What Documents Need Shredding? A Complete Checklist for 2026

Knowing what documents need shredding isn't just about tidying your filing cabinet — it's a legal requirement under GDPR and the Data Protection Act 2018. With 40% of data breaches involving paper documents and ICO fines reaching record levels in 2025, getting document disposal wrong can cost your business thousands in penalties and reputational damage.

This comprehensive guide explains exactly which documents require secure destruction, how long you need to keep them first, and the proper way to dispose of confidential waste once retention periods expire.

Why Proper Document Shredding Matters

Under GDPR Article 5, organisations have a legal duty to keep personal data secure throughout its lifecycle — including destruction. Simply throwing documents in the bin or household recycling exposes you to three major risks:

Data breaches: Confidential information falling into the wrong hands
ICO enforcement action: Fines up to £17.5 million or 4% of global turnover
Reputational damage: Loss of customer trust and business relationships

The Information Commissioner's Office has been clear: businesses must use a BS EN 15713-compliant shredding service with DIN 66399 P-4 security level or higher for documents containing personal or sensitive information.

Business Documents That Need Shredding

Financial Records

After your required retention period (typically 6 years for most business records under HMRC rules), these financial documents require secure destruction:

Bank statements and cancelled cheques
Invoice copies and purchase orders
Payroll records and wage slips
Expense claims and receipts
VAT returns and supporting documents
Annual accounts and audit papers
Credit card statements and payment records

These documents contain commercially sensitive information and, in many cases, personal data about employees, customers or suppliers. Our business shredding service handles all financial waste with full confidentiality.

Employee and HR Documents

Employee records contain highly sensitive personal data protected under GDPR. What documents need shredding once employment ends or retention periods expire?

Job applications and CVs from unsuccessful candidates (6 months after recruitment ends)
Employee contracts and amendments
Performance reviews and disciplinary records
Sickness records and medical certificates
Training records and qualifications
Timesheets and holiday records
References and background checks
Redundancy and termination paperwork

Most employment records must be retained for at least 6 years after employment ends, though some (like accident records) require 3-7 years depending on circumstances.

Customer and Client Data

Any document containing customer information falls under your GDPR obligations:

Customer contracts and agreements
Order forms and delivery notes
Marketing opt-in forms and preference records
Customer correspondence and complaints
Credit applications and payment histories
Customer account records

Once you no longer have a legitimate business reason to retain these records, they must be securely destroyed. This is your "duty of care" under data protection law.

Legal and Compliance Documents

Even after cases close or matters conclude, legal documents require secure destruction:

Signed contracts and agreements (after 6-12 years)
Insurance policies and claims documentation
Legal correspondence and advice
Regulatory inspection reports
Health and safety records (after required retention)
Accident and incident reports

Many law firms and accountancy practices use our on-site shredding service to maintain client confidentiality while meeting their own data protection obligations.

Personal Documents That Need Shredding

It's not just businesses that need to worry about what documents need shredding. Households handle significant amounts of confidential waste, and identity theft affects thousands of UK residents each year.

Financial and Banking Documents

Personal financial records you should shred include:

Old bank statements (keep current year plus 6 years for tax purposes)
Cancelled cheques and paying-in slips
Credit and debit card statements
Loan and mortgage documents (after loan repaid and 6 years passed)
Investment statements and portfolio reports
Pension statements (keep most recent)
Tax returns and supporting documents (after 6 years)

Personal Identification Documents

Never throw these in the bin — they're gold dust for identity thieves:

Expired passports and driving licences
Old NHS cards and medical cards
Utility bills (after 1 year unless needed for tax)
Council tax bills (after 1 year)
Insurance documents (after policy expires plus 3 years)
Vehicle documents and expired MOT certificates

Our domestic shredding service collects confidential waste from homes across Somerset, Dorset, Devon and Wiltshire, or you can use our drop-in facility in Yeovil to watch your documents being destroyed.

Medical and Health Records

Medical information is "special category" personal data under GDPR, requiring extra protection:

Prescription records and medication lists
Appointment letters and test results
Medical insurance claims
Private healthcare correspondence
Mental health records

While the NHS retains your main medical records, any personal copies you hold at home should be shredded once they're no longer needed.

How Long Should You Keep Documents Before Shredding?

The question of what documents need shredding is closely tied to how long you must keep them first. UK retention periods vary by document type:

Tax and accounting: 6 years from end of financial year (HMRC requirement)

Employment records: 6 years after employment ends (3 years for some records)

Contracts: 6 years after contract ends (or 12 years for deeds)

Accident records: 3 years for adults, until age 21 for children

Health records: 8 years for adults, until age 25 for children

For a comprehensive breakdown, see our guide on how long to keep business records in the UK.

What Shredding Method Should You Use?

Not all shredding is equal. GDPR and BS EN 15713 (the UK standard for secure destruction) specify minimum security requirements:

Cross-cut shredding: Cuts paper into small particles (typically 4x40mm or smaller). This is the minimum acceptable standard for confidential waste.

DIN 66399 Security Levels: German standard adopted across Europe. P-4 is standard for confidential business documents, P-5 for highly sensitive data, P-6 and P-7 for top-secret material.

Destruction certificates: Professional shredding companies must provide a certificate of destruction as proof of GDPR compliance. This is your audit trail if the ICO investigates.

Office shredders are fine for non-confidential waste, but any document containing personal data or commercially sensitive information should be handled by a BS EN 15713-compliant provider like Cross Cut Shredding.

Documents That Don't Need Shredding (But Should Be Recycled Properly)

Not everything needs shredding. Documents without personal data, names, addresses, financial information or commercial sensitivity can go in normal recycling:

Marketing materials and brochures
General business correspondence
Meeting agendas (without attendee names)
Training materials and manuals
Company newsletters (internal publications with names should be shredded)

When in doubt, shred it. The cost of secure disposal is far less than the cost of a data breach.

Common Shredding Mistakes to Avoid

Even businesses with good intentions make these errors:

Waiting too long: Don't let confidential waste pile up. Regular shredding reduces risk and storage costs.

Mixing shredding with recycling: Confidential documents must be kept separate and secure until destruction.

Using inadequate shredders: Office strip-cut shredders don't meet GDPR requirements for personal data.

Forgetting digital copies: Electronic documents on old hard drives also need secure destruction — see our GDPR document destruction guide for full compliance requirements.

No destruction certificates: Without proof of destruction, you can't demonstrate GDPR compliance in an audit.

Get Professional Document Shredding in the South West

Now you know what documents need shredding, the next step is choosing a secure, compliant destruction method. Cross Cut Shredding provides BS EN 15713-certified document destruction across Somerset, Dorset, Devon and Wiltshire, with:

DIN 66399 P-4+ cross-cut shredding
Destruction certificates for every collection
On-site and off-site shredding options
Drop-in facility in Yeovil (watch your documents destroyed)
Business and domestic collection services

With 5.0 stars from 127+ Google reviews and transparent pricing starting from just £25, we make GDPR compliance straightforward and affordable. If you're wondering about how to dispose of confidential documents securely, or want to understand document shredding service costs before making a decision, we're here to help.