Setting up a destruction policy for SMEs: what to include, with an example
A destruction policy records, in a short guideline, what you destroy, at what DIN level, how often, who is responsible and how you keep the proof. For an SME half a page often suffices. It turns confidential destruction into a fixed working method instead of a separate action, and that helps you comply with the GDPR.
Many SMEs do destroy confidential paper, but nowhere record how. At an inspection or after a data breach the first question is what your working method is, and a short policy is the answer. In this article you will read what a destruction policy is, what to include and how to write it in a few steps, and you will find an example you can adopt.
Why a destruction policy?
A policy solves two things. It makes the working method clear for your staff, so everyone knows what is confidential and how it is destroyed. And it makes your approach demonstrable to a supervisor or auditor, because you can show that care was arranged and not left to chance. The GDPR does not prescribe a fixed document, but the accountability principle makes such a guideline very handy in practice.
What is a destruction policy exactly?
A destruction policy is not a legal contract, but an internal guideline. It describes in plain language how your organisation handles clearing out confidential information. Unlike a one-off instruction, it is a fixed document everyone can refer to. It does not have to be extensive; the simplicity is precisely what makes it usable. Half a page with clear arrangements works better than a thick document no one reads.
Who is a destruction policy for?
Every organisation that processes personal data benefits from a destruction policy, from a sole trader to an SME with dozens of staff. The more people have access to confidential documents, the more important clear arrangements are. An accounting firm, a healthcare practice, a webshop or an HR department all produce sensitive paper. For all of them a short guideline helps to clear it out neatly and demonstrably. For a small business half a page is often already enough.
What should a destruction policy include?
A workable destruction policy for an SME contains six elements:
- What is confidential? Which documents and data fall under it.
- Which level? At what DIN 66399 level you destroy.
- How often? The frequency of clearing out and collection.
- Who is responsible? Who keeps the overview and arranges the collection.
- The proof. How you keep the certificate and note it in the record.
- Data carriers. How you handle hard drives, USB sticks and phones.
Below we go through the six elements, so you can fill them in one by one.
Element 1: what is confidential?
Start by defining what falls under the policy. Anything with personal data or business-sensitive information belongs to it, such as personnel files, client data, financial records, contracts and internal notes. The rule of thumb for staff is simple: if you doubt whether a document is sensitive, treat it as if it is. What exactly counts as confidential is covered in the article on destroying confidential documents.
Start with the retention periods
A good destruction policy starts with knowing when something may go. Some documents you are required to keep, such as tax records, which must be kept for seven years. Include in the policy a reference to the retention periods that apply to your sector, so staff do not destroy too early. Only once the period has passed does a file go for destruction. An overview of common periods is in the GDPR retention periods cheatsheet.
Element 2: at what DIN level?
Record at what level you destroy. For ordinary office documents P-4 is the workable minimum, for ID numbers and medical data P-5 is appropriate.
| Level | Particle size | Suitable for |
|---|---|---|
| P-2 | Strips | General print without data |
| P-4 | Small particles | Documents with personal data |
| P-5 | Very small particles | ID numbers, medical and special data |
By including the level in the policy, you can later show that it was appropriate for the data. More on the levels is in the article DIN 66399 explained.
Element 3: how often and when?
Set a fixed frequency. Many SMEs choose a locked bin emptied monthly or quarterly, supplemented by a yearly review of files whose retention period has passed. Clearing out then becomes a rhythm instead of something that keeps being postponed. The trade-off between periodic and one-off clearing is in the article recurring versus one-off destruction.
Element 4: who is responsible?
Appoint someone who keeps the overview, for example the office manager or the data protection officer. Record briefly who decides which files may go, who plans the collection and who keeps the certificates. Half a page of working arrangements prevents confidential paper from lying around because no one feels responsible.
Element 5: recording the proof
Describe how you keep the proof. After every collection you receive a certificate of destruction, which you archive digitally and note in your record of processing. That makes it demonstrable that you not only have an arrangement, but also carry it out. How demonstrability works is in the article demonstrable destruction for the GDPR.
Element 6: data carriers
Do not forget the digital side. Personal data is also on hard drives, USB sticks and phones. Record that written-off carriers are physically destroyed and registered by serial number. They can go in the same collection as the paper. The policy then covers the whole confidential flow, not just the paper.
Difference with a clean desk policy
A clean desk policy and a destruction policy are often confused, but they complement each other. A clean desk policy is about the workplace: not leaving confidential documents lying open at the end of the day. A destruction policy is about what happens to those documents afterwards: how and when they are destroyed. Together they close the circle, from the desk to the locked bin to the certificate. More on the workplace side is in the article clean desk policy and destruction.
An example to adopt
A policy does not have to be complicated. An example for an SME office could read:
All documents with personal data or business-sensitive information are destroyed confidentially at DIN 66399 P-4. Special personal data is destroyed at P-5. Staff deposit these documents in the locked bin by the printer. The bin is collected and destroyed quarterly by a certified provider. Each year the office manager reviews which archive files are past their retention period and plans an extra collection for them. Data carriers are physically destroyed and registered by serial number when written off. For every destruction the certificate is kept digitally and noted in the record of processing. The office manager is responsible for the execution.
