GDPR in 2025: What Businesses Should Know

The UK’s data protection landscape is evolving. Are you confident your organisation is prepared for the latest legal developments?

GDPR and the DUAA: what’s changing?

The General Data Protection Regulation (GDPR) remains a cornerstone of responsible data handling. However, with the Data (Use and Access) Act 2025 (DUAA) receiving Royal Assent on 19 June 2025, phased updates to the UK GDPR and Data Protection Act 2018 are now underway, continuing through to June 2026.

At Shredall SDS Group, our priority is safeguarding data at its end-of-life stage. Let’s explore the current GDPR principles and how the DUAA may prompt operational adjustments for your business.

The seven core principles of GDPR:

UK GDPR sets out seven core principles that are at the heart of processing and handling personal data;

Lawfulness, fairness, and transparency
Purpose limitation
Data minimisation
Accuracy
Storage limitation
Integrity and confidentiality
Accountability

DUAA: streamlining compliance

The DUAA introduces targeted reforms to simplify compliance and support innovation. Key areas include:

A new lawful basis for processing under “recognised legitimate interests” (e.g. crime prevention, safeguarding)
Clarified rules for further data processing and controller changes
Broader consent options for scientific research
A “soft opt-in” for charities under direct marketing rules
Enhanced clarity around subject access requests (SARs), including a “stop the clock” mechanism for complex queries
Where action may be needed

Two areas demand immediate attention:

Children’s Online Services: Organisations must now consider the specific needs of children when processing their data.
Complaint Handling: Businesses must implement a formal process for data protection complaints, including acknowledgement within 30 days and timely resolution.

What does this mean for your business and data disposal?

While the DUAA doesn’t directly alter disposal requirements, it reinforces the need for airtight confidentiality from data creation to destruction. This includes:

HR records
Financial documents
Customer communications
Marketing opt-ins
Call recordings
Banking details

The right to erasure remains a critical obligation. Ensuring secure disposal is not optional—it’s a compliance necessity.

Why accreditations matter in data protection

At Shredall SDS Group, our commitment to secure data management is backed by industry-leading accreditations that demonstrate our compliance, reliability, and professionalism. In a regulatory environment shaped by GDPR and the DUAA, these certifications are more than just badges—they’re essential indicators of trust, environmental responsibility and operational excellence.

Our accreditations include:

ISO 27001 – The international standard for information security management systems. This ensures we follow rigorous protocols to protect the confidentiality, integrity, and availability of your data.
BS EN 15713 – The British Standard for secure destruction of confidential material. It governs everything from collection and transportation to shredding and recycling, guaranteeing a secure chain of custody.
Cyber Essentials – A government-backed certification that confirms our protection against common cyber threats, reinforcing our digital security posture.
ISO 9001 – Quality Management
ISO 14001 – Environmental Management
ISO 45001 – Occupational Health & Safety Management
PAS 2060 – Carbon Neutrality Certification
SafeContractor – Health and safety compliance
PCI DSS – Secure handling of payment card data

These accreditations are not optional in today’s data-driven world—they’re vital. They provide assurance that your sensitive information is handled with the highest level of care, from the moment it enters your systems to its final destruction.

Why this matters to your business

Regulatory Compliance: Demonstrating that your data disposal partner meets recognised standards helps you fulfil your legal obligations under GDPR and the DUAA.
Risk Mitigation: Accredited processes reduce the risk of data breaches, fines, and reputational damage.
Customer Trust: Clients and stakeholders are increasingly aware of data protection. Working with an accredited provider signals your commitment to safeguarding their information.
Audit Readiness: Our documented procedures and certifications support your internal and external audits, making compliance reporting smoother and more robust.

Secure disposal: avoiding risk

Data breaches aren’t limited to cyberattacks. Paper-based and digital records are vulnerable if not properly managed. Poor disposal practices can lead to fines from the ICO and reputational damage.

Best practices for secure data disposal

Review your retention and disposal policy
Appoint or train a Data Protection Officer
Use lockable containers for sensitive waste
Avoid in-house shredders—these pose security risks
Partner with a certified shredding provider like Shredall SDS Group
Our services include:
On-site shredding Witness your data destroyed in our mobile shredding lorries, offering complete transparency and peace of mind.
Off-site shredding Scheduled collections to our secure destruction depots, where your data is processed swiftly and securely.

All services are backed by our industry accreditations, 0% to landfill commitment, and Platinum-rated customer service. Our expert teams understand the implications of the DUAA and are ready to support your compliance journey.