The implications of Waste Hierarchy guidelines for SMEs.

This article was written by Robert Guice, Executive Vice President, EMEA of Shred-it, a world-leading document destruction company that ensures the security and integrity of its customers’ private information. The company provides a tailored document destruction service that allows businesses to comply with legislation and ensure that client, employee and confidential business information is kept secure at all times.





Waste Hierarchy Regulations

A key responsibility for any business is to safeguard the personal information that it collects about its employees, clients or customers as part of its operations. Businesses are also required to implement waste management systems under the recent Waste Hierarchy regulations from the Department for Environment, Food and Rural Affairs (Defra), which came into force last month.

The rules state that if your business produces or handles waste, which is frankly most of us, you must take measures to both prevent waste and apply the waste hierarchy when you transfer waste.

Article 4 of the revised EU Waste Framework Directive (Directive 2008/98/EC), which has been transposed to UK law through the Waste Regulations 2011, sets out five steps for dealing with waste, ranked according to environmental impact. The current steps have been revised to:





  • Prevention
  • Minimisation
  • Reuse
  • Recycling
  • Energy recovery
  • Disposal


Secure disposal

Most businesses have a desire to be green and so recycle paper – one of the easiest and most common environmental practices. However, they tend to neglect the final stage of the waste hierarchy – secure disposal. Not all businesses realise they also have to think about the security of the documents they have put into the recycling and waste bins. Failing to do so could lead to substantial fines and extensive damage to corporate reputation.

It's important that businesses reduce their organisation’s negative environmental impact at the same time as protecting their reputation and bottom line. If your company uses a third party to process confidential waste, you should ensure that the third party recycles all the waste. This allows you to recycle and destroy confidential information at the same time, without implementing two separate control systems.

Confidential documents are often left in non-secure locations such as recycling bins or waste paper baskets in offices. This has always presented a risk, as these documents could be picked up by anyone at any time or, for example, stolen whilst awaiting collection.

Documents left in recycling bins for pick up by local authorities and waste contractors can also leave businesses and their customers at risk of security breaches and identity theft. The public are frequently made aware of news stories where confidential documents have been found on USB sticks in social venues, destroying the reputation of both individuals and businesses.

It is important to remember that without security procedures integrated into paper recycling, even documents that have been ripped and torn may still lead to privacy and security problems at any point in the recycling process. Such documents are vulnerable to being mishandled, lost or stolen.

Compromised information, no matter how small, can in turn lead to criminal prosecution, damaged reputation and loss of customer trust. This can be fatal to a business or an individual person’s reputation and image. Everything from a pay slip, sales invoice, supplier tender, strategy paper, operational documentation, budgets, sales and marketing planning, staff appraisals and medical records has value to someone because it contains sensitive or confidential information about your organisation, employees or customers.

Consequences of poor data security

Businesses can be fined up to £500,000 by the Information Commissioner’s Office for serious breaches of the Data Protection Act, and could even face a criminal prosecution. Despite this, secure information management is an area which is still undervalued and disregarded by many SMEs. Indeed, a recent survey by IPSOS for Shred-it found that half of small firms in the UK still believe that the loss or theft of data from their organisation would have no impact on their business.

Businesses face damage to their reputation and brand, which most organisations spend years building. Along with negative press coverage and the loss of customer and investor confidence, a company still faces legal fees on top of any fines, and research shows that firms can pay up to £250,000, according to the Department for Business, Enterprise and Regulatory Reform 2008, when the data breach becomes known externally.

Sound information management therefore goes beyond best practice and compliance (although these are still important drivers). Integral to business sustainability is the protection of reputation and brand by guarding against identity theft, fraud and improper disposal of information.

The powers of the ICO should act as a clear warning to UK businesses that ignoring the confidentiality of personal data is a very serious issue. However, it is the potentially crippling damage to a company’s reputation which should worry small business leaders up and down the country. Get information security wrong and it can take a lot of time, effort and money to restore confidence from clients or consumers.


Recycling and shredding responsibly can therefore not only save a company’s reputation and money in the long run but also protect a company and their customers from expensive consequences which can arise from information security breaches.

The SME sector is already hurting in the recession and keeping costs down is a constant concern. However, there does not need to be a trade-off between keeping information safe and maintaining a reputation for being an environmentally conscious and corporately responsible company. It is perfectly possible to have peace of mind over the destruction of confidential data, to maintain a green reputation and save money at the same time. Enlisting a provider that can implement both processes will protect a company and keep costs down.