Adapt the details to your situation and you have, in half a page, a workable policy.
Template or write your own?
You do not have to reinvent the wheel. The example above works as a template; you only fill in your own level, frequency and responsible person. Writing your own has the advantage that the policy fits your working method exactly and is recognisable to your team. Start small with the six elements and only expand if your situation calls for it. A short policy that is right is worth more than an extensive policy no one follows.
How do you write it?
- Take stock of which confidential flows you have, paper and digital.
- Choose the level and frequency that suit your data.
- Appoint a responsible person and record the working arrangements.
- Describe the proof, the certificate and the note in the record.
- Share the policy with your staff and include it in the onboarding of new people.
The link with the GDPR
A destruction policy aligns with the accountability principle from article 5(2) of the GDPR. You must not only handle personal data carefully, but also be able to show it. The policy shows that clearing out is part of your information security. The certificates provide the proof each time. What else the GDPR asks of SMEs is in GDPR requirements for SMEs.
The policy and the collection service
A policy on paper is only complete once the execution is arranged. A collection service makes that easy, because you have the paper and data carriers collected and destroyed at your location, with a certificate as proof. You do not have to take anything away yourself and the chain stays closed. Whether you have a fixed bin emptied quarterly or clear out the archive cabinet yearly, the same service executes your policy. So the policy is no paper tiger but a working practice.
What does executing the policy cost?
Writing a policy only costs some time; executing it costs a fixed price per collection. You pay from about 30 euro for the first box. Data carriers are settled per item. Within 20 km of Amsterdam we charge no call-out fee. A fixed bin with periodic collection often works out cheaper per collection. The full pricing is in the article archive destruction cost, so you can estimate the execution of your policy in advance.
Demonstrable in an audit or inspection
The big advantage of a destruction policy shows in an audit or an inspection by the data protection authority. You then show not only individual certificates, but also the policy they come from. That makes a more convincing impression, because it shows care is embedded in your organisation and not left to chance. An inspector sees in a few minutes that you have an arrangement and carry it out too.
Implementing and keeping it alive
A policy on paper that no one knows does not work. Share it briefly with your team, for example in a work meeting. Also include it in the onboarding of new staff. Review the policy once a year and adapt it if something changes, for example a new type of data or a different frequency. So it stays a living document instead of a forgotten file on a shared drive.
A policy is never quite finished
Organisations change and your policy changes with them. If a new type of sensitive data arises, you start working more digitally or the frequency changes, adapt the policy. A yearly five-minute look is enough to check whether the arrangements still hold. So you prevent the policy becoming outdated and it stays usable in an inspection. A living document weighs more heavily in an audit than a version from years ago.
Practical tips
- Keep it short, half a page with clear arrangements works best.
- Share the policy and include it in the onboarding of new staff.
- Do not forget the data carriers alongside the paper.
- Keep the certificates digitally and note them in the record.
The policy and the record of processing
The destruction policy and the record of processing belong together. The record states which data you process and for how long; the policy describes how you clear it out afterwards. A reference in both directions makes the whole complete. A supervisor then sees that the retention period is not only on paper, but also carried out. How to set up that record is in the article the record of processing for archives and destruction.
Common mistakes
- No policy, only separate actions. Then you cannot show at an inspection that there are arrangements.
- Not sharing the policy. A guideline staff do not know does not work.
- Forgetting the digital side. Data carriers belong in it just as much as paper.
- Not recording proof. Without certificates in the record it remains good intentions.
A real-world example
Imagine an administration office with eight staff that has no recorded working method for confidential paper. After a question from a client the office decides to set up a short policy. On half a page it states what is confidential, that it is destroyed at P-5, that the bin is collected quarterly and that the office manager keeps the certificates. The policy is shared in a work meeting. When half a year later a client asks how the office handles old files, it can show the policy in a few sentences, with the certificates as proof.
Make destruction a fixed part of your policy?
We collect your confidential paper and data carriers, destroy them to the right DIN level and provide a certificate as proof. So you execute your policy easily. No call-out fee within 20 km of Amsterdam.
Request a quote
Frequently asked questions
What is a destruction policy?
A short guideline that records what you destroy, at what DIN level, how often, who is responsible and how you keep the proof. Half a page often suffices.
Is a destruction policy mandatory?
The GDPR does not prescribe a fixed document, but through the accountability principle you must be able to show you handle personal data carefully. A policy makes that easy.
What should it contain at minimum?
What counts as confidential, the DIN level, the frequency, the responsible person and how you keep and register the certificate.
How long is a destruction policy?
For an SME half a page to a page often suffices. It is about clear arrangements, not a hefty document.
Does a clean desk policy belong with this?
Yes. A clean desk policy and a destruction policy complement each other. See clean desk policy and destruction.
Conclusion
A destruction policy turns confidential destruction into a fixed, demonstrable working method. Record in a short guideline what is confidential, at what level you destroy, how often, who is responsible and how you keep the proof. Do not forget the data carriers and share the policy with your team. Half a page is enough to show, at an inspection or a question from a client, in a few sentences that you have it neatly arranged.
Execute your policy with a certificate? Request a quote via desnipperaar.nl or read how demonstrable destruction for the GDPR works. You receive a certificate as proof.