Since May 2018 any business which controls or processes the private information of EU citizens must do so in compliance with the GDPR (General Data Protection Regulation). The GDPR legislation was passed in response to the pace of technological change in recent decades, which rendered previous data protection policy redundant. The new regulations ensure that the data of EU citizens is adequately protected, and also hands more control to individuals in terms of how their data is handled.
A crucial but sometimes overlooked element of GDPR compliance is the practice of effective and consistent IT asset disposal. IT asset disposal, or ITAD, deals with the responsible disposal of IT equipment at the end of their lifespan, through recycling, data destruction, data erasure or resale.
IT assets which are used throughout the business world such as laptops, storage devices and servers contain a wealth of sensitive data which must be disposed of correctly to ensure full compliance with the GDPR. In this article, we’ll take a look at what that process looks like, and the steps you can take to ensure compliance to protect the data of your clients and customers.
Data Controllers and Data Processors
One of the most important innovations of the GDPR was to expand the responsibilities of Data Controllers and Data Processors. The GDPR has a significant knock-on effect for IT asset disposal, as it means that outsourced ITAD falls under the category of the Data Processor. In the post-GDPR world, when ITAD is outsourced to a Data Processor there must be a written contract in place to confirm this relationship. Any ITAD operation which is undertaken without a written contract post-GDPR exposes both parties to the risk of non-compliance, particularly in the event of a data breach.
The Importance of an ITAD Policy
In addition to a contract defining the relationship between the Data Controller and the ITAD vendor or Data Processor, it is crucial that, as a Data Controller, you have a formalised ITAD policy. If you are a business who handles the data of EU citizens then you are considered a Data Controller by the GDPR, and if this data is stored on IT equipment such as laptops, servers or storage devices, it is imperative that this policy is readily available and understood by all relevant parties within your organisation.
An ITAD policy should describe in detail how personal data will be handled, and how it will be securely sanitised on IT assets which have reached the end of their lifespan. The different roles of key individuals involved in the controlling and processing of sensitive data should also be defined, as well as information on how the chain-of-custody of end-of-life IT assets will be documented. Finally, you should have a clear data-breach notification procedure in place, which is understood by both the Data Controller and Data Processor, as, under the terms of the GDPR, you are required to report any potential data breach to the ICO within 72 hours.
Choosing the Right ITAD Vendor
As a Data Controller, you can go a long way to ensuring your business is fully compliant with the GDPR in relation to the disposal of your IT assets by defining an ITAD policy and ensuring any relationship with a Data Processor is ratified in the form of a contract. To fully protect your business and the security of your data it is important that the IT asset disposal company you choose to process your business data is capable of carrying out the task to the standard set by the GDPR.
If you choose to partner with an ITAD vendor, it is crucial that they are reputable, well-reviewed and certified in compliance with all relevant industry and government regulations including ISO 14001, the Waste Electrical and Electronic Equipment (WEEE) Directive and the Environmental Protection Act 1990, and of course the GDPR.
In the article below, you will find four important questions to ask your potential ITAD provider
Four Questions to Ask Your ITAD Provider
Ensuring GDPR Compliance
The key takeaway in relation to IT Asset Disposal and GDPR compliance is the importance of formalising any processes and transactions which concern the management of data relating to EU citizens. The GDPR hands great power to individual citizens concerning how their data is managed, and it is crucial that businesses evolve and adapt to ensure they are not left exposed. Of course, the risk of non-compliance with the GDPR is huge, and any data breach which is found to be in breach of the GDPR guidelines could result in a fine of 4% of the business’s annual turnover or €20 million, whichever is greater.
Ensure that the future of your company is protected by formalising your approach to ITAD, and by engaging a reliable and fully-qualified ITAD vendor.
With over 25 years industry experience, tier1 is experienced in ensuring compliance with GDPR in the disposal of IT assets. As the UK’s most accredited ITAD supplier, we possess the skills, accreditations and experience to handle our clients’ data with the care they deserve, and to dispose of it responsibility and legally. Contact us today on 0161 777 1000 or visit https://www.tier1.com to find out how we can help resell your redundant IT assets.
