Restore Datashred provides a full range of confidential shredding services that fully comply with data protection regulations. Get in touch with us today.

Understanding GDPR in 2025

The Data Protection Act 2018 – GDPR – is changing. Are you up to date with what the law requires of you and your business?

Changes to GDPR

Two years ago, we wrote about potential changes coming down the line from proposals outlined in the UK government’s Data Protection and Digital Information Bill. That legislation is on hold. However, changes to what we all call GDPR are, indeed, afoot.

This is because the Data (Use and Access) (DUA) Act was given royal assent on 19 June 2025, and the changes it makes to several pieces of legislation are being phased in from now until June 2026.

Our concern here at Restore Datashred is always with data protection and high levels of security at data’s end-of-life stage, so let’s examine what GDPR currently stipulates, and how the DUA Act could lead to some operational tweaks and alterations being required for your business.

The seven principles of GDPR-compliant data handling are:

  • Lawfulness, fairness, and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

What the DUA Act wants to make easier

As well as areas of potential innovation around research provisions, privacy notices, automated decision-making and cookie rules, the DUA Act might make the following easier to implement in your favour:

  • ‘Recognised legitimate interests’ have a new, lawful basis
  • Assumption of compatibility
  • ‘Soft opt-in’ for charities
  • Subject access requests (SARs).

Where the DUA Act requires action*

Two areas may need you to make changes to your current set-up.

Children's online services

Providers of children’s online services must now take children’s needs into account when deciding how to use their personal information.

Data protection

Data protection complaints must be enabled by provision of, for example, a data protection complaint form, with a process in place to acknowledge the complaint within 30 days and respond without undue delay.

What does the DUA Act mean for data disposal?

Absolutely nothing!

As in, there is still the urgent need for any business or organisation, of any size and sector, to make sure the confidentiality of the personal, sensitive information they handle is watertight. This confidentiality must be implemented from the moment of data’s creation to the moment of its destruction, and covers information including direct marketing opt-ins, HR records, financial and account documents, customer correspondence (any format), banking details, and telephone call recordings. Confidentiality also encompasses the individual’s right to be deleted from your systems, on demand.

Compliance with all data protection legislation entails setting aside budget to provide for issues such as secure data management, part of which should include secure end-of-life data shredding by a professional company.

What happens if you get data disposal wrong?

Current news concerns itself with cyber-attacks taking down high street names or national airlines’ customer databases, but sensitive paper and digitally based data are not immune. If you have leaky systems or working practices, or poorly conceived security protocols, there’s an increasing risk someone will take advantage to gain leverage over your business, aka, blackmail! Suffer a data breach and the Information Commissioner’s Office (ICO) can fine you and, even worse, your reputation will be damaged and your customers’ trust broken.

How to get secure data disposal right

  • Check your retention and disposal policy is fit for purpose. You do have this policy, right?
  • Employ a data protection officer or train someone on the team – yourself? – to carry out this role.
  • Set up a secure waste stream, which includes lockable cabinets or bins to keep sensitive information away from prying eyes.
  • Avoid using an in-house shredder as not only is it a time-consuming chore, but it also creates risk with piles of confidential documents or discs left unguarded in the queue.
  • Use an accredited, professional data shredding company to destroy your obsolete data, the bonus being that they will send the paper shreds and plastics, metals and other materials from electronic storage media to be recycled.

Step up, Restore Datashred!

Maintaining your, and your customers’, confidentiality and data security is our core business goal. We understand GDPR legislation, with amendments and changes required by the DUA Act 2025, and can implement an audited unbroken chain of custody from your workplace to our shredding blades. Choose any of our services and you will know that they all meet the same high standards.

All our services are backed by our accreditations, industry association memberships, our commitment to 0% to landfill, and our excellent customer service (rated ‘Excellent’ by our customers on Trustpilot). Our teams are enthusiastic and well informed, and fully understand the potential impacts of this new legislation on your data protection compliance. Find out how we can help you meet the challenges of secure data management and disposal by calling 0330 162 0033.
