Data controllers and processors: a match made in GDPR heaven

With the EU General Data Protection Regulations in place, GDPR is on the agenda for most businesses.


We thought we’d take a look at an aspect of confidential paper shredding and data destruction that relates to GDPR. It all stems from a fundamental element of our shredding process; the fact that confidential data needs to be both controlled and processed.


Who controls and who processes?


Put simply, our customers, the businesses for whom we provide our shredding services, are data controllers and we are their data processors. We recognise that data controllers need to prove to the people that they report to that they have chosen competent and compliant data processors.


As a result, data controllers need to be able to ensure that all procedures are being adhered to and all regulations complied with when confidential data is being processed and destroyed.


GDPR compliance and secure shredding


In light of GDPR, renewed focus is being placed on the secure retention and destruction of personal data. GDPR strengthens data protection legislation and, in the event of a data breach right now, non-compliance results in a fine. Do you know if your current shredding service meets GDPR regulations?


Compliant, competent, reliable shredding


There are three areas where you can demonstrate that, as a data controller, you are employing the services of a proficient data processor.




An ability to show that the shredding process being used is trackable is vital for GDPR compliance. A reputable shredding company will be able to provide a thorough audit trail.


Ensure that your shredding services provider can show that they:


– Use lockable confidential data consoles to dispose of sensitive documents
– Never leave any waste unattended
– Comply with BS EN15713:2009 standards
– Store all shredded material securely


Cost vs compliance


Storing documents and data in an unsecured place may reduce costs but it will increase the risk of data breach, fines and reputational damage. By using a regular document destruction service with a trusted supplier, you can remove any storage-related risks.

A fully-accredited shredding company will have the sufficient security levels to ensure the integrity of any data that they process.




The decision to keep paper documents for a fixed period of time will differ from sector to sector. Businesses will have different requirements, and legal obligations, based on the data and documents that they control and manage.


Data controllers will probably know what those requirements are but an experienced shredding company should be able to offer help and advice. As you can imagine, as a fully-accredited secure shredding company here at Restore Datashred we can offer help, support and compliance with all of the factors highlighted here.


If you’d like to find out more about how we can build a strong data-controller/data-processor relationship with your business, contact our team today.

0800 376 4422