In today’s increasingly digital world, computers are indispensable to most companies. Not only do they allow employees to do their jobs, they are also used to store sensitive data about the company, its employees and its clients. This means that when your company needs to dispose of its computers, whether because of a malfunction or a company-wide upgrade, it must ensure that it does so securely. Currently, failure to do this could put you in breach of the Data Protection Act 1998, which could have severe financial, legal and reputational consequences. From 25 May 2018 the GDPR (General Data Protection Regulation) replaces the UK’s Data Protection Act, and the UK government has confirmed that the decision to leave the EU will not change the adoption of this new regulation.
So how do you dispose of a company computer securely? We take a look, in this week’s blog.
Determine How Devices Will Be Identified For Disposal
It is important to establish an IT disposal policy for all company devices and to categorise each device according to the type of data it stores. This policy should be updated each time a new type of device is introduced into the company, and it is vital that employees are aware of how it works. Determine what qualifies a computer for resale, reuse by another employee, recycling of parts, or complete disposal. Whether you are reselling a computer to a third party or assigning it to another employee, you should consider, and keep a record of, who the next owner or user is. Remember that even if you are disposing of a computer because it is broken, the data on it may still be recoverable (a failed motherboard does not mean a failed disk), and you will need to ensure that data is effectively destroyed.
Before You Dispose – Determine Which Devices Contain Sensitive Data
Sensitive data could be information about the employee using the device, about clients, or about the company itself. However, it is important to consider that it might not just be computers that store this data. Other devices, such as printers, fax machines, USB storage and other backup storage devices, may store it too. These devices should not be overlooked when disposing of company IT equipment and should be included in your company’s IT disposal policy. For some devices, physical destruction may be the only way to effectively destroy the data, whereas data erasure may suffice for others. Note that overwrite-based erasure is unreliable on flash media (SSDs and USB sticks), because wear-levelling can leave copies of old data in blocks the overwrite never reaches; such devices usually need the manufacturer’s secure-erase function, encryption with key destruction, or physical destruction. It is up to you to decide what is most appropriate, depending on the type of data stored and the potential consequences should it fall into the wrong hands.
Selecting An IT Asset Disposal Company
Though you can erase the data on company computers yourself, using an accredited IT Asset Disposal (ITAD) company is advisable, especially if the company will no longer have control over the device being disposed of. When choosing an ITAD company you should ascertain whether it is compliant with the Waste Electrical and Electronic Equipment (WEEE) Regulations, which implement the EU WEEE Directive in the UK. If possible, you should conduct a site assessment and audit of your chosen company, and continue with regular audits to check for compliance throughout your business relationship.
Once you have selected your ITAD company, you must draw up a contract with them in which they guarantee that they will dispose of data correctly and effectively. The contract also ensures that both parties are aware of their obligations in the data disposal process, and it should include: specific instructions on what action is to be taken; an approved specification for IT asset disposal that is in line with your company’s IT disposal policy; and details of any downstream partners involved in the service (if applicable).
You should also provide a complete inventory of all company IT equipment that is to be disposed of, including serial numbers, and keep a copy of this record before handing devices to your disposal company. When the work is complete, reconcile the certificate of data destruction the ITAD company issues against that inventory, so that you can show every device handed over was accounted for.
Risk Assessment of the Disposal Process
Before a device leaves your company, it is important that your security policy clearly documents the chain of custody: who is responsible for each device at each stage of disposal, whether that is someone within your company or within the ITAD company you have chosen.
You must be certain that your chosen ITAD company will handle your data to the same standard that you would yourself. Currently, under the DPA, you remain responsible for your data even after it has been entrusted to a third-party data processor. This means that if they do not effectively eradicate all of the data on your devices, you would still be responsible for a resulting data breach. Under the GDPR, data processors also carry direct obligations and can be held liable for breaches alongside the data controller, but that does not remove the controller’s responsibility to choose and monitor its processors.
Even if you do not deal with data disposal in-house, it is important that your company has someone responsible for ITAD. This individual should establish the IT disposal policy, which should be regularly updated. They should also know which devices are leaving the company and when, where they are going, and the type of data on each of them, since that determines how each device should be handled.
If you have any further questions about how to dispose of a company computer securely, please do not hesitate to get in touch with EOL IT Services, the UK’s most accredited IT Asset Disposal Company. Contact us today on 0845 600 4696 or visit https://www.eolitservices.co.uk/services/it-asset-disposal/ to find out how we can help you dispose of your data safely and reliably.
For more information and guidance from the ICO regarding IT Asset Disposal, visit https://ico.org.uk/media/for-organisations/documents/1570/it_asset_disposal_for_organisations.pdf