GDPR & Data Destruction During an Office Move

An office move is one of the highest-risk moments for a data breach. Confidential documents get boxed up carelessly, old hard drives end up in skips, and equipment disappears between floors. GDPR doesn't pause for moving day — and the penalties for getting it wrong are severe.

Why GDPR Matters During an Office Move

Data breach risk spikes during an office move. Boxes of confidential files sit in corridors, unlocked skips overflow in the car park, and IT equipment travels between premises in the back of vans. Every one of these moments is a potential breach — and the ICO won't accept "we were moving" as an excuse.

The stakes are serious. The ICO can issue fines of up to £17.5 million or 4% of global annual turnover (whichever is higher) for GDPR violations. Even if a fine doesn't materialise, a reportable breach damages client trust and can trigger regulatory scrutiny that lasts months.

Personal data isn't just customer databases. It includes employee records, client files, HR documents, medical records, financial data, and any correspondence containing identifiable information. During a clearance, these materials often surface from filing cabinets that haven't been opened in years — and they need to be handled with the same care as live records.

A critical point that many organisations miss: you remain the data controller even when you hire a clearance company to remove and destroy your waste. The clearance company acts as a data processor under GDPR. This means you need a written data processing agreement under Article 28, and you're responsible for checking that they actually handle personal data correctly. If they dump your confidential waste in a public skip, it is your breach to assess and, where it poses a risk to individuals, to report to the ICO within 72 hours. The processor may share the liability, but that does not transfer the obligation.

Paper Documents: What to Shred and How

Paper is the most common source of data breaches during office clearances. Filing cabinets, desk drawers, and storage rooms accumulate years of documents that contain personal data — and sorting through them under time pressure leads to mistakes.

What counts as confidential waste

  • Personal data — anything with names, addresses, phone numbers, email addresses, National Insurance numbers, or other identifiers
  • Financial records — invoices, bank statements, payroll records, expense claims, tax documents
  • Legal documents — contracts, agreements, court documents, legal correspondence
  • HR files — employee records, disciplinary proceedings, performance reviews, sickness records, references
  • Client correspondence — letters, printed emails, meeting notes, project files containing client information
  • Medical records — occupational health reports, fit notes, disability assessments (these are special category data under GDPR and require the highest level of protection)

Shredding standards

Cross-cut shredding is the minimum acceptable standard for confidential documents. DIN 66399 (a German standard, but the one used across Europe) defines security levels by the largest particle the shredder may leave behind:

Security level | Max particle area | Suitable for
P-3 (strip- or cross-cut) | 320 mm² | General confidential documents, internal correspondence
P-4 (cross-cut) | 160 mm² | Personal data, financial records, HR files
P-5 (micro-cut) | 30 mm² | Highly sensitive data, legal, medical records
P-6 / P-7 | 10 mm² / 5 mm² | Government classified, intelligence, defence

For most office clearances, P-3 is the baseline and P-4 is recommended for anything containing personal data. If you handle sensitive categories — medical, legal, financial — consider P-5 or higher.

On-site vs off-site shredding

On-site shredding means a mobile shredding vehicle comes to your premises and destroys documents while you watch. It's more expensive per kilogramme but gives you full visibility and an immediate certificate. Off-site shredding involves collecting locked bins and transporting them to a destruction facility — it's cheaper for large volumes but requires you to trust the chain of custody. For most office clearances, on-site shredding is the safer choice for the most sensitive materials, with off-site handling the bulk.

One absolute rule: never use open-top skips for paper. A single visible document containing personal data constitutes a breach. All confidential paper waste should go into locked, tamper-evident containers from the moment it leaves the filing cabinet.

Every batch of destroyed documents should generate a destruction certificate stating the date, volume, method, security standard used, and a unique reference number. Keep these — they're your evidence of GDPR compliance.

Digital Data: Hard Drives, Servers, and Equipment

Digital data destruction is where many organisations fall short during a move. Old PCs get stacked on pallets, servers are unplugged and left, and hard drives end up in general waste. The data on these devices is recoverable — and in the wrong hands, it's a serious breach.

Why deleting isn't enough

Deleting files, emptying the recycle bin, or even quick-formatting a drive does not destroy the data. Deletion only removes the filesystem's reference to the file; the sectors keep their contents until something else happens to overwrite them, and free recovery tools find them by scanning the raw disk for file signatures rather than consulting the filesystem at all. For GDPR compliance you need certified data wiping or physical destruction, and for a wipe you need evidence that every sector was actually overwritten and read back.
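The point above in working code, as an added example that is not from the original page. It simulates a tiny disk with a directory layout invented for illustration (sector 0 holds fixed-size entries of name, start sector and length; the remaining sectors hold file data). A delete or quick format touches only sector 0, which is what real filesystems do too; a carver that ignores the directory and scans the raw image for a file signature still recovers the record. Only overwriting the data sectors defeats it. The HR record is constructed sample data (a QQ-prefixed NI number is never issued).

```python
"""Deleting versus destroying: a file-carving demonstration.

Added example, not code from the original page. The disk layout is an
invention for illustration: sector 0 is the directory, the rest is data.
"""
import struct

SECTOR = 64                       # tiny sectors keep the image easy to inspect
N_SECTORS = 32
ENTRY = struct.Struct("<16sHH")   # name (16 bytes, NUL padded), start sector, length
MAX_ENTRIES = SECTOR // ENTRY.size

# Constructed sample record (QQ-prefixed NI numbers are never issued).
SAMPLE_HR_RECORD = b"BEGIN:HR\nname=Example Employee\nNI=QQ123456C\nEND:HR\n"


class TinyDisk:
    def __init__(self):
        self.image = bytearray(SECTOR * N_SECTORS)
        self.next_free = 1        # sector 0 is the directory

    def _entries(self):
        for i in range(MAX_ENTRIES):
            name, start, length = ENTRY.unpack_from(self.image, i * ENTRY.size)
            yield i, name.rstrip(b"\0").decode(), start, length

    def list_files(self):
        return [name for _, name, start, _ in self._entries() if start]

    def write_file(self, name, data):
        start = self.next_free
        self.image[start * SECTOR:start * SECTOR + len(data)] = data
        self.next_free += -(-len(data) // SECTOR)     # ceil(len / SECTOR)
        slot = next(i for i, _, s, _ in self._entries() if s == 0)
        ENTRY.pack_into(self.image, slot * ENTRY.size, name.encode(), start, len(data))

    def read_file(self, name):
        for _, n, start, length in self._entries():
            if start and n == name:
                return bytes(self.image[start * SECTOR:start * SECTOR + length])
        return None

    def delete_file(self, name):
        # What an OS delete does: drop the directory entry, leave the data sectors alone.
        for i, n, start, _ in self._entries():
            if start and n == name:
                self.image[i * ENTRY.size:(i + 1) * ENTRY.size] = bytes(ENTRY.size)
                return True
        return False

    def quick_format(self):
        # A quick format rewrites only the metadata sector.
        self.image[:SECTOR] = bytes(SECTOR)
        self.next_free = 1

    def overwrite(self, byte=0):
        # The "Clear" step of NIST SP 800-88: every sector, data and metadata, gets the pattern.
        self.image[:] = bytes([byte]) * len(self.image)
        self.next_free = 1


def carve(image, header, footer):
    """Signature carving, the way recovery tools do it: never consult the directory."""
    i = image.find(header)
    if i < 0:
        return None
    j = image.find(footer, i)
    if j < 0:
        return None
    return bytes(image[i:j + len(footer)])


def demo():
    """Returns what the filesystem and a carver each see at every stage."""
    disk = TinyDisk()
    disk.write_file("hr.txt", SAMPLE_HR_RECORD)
    seen = {"before": disk.read_file("hr.txt")}
    disk.delete_file("hr.txt")
    seen["after_delete_listed"] = disk.list_files()
    seen["after_delete_carved"] = carve(disk.image, b"BEGIN:HR", b"END:HR\n")
    disk.quick_format()
    seen["after_format_carved"] = carve(disk.image, b"BEGIN:HR", b"END:HR\n")
    disk.overwrite()
    seen["after_overwrite_carved"] = carve(disk.image, b"BEGIN:HR", b"END:HR\n")
    return seen


if __name__ == "__main__":
    for stage, value in demo().items():
        print(f"{stage:24} {value!r}")
```

The directory shows no files after the delete and after the quick format, yet the carver returns the complete HR record both times; it returns nothing only after the overwrite. Real recovery tools do exactly this search over a real disk, which is why a "deleted" drive leaving the building is a loss of personal data, not a clean one.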

Data wiping standards

  • HMG IS5 (Infosec Standard 5) — the old UK government baseline for sanitising storage media: a single overwrite pass at the baseline level, three passes at the enhanced level. It has been superseded by NCSC's secure sanitisation guidance but is still widely named in UK contracts and certificates
  • NIST SP 800-88 Rev. 1 — the US National Institute of Standards and Technology guideline for media sanitisation, recognised globally and commonly used by UK businesses. It defines three levels, Clear (overwrite), Purge (degaussing, firmware sanitise or cryptographic erase) and Destroy, and in every case requires the result to be verified
  • IEEE 2883-2022 — a newer standard covering modern storage media including SSDs and NVMe, which older overwrite-based standards don't fully address

When physical destruction is necessary

Some drives can't be reliably wiped by software: failed drives that won't spin up, SSDs (wear levelling and spare blocks mean an overwrite cannot be shown to have reached every cell, so the drive's own sanitise or cryptographic-erase command is the minimum), self-encrypting drives whose keys cannot be confirmed destroyed, or media where the highest assurance is needed. In these cases, physical destruction is the answer:

  • Degaussing — a powerful magnetic field scrambles the data on magnetic media (HDDs, tapes) and also wipes the drive's servo tracks, so the HDD cannot be reused. Useless against SSDs, whose flash holds no magnetic data
  • Shredding — industrial shredders reduce drives to small fragments and work on all media types. For SSDs the fragments must be smaller than the flash chips themselves; a coarse shred can leave whole packages readable
  • Crushing/puncturing — physically damages the platters so they cannot be read. Less thorough than shredding but sufficient for most purposes on magnetic disks

Don't forget these devices

Servers and network equipment are the obvious targets, but they often contain more than expected — cached credentials, configuration data, DHCP logs, and VPN settings. These all need wiping before disposal. Equipment that's frequently overlooked:

  • Network switches and routers — contain configuration files, access credentials, VPN pre-shared keys and certificates, and sometimes logs or packet captures
  • Mobile phones and tablets — company devices often contain emails, contacts, documents, and app data
  • USB drives and external hard drives — easy to lose, frequently contain sensitive files copied "just in case"
  • Printers and copiers — modern multifunction devices have internal hard drives or flash storage that retain images of recent print, scan and fax jobs, plus address books and stored credentials
  • Backup tapes — often forgotten in storage rooms, containing complete system snapshots

IT equipment disposal must also comply with WEEE regulations. Electrical equipment cannot go to landfill and must be processed through approved waste channels. See our WEEE regulations guide for full details.

Need GDPR-compliant office clearance with certified data destruction?

Get a Clearance Quote →

What Certificates and Documentation You Need

Proper documentation is the backbone of GDPR compliance during an office clearance. Without it, you have no evidence that data was handled correctly — and "we hired someone to deal with it" won't satisfy the ICO.

Certificates of destruction

You need a certificate for every batch of shredded documents and every destroyed storage device. Each certificate should state:

  • Date of destruction
  • Method used (cross-cut shredding, degaussing, physical destruction, etc.)
  • Standard followed (DIN 66399 level, HMG IS5, NIST 800-88)
  • Unique reference number
  • Description of materials destroyed (quantity, type)
  • Name and signature of the person who witnessed or carried out the destruction

Waste transfer notes

Legally required for all commercial waste removal in England and Wales — not just confidential waste. A waste transfer note must accompany every load of waste leaving your premises. See our waste transfer notes guide for what they must contain and how long to keep them.

WEEE compliance notes

For all electrical and electronic equipment being disposed of, your clearance company should provide evidence that items were processed through an approved WEEE treatment facility. This is separate from data destruction — it covers the environmental disposal of the physical equipment.

Data processing agreement

Under Article 28 GDPR, you must have a written agreement with any company that handles personal data on your behalf. This includes clearance companies that collect, transport, or destroy documents and IT equipment containing personal data. Article 28(3) sets out what it must contain: the subject matter, duration, nature and purpose of the processing, the types of data and data subjects, and the processor's obligations (act only on your documented instructions, keep staff to confidentiality, apply appropriate security measures, use sub-processors only with your approval and under the same terms, assist with data-subject requests and breaches, delete or return data at the end of the service, and submit to audits).

IT asset register

Maintain a list of all IT equipment with serial numbers, asset tags, and the disposal method for each item. This creates an audit trail from "device in use" to "device securely destroyed" — essential if you ever need to demonstrate compliance.
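The wiping and documentation steps described above, as an added example that is neither the page's nor any vendor's code. It performs the overwrite ("Clear") step of NIST SP 800-88 against a path standing in for a block device (a temporary file here, /dev/sdX in practice): one pass of a single-byte pattern, fsync, then a byte-for-byte read-back verify that also hashes what is physically on the media. The result is turned into the fields a destruction certificate or asset-register row needs, sealed with an HMAC so a later edit to the record is detectable. The serial number, asset tag, operator, reference format and HMAC key are assumptions for the demo. Overwriting is only meaningful for magnetic disks; an SSD needs its own sanitise or cryptographic-erase command, or physical destruction.

```python
"""Verified one-pass overwrite with an evidential record.

Added example, not from the original page. Serial, asset tag, operator,
reference format and DEMO_KEY are assumptions; the device path is a
temporary file standing in for a real block device.
"""
import datetime
import hashlib
import hmac
import json
import os
import secrets
import tempfile

CHUNK = 256 * 1024
DEMO_KEY = b"replace-with-a-key-held-off-the-wiping-host"   # assumption for the demo


def overwrite_and_verify(device_path, pattern=b"\x00"):
    """One-pass overwrite, fsync, then full read-back verification. Returns a result dict."""
    assert len(pattern) == 1, "single-byte pattern keeps chunk boundaries trivial"
    block = pattern * CHUNK
    fd = os.open(device_path, os.O_RDWR)
    try:
        size = os.lseek(fd, 0, os.SEEK_END)   # works for regular files and block devices
        os.lseek(fd, 0, os.SEEK_SET)
        written = 0
        while written < size:
            written += os.write(fd, block[:min(CHUNK, size - written)])
        os.fsync(fd)                            # the page cache is not evidence

        os.lseek(fd, 0, os.SEEK_SET)
        digest = hashlib.sha256()
        checked = 0
        while checked < size:
            buf = os.read(fd, min(CHUNK, size - checked))
            if not buf:
                return {"verified": False, "bytes": size, "failed_at": checked,
                        "reason": "short read", "pattern": pattern.hex()}
            if buf != block[:len(buf)]:
                return {"verified": False, "bytes": size, "failed_at": checked,
                        "reason": "pattern mismatch", "pattern": pattern.hex()}
            digest.update(buf)
            checked += len(buf)
    finally:
        os.close(fd)
    return {"verified": True, "bytes": size, "sha256_after": digest.hexdigest(),
            "pattern": pattern.hex()}


def _seal(record, key):
    body = {k: v for k, v in record.items() if k != "hmac"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def destruction_record(device_path, serial, asset_tag, operator, result, key=DEMO_KEY):
    """The certificate / asset-register fields listed on this page, sealed with an HMAC."""
    record = {
        "reference": "DR-" + secrets.token_hex(4).upper(),      # assumed reference format
        "date": datetime.datetime.now(datetime.timezone.utc).replace(microsecond=0).isoformat(),
        "device": device_path,
        "serial": serial,
        "asset_tag": asset_tag,
        "method": "software overwrite, 1 pass, 0x" + result["pattern"],
        "standard": "NIST SP 800-88 Rev. 1, Clear",
        "bytes": result["bytes"],
        "verified": result["verified"],
        "evidence_sha256": result.get("sha256_after"),
        "operator": operator,
    }
    record["hmac"] = _seal(record, key)
    return record


def verify_record(record, key=DEMO_KEY):
    """True only if the record is unchanged since it was sealed."""
    return hmac.compare_digest(_seal(record, key), record.get("hmac", ""))


def demo(size=CHUNK * 2 + 4097):
    """Wipes a temp file standing in for /dev/sdX and returns its sealed record."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(os.urandom(size))             # pretend this is live data
        path = f.name
    result = overwrite_and_verify(path)
    return destruction_record(path, "SERIAL-ASSUMED-0001", "IT-0001", "example operator", result)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The record carries exactly the fields the certificate section asks for (date, method, standard, reference, quantity, who did it) plus the one thing a paper certificate cannot give you: a hash of the media as it was after the wipe, computed from the same read-back that proved the pattern was present. Keep the HMAC key away from the machine doing the wiping, or the seal proves nothing.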

Retention periods

Document Minimum Retention Notes
Waste transfer notes 2 years Legal requirement under Environmental Protection Act 1990
Data destruction certificates 6 years (recommended) Aligns with limitation period for civil claims
WEEE compliance notes 3 years (recommended) Evidence of environmental compliance
Data processing agreements Duration of relationship + 6 years Keep as long as you may need to demonstrate GDPR accountability

Store all certificates digitally alongside your compliance documentation. If the ICO comes knocking two years after your move, you need to be able to produce these quickly.

How to Choose a GDPR-Compliant Clearance Company

Not all clearance companies take data protection seriously. Some will promise "we'll sort it" without any formal processes, certificates, or standards. Here's how to separate the compliant from the careless.

Questions to ask

  • Are you on the ICO's register of data protection fee payers? — Every organisation that processes personal data as a controller must pay the fee, and a clearance company is a controller of at least its own staff and customer data. Check the public ICO register to verify. Being listed shows they at least engage with data protection law; it does not certify their destruction process, so treat it as a minimum, not as proof
  • What data destruction standard do you follow? — They should be able to name specific standards (DIN 66399, HMG IS5, NIST 800-88) without hesitation
  • Do you provide individual certificates of destruction per batch/device? — A blanket "we destroyed everything" letter is not sufficient. You need itemised certificates
  • Where does shredding and destruction take place? — On-site, at their facility, or subcontracted? You need to know the chain of custody
  • How do you transport confidential waste? — Locked vehicles, tamper-evident containers, GPS-tracked routes are best practice
  • What happens to drives that can't be wiped? — The answer should be physical destruction with a certificate, not "we'll try again" or silence
  • Will you sign a data processing agreement? — This is a legal requirement under GDPR, not a nice-to-have. Any reputable company will have their own template or happily sign yours

Red flags

  • No certificates offered — or a single generic letter covering the entire job
  • "We'll sort it" attitude to data — no specific processes described
  • No written data processing agreement — or reluctance to sign one
  • Unable to name their destruction standard
  • Not on the ICO's fee-payer register
  • Subcontracting destruction to unknown third parties
  • Using open-top skips or unsecured vehicles for confidential waste

Sector-Specific Requirements

GDPR applies to every organisation, but certain sectors have additional regulatory obligations that affect how you handle data during an office move.

Law firms (SRA)

The Solicitors Regulation Authority requires firms to maintain confidentiality of client information at all times — including during a move. Client files, case papers, and correspondence must be securely destroyed if not being retained, and destruction records must be maintained as part of your compliance documentation. The SRA's rules on confidentiality survive the end of a retainer, so files from closed matters still need proper handling. See our law firm sector page for more on office moves in legal practices.

Financial services (FCA)

FCA-regulated firms have prescriptive record retention requirements. MiFID II records must be kept for at least 5 years. Mortgage and insurance records have their own retention schedules. Before destroying anything during a clearance, cross-reference your retention policy: accidentally destroying records you're required to keep is a compliance failure in its own right. A thorough audit of what needs to be retained versus what can be destroyed should happen well before moving day. See our financial services sector page for further guidance.

Healthcare (NHS DSPT)

Organisations handling NHS patient data must comply with the NHS Data Security and Protection Toolkit. Caldicott principles apply to all patient-identifiable information, and destruction of patient data requires the highest security standards — P-5 or above for paper, physical destruction for storage media. Health records are special category data under GDPR, carrying the most severe penalties for mishandling. See our NHS sector page for healthcare-specific guidance.

Education

Student data is subject to additional protections, particularly for under-18s. SEN (Special Educational Needs) records are especially sensitive and may contain medical, psychological, and family information. Schools and universities moving premises should pay particular attention to archived student records, which can accumulate over decades and are often stored in rooms that aren't regularly accessed. A pre-move data audit is essential.

Frequently Asked Questions

Do I need to shred all paper when moving office?

Not all paper, but anything containing personal data, financial information, or confidential business data must be securely destroyed rather than simply recycled. When in doubt, shred it — the cost of shredding is negligible compared to a data breach. General business waste like marketing brochures, blank paper, and non-confidential publications can go through standard recycling.

Who is responsible for data destruction during office clearance?

You are, as the data controller. Even if you hire a clearance company to handle the physical destruction, legal responsibility remains with your organisation. This is why the data processing agreement matters — it establishes your clearance provider's obligations and gives you recourse if something goes wrong. Ensure they provide certificates of destruction for every batch.

What standard should hard drives be wiped to?

HMG IS5 (the former UK government baseline) or NIST SP 800-88 are the most widely accepted standards in the UK, and both require the wipe to be verified, not just run. SSDs should be sanitised with the drive's own secure-erase or cryptographic-erase command rather than a software overwrite. For highly sensitive data (medical records, legal files, financial data) physical destruction provides the highest assurance: degaussing for magnetic media only, or shredding for any media. Your clearance company should be able to specify which standard they use and provide a certificate confirming it was followed.

How long should I keep data destruction certificates?

Waste transfer notes must be kept for a minimum of 2 years by law. Data destruction certificates should be kept for at least 6 years as evidence of GDPR compliance — this aligns with the limitation period for civil claims. Store them digitally with your compliance documentation so they're easily accessible if you need to demonstrate accountability to the ICO or in the event of a legal dispute.

Need GDPR-compliant office clearance?

We provide certified data destruction, waste transfer notes, and full audit trails on every job. Your data stays protected from collection to certificate.

Ready to plan your office move?

Get a free, no-obligation quote from our team. We've handled hundreds of office clearances and relocations across the UK.