before you destroy anything.
- Include the data carriers in the same policy as the paper.
- Choose the right DIN level or have it destroyed externally for volume.
- Ask for a certificate and record the destruction in your register.
Have business documents destroyed without mistakes?
Tell us what you have and you get a fixed price. We collect it sealed, destroy it at the right DIN level and you receive a certificate for your GDPR file. No call-out charge within 20 km of Amsterdam.
Request a quoteFrequently asked questions
What is the biggest mistake when destroying business documents?
Putting confidential paper unshredded in the recycling. An open paper bin or container is not destruction. The data stays readable until the paper is processed and a lost or removed stack is a reportable data breach.
Do I need a certificate of destruction?
For your own file, yes. Without a certificate you cannot demonstrate what was destroyed, when and at which level. The GDPR asks for demonstrability, and a certificate with the date, quantity and DIN level is the proof that you acted carefully.
May I destroy business documents straight after use?
Not always. The administration falls under the seven-year tax retention obligation and some documents under a longer period. Do not destroy too early, because then you breach a retention obligation, and not too late, because then you keep data longer than the GDPR allows.
Is an office shredder enough for confidential documents?
For a single sheet sometimes, for volume and sensitive data not. A strip-cut office machine cuts too coarsely and can be reconstructed. For confidential material you choose a cross-cut at the right DIN level, or you have it destroyed externally with proof.
Conclusion
The seven mistakes share a common denominator. They arise where convenience wins over care, at the bin in the corridor, the office shredder or the box that keeps standing. Separate confidential paper, test against the retention period, include the data carriers, choose the right level and always ask for a certificate. Then document destruction is no longer a risk but a watertight part of your GDPR policy.
Read also: 7 data carriers you cannot just throw away, 10 moments to destroy business documents, choosing a document destruction company in 12 points, reporting a data breach in 72 hours, setting up a destruction policy for SMEs and the GDPR retention periods cheatsheet.
Have business documents collected? Request a quote via desnipperaar.nl. Within a few minutes you have a fixed price, including a certificate as proof.