Restore Datashred provides a full range of confidential shredding services that fully comply with data protection regulations. Get in touch with us today.

Your year-end data security checklist

Finish the year as you mean to start the next: organised, compliant, with all your data tucked up safe and secure in watertight confidential disposal processes that put protection at the heart of what they do. Go on, treat yourself!

The most recent Data Security Incident Trends document published by the Information Commissioner’s Office (ICO) covers Q2, April to June 2025, and reports that the number of data breach incidents was 3,242, representing a 6% increase on Q2 2024.

It would be easy to think that the high-profile cyber-attacks on Marks & Spencer, Co-op, and Jaguar Land Rover, for example, would account for much of that increase, and yet non-cyber incidents made up 76% of reported losses – a 14% rise over the same period last year.

What is a non-cyber incident?

It is the result of paper and data-bearing devices being mishandled, and colleagues and operatives being undertrained and under-monitored, and it reflects poorly on any organisation’s systems, processes and integrity, regardless of size or scope. With all the data protection and environmental stipulations of GDPR and the WEEE Directive well embedded in this country’s legislation and across business, there are few excuses for not doing the right thing by your own and your customers’ sensitive data.


Do you have a checklist?

Don’t be an elf-on-the-shelf, leaving the last documents of the year carelessly on display or chucked, last-minute, into the (non-confidential) recycling waste stream. Work through our Restore Datashred checklist and talk to us about actioning anything that feels less than 100%. End-to-end lifecycle data protection is still key for a thriving business.


What to do, and why: our 9-point plan

 

1. Draw up a data inventory – what type of confidential information do you collect, where do you store it, what protocols have you set up to protect it, and how does it move through your organisation? Knowing what you have and where you keep it is a critical first step.

 

2. Review your data retention policy – certain types of confidential data must be kept for specific lengths of time – usually years – before secure disposal. Make sure you know what your obligations are to comply with the law, and maintain your business’ integrity in your customers’ eyes by tweaking your policy accordingly. Naturally, you should check you are compliant as you review…

 

3. Keep data secure in between disposal collections – slotted, lockable wheelie bins and cabinets are a prerequisite in office and other workplace settings; under-desk and desktop secure cardboard boxes are great for lower-traffic environments and those who work from home. The bottom line is, even if it’s waste, your data must be protected from bad actors – or human error – while it awaits collection. This will be a more complex process to get right if you don’t have secure disposal services set up – you know what to do! Restore Datashred can help.

 

4. Update your compliance policies and procedures – when many office-based colleagues started working from home in 2020, which has since morphed into the hybrid working model, did you update your home audit procedures to include cybersecurity, physical data protection and disposal processes? In any case, new threats via technology which plays on the capacity for human error, e.g. phishing, need to be worked into your organisation’s ways of dealing with challenges and responding to incidents.

 

5. Set up initial and refresher training for all colleagues – whether your teams work out of office, in office, or are essential workers, they will handle some sort of confidential information as part of their job. Are they all aware, through training, of the mandatory nature of data protection? Can they spot a scam or phishing attempt? As new technology, and new ways of hacking or breaking it, emerge at breakneck speed, so you need to ensure your colleagues are kept up to date. Education is key to helping stem human error.

 

6. Review your third-party agreements – when you start working with suppliers, partners and third-party vendors, their data protection measures should be audited as a correct and legal fit with your own business protections and imperatives.

 

7. What is your incident response plan? – the ICO, in tandem with this country’s GDPR legislation, demands an incident report within 72 hours of detection. But there is so much more to consider: customer and colleague communication, ramifications of the exposure, detection processes, colleague training, and so on. Having a Plan B, and a communications plan, are key to your damage limitation.

 

8. Document everything! – decisions, procedures, audits and training sessions demonstrate accountability and proactive compliance with legal requirements.

 

9. Make sure disposal is 100% secure, for paper and digital information – no prizes for guessing this would be our final point! Safe, secure destruction, tracked from your place to ours in an unbroken chain of custody, before being shredded and sent for secure recycling is a no-brainer if you have all your secure systems in place. It’s the final piece in the jigsaw of compliant data protection.

Don’t let it daunt you…

It may look like loads to do, but we bet you have much of our checklist already under control. For any gaps – and that’s where you need to halt risk from entering the frame – get in touch with our customer service team on 0800 376 4422. We will help you get your confidential data disposal sorted so you are in watertight, ship shape for 2026.
