
BS15713:2009 vs BS15713:2023 – What changed, and why it matters
Why the standard changed, and why it matters
In 2009, the world looked very different. Windows 7 was being rolled out across offices as the next long-term operating system. Joe Biden was sworn in as Vice President alongside Barack Obama, signalling what many hoped would be a generational shift in global politics. Apple launched the iPhone 3GS, impressive for its time but still far from reshaping how most businesses worked day to day.
Offices revolved around filing cabinets, shared drives, and on-site servers. Paper records dominated, remote working was rare, and social media was personal rather than professional. Crucially, GDPR was still almost ten years away. Few organisations expected to be asked to evidence, in detail, how confidential information was handled once it left the building.
It was in that world that BS15713:2009 (published in the UK as BS EN 15713:2009, the British adoption of the European standard for the secure destruction of confidential material) was introduced. The challenges it addressed were real, but they belonged to that moment in history.
That raises a simple question.
What happens when a standard designed for that world is still being relied upon today?
Not because it was wrong, but because the risks it was built to manage have changed. Information no longer sits quietly in cupboards until it is shredded. It moves between systems, locations, devices, and suppliers. Regulatory scrutiny has sharpened, expectations of evidence have increased, and responsibility no longer ends when a box leaves the office.
That is the context in which BS15713:2023 was introduced.
The updated standard supersedes its predecessor, but it builds on it rather than discarding it, reflecting a world in which reassurance alone is no longer sufficient. Organisations are now expected to demonstrate control, traceability, and accountability from collection through to destruction.
Understanding the difference between the two versions is not about technical compliance. It is about understanding which world your provider is operating in.
The quiet escalation of risk
In 2009, the consequences of getting data protection wrong were limited.
Under the UK’s Data Protection Act 1998, the Information Commissioner had no power to impose monetary penalties at all until April 2010, and from then the maximum was £500,000. Even serious breaches typically resulted in fines measured in tens or low hundreds of thousands of pounds.
By the mid-2010s, the picture had begun to shift, but only gradually. In 2016, the UK Information Commissioner’s Office fined TalkTalk £400,000 following a significant data breach. At the time, this was widely seen as a substantial penalty.
Then GDPR arrived in 2018, and the landscape changed fundamentally.
Regulators were empowered to impose fines of up to €20 million or 4 percent of global annual turnover, whichever is higher, for serious violations. The theoretical risk became real.
Penalties have since reached levels that would have been unthinkable in 2009. Amazon was fined €746 million by Luxembourg's data protection regulator in 2021, and in 2023 Meta was fined €1.2 billion by the Irish Data Protection Commission, the largest GDPR penalty issued so far.
The trend is clear. Enforcement has moved from symbolic to structural.
In that context, the question is no longer whether confidential information is destroyed, but whether an organisation could evidence, with confidence, how it was handled at every stage if challenged.
Standards written for a low-enforcement era inevitably look different from those designed for a world where scrutiny is assumed.
What BS15713:2009 required
BS15713:2009 was designed to ensure that confidential material, at the time overwhelmingly paper records, was destroyed securely once it left an organisation’s direct control.
It focused on establishing baseline confidence in the destruction process.
At its core, it required:
- Secure handling of confidential material once received by the destruction provider
- Controlled transport, storage, and access prior to destruction
- Defined destruction methods appropriate to the sensitivity of the material
- Clear responsibility for confidentiality while material was in the provider’s care
- Issuing a Certificate of Destruction confirming that material had been destroyed
The emphasis was on process presence rather than process visibility. If a provider had suitable premises, equipment, trained staff, and documented procedures, destruction was assumed to be carried out correctly.
For a paper-dominated, trust-based environment, this approach was proportionate.
What BS15713:2023 requires
BS15713:2023 reflects a different understanding of information risk and accountability. It assumes that organisations may need to demonstrate, not just assert, that confidential material was handled and destroyed correctly.
The updated standard places greater emphasis on evidence, traceability, and audit readiness.
It requires:
- A documented and auditable chain of custody from collection through to destruction
- Identification and traceability of consignments at a more granular level
- Stronger linkage between collection, handling, destruction, and certification
- Records that support verification of destruction, not just confirmation
- Operational procedures that can be evidenced as being followed
- Premises, equipment, and personnel that are demonstrably suitable, controlled, and accountable for handling confidential material
- Readiness for regulatory, client, or third-party scrutiny
Certificates of Destruction are no longer symbolic assurances. They are expected to form part of an evidential record that can withstand investigation, audit, or regulatory enquiry.
Providers are also viewed differently. They are no longer isolated service vendors, but part of a wider information governance chain. Their controls and records must stand up to the same level of scrutiny as the organisations they support.
In short, BS15713:2023 assumes that trust alone is insufficient. Control must be demonstrable, and assurance must be supported by evidence.
Why this matters now
In practice, many providers no longer specify a year when referencing BS15713. They simply state that they are “BS15713 compliant”.
On the surface, that sounds reassuring. But it avoids an important distinction.
BS15713:2009 and BS15713:2023 are not interchangeable. One has been superseded. The other reflects current expectations of evidence, traceability, and accountability.
Providers that have transitioned to BS15713:2023 tend to say so clearly. They reference the year and are usually willing to explain what it means in practice. Those that have not often rely on the assumption that few customers will ask the follow-up question.
The issue is not intent. It is transparency.
If a provider does not specify which version of the standard they follow, the responsibility for understanding that gap shifts quietly back to the customer.
The question then becomes a simple one:
Are you being offered compliance with the current standard, or reassurance framed in familiar language?