Safekeeping
GDPR isn't just about disposal, it's also about keeping personal data safe and secure. IIRC this applies under the current regulations as well.
It seems to me that HMG has comprehensively failed in its duty of care to do the "safe" part.