The GDPR, or General Data Protection Regulation, will come into force in May 2018. The regulation, set by the European Parliament, is intended to strengthen and unify data protection rules across the EU. Much of what the new regulation legislates for is already covered by the UK’s current Data Protection Act, but there are some important elements you need to be aware of when it comes to disposing of your business’s data and IT assets.
Under the new regulations, any business that falls victim to a data breach has only 72 hours to report it, and if it is found to be in breach of the GDPR guidelines it could be fined 4% of the business’s annual turnover or €20 million (whichever is greater). Clearly it is crucial that your business is fully compliant with the GDPR, and in our latest blog we look at some of the most important elements you need to be aware of before the regulations come into effect next year.
Controllers and Processors are Responsible
Whereas under the UK’s current Data Protection Act only the data controllers are responsible for the secure disposal of IT assets, the new GDPR states that data processors will be held responsible too. This means that controllers must appoint an experienced and credible data processor to handle their ITAD needs, and both parties will be accountable to each other throughout the process.
Contracted Data Disposal and Processing
When employing an ITAD company to dispose of your data and equipment, both parties must sign a contract agreeing that all data processing activities will comply with both the controller’s own specific requirements and the new rules set out by the General Data Protection Regulation. The contract must detail the duration, purpose and nature of the data processing, the type of data processed, and the rights and responsibilities of the controller during the process, and both parties must act within the terms of that agreement.
Personal Data Must be Traceable From Start to Finish
However and wherever the personal data that your business uses is stored, it will need to be recorded from the start to the end of its life, regardless of the size or nature of your business. These records must cover what personal data is being stored and what it is used for, as well as proof of consent to use the data. You will also need to show how the data is being protected and where it goes when you no longer need it. Remember that under the new regulation, personal data covers a wide range of information, from names and images to IP addresses and medical records.
Disposal Must Be Fully Auditable
In order to demonstrate complete regulatory compliance, you must be able to audit the data trail. Your IT assets for disposal should be collected in a GPS-tracked vehicle and stored in secure, licensed facilities that use NCSC (https://www.ncsc.gov.uk/) approved data erasure software or physical destruction methods appropriate for the data-bearing media. You should be able to track precisely what data was erased or destroyed, and by whom. This helps to ensure complete accountability for data throughout the process.
Not only is GDPR compliance crucial to protecting your clients’ data; failing to comply could place your entire company at risk. This means it is more important than ever to protect yourself from a data breach at every stage of the data handling journey – including end-of-life data and IT assets.
To find out more about how EOL IT Services can help you remain GDPR compliant for IT asset disposals, contact us today on 0845 600 4696 or via https://www.eolitservices.co.uk/contact/