The GDPR reforms became applicable as of 25th May 2018 and set out additional obligations on data processors such as EOL. This requires technical and organisational changes as well as the introduction of new business processes and privacy controls for our organisation.
Under the GDPR, when a controller uses a processor it needs to have a written contract in place to evidence and govern their working relationship. If you are a controller, this guidance will help you to understand what needs to be included in that contract.
The EOL Guide to the most asked questions.
What is the GDPR?
The GDPR, or General Data Protection Regulation, came into force in May 2018. The regulation, set by the European Parliament, intends to strengthen and unify data protection regulations across the EU. Much of what the new regulation legislates for is covered by the UK’s current Data Protection Act, but there are some important elements you need to be aware of when it comes to disposing of your business’ data and IT assets.
Who does it apply to?
The GDPR applies to all “controllers” and “processors”.
What is a Data Controller?
A controller determines the purposes and means of processing personal data.
What is a Data Processor?
A processor is responsible for processing personal data on behalf of a controller.
Why is the GDPR important to ITAD services?
When disposing of end of life assets and data there is the potential risk of suffering a data breach. Under the new regulation, any business that falls victim to a data breach only has 72 hours to report it to the ICO, and if they are found to be in breach of the GDPR guidelines, they could be fined 4% of the business’s annual turnover or €20 million (whichever is greater).
What is a data breach?
A data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.
What does the GDPR say about contracts?
Whenever a controller uses a processor it needs to have a written contract in place.
The contract is important so that both parties understand their responsibilities and liabilities.
The GDPR sets out what needs to be included in the contract.
What needs to be included in the contract, at a minimum?
- the subject matter and duration of the processing;
- the nature and purpose of the processing;
- the type of personal data and categories of data subject; and
- the obligations and rights of the controller.
- the processor must only act on the written instructions of the controller (unless required by law to act without such instructions);
- the processor must ensure that people processing the data are subject to a duty of confidence;
- the processor must take appropriate measures to ensure the security of processing;
- the processor must only engage a sub-processor with the prior consent of the data controller and a written contract;
- the processor must assist the data controller in providing subject access and allowing data subjects to exercise their rights under the GDPR;
- the processor must assist the data controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
- the processor must delete or return all personal data to the controller as requested at the end of the contract; and
- the processor must submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.
When is a contract needed?
Whenever a controller uses a processor (a third party who processes personal data on behalf of the controller) it needs to have a written contract in place. Similarly, if a processor employs another processor it needs to have a written contract in place.
Why are contracts between controllers and processors important?
Contracts between controllers and processors ensure that they both understand their obligations, responsibilities and liabilities. They help them to comply with the GDPR, and help controllers to demonstrate their compliance with the GDPR. The use of contracts by controllers and processors may also increase data subjects’ confidence in the handling of their personal data.
I have never had a contract with an ITAD. Does it have to be exclusive? We do not feel the need to have one.
No, it does not have to have an exclusivity clause.
Often clients state they do not wish to be tied into a contract with a single ITAD provider. This is simply documentation that ensures EOL, as a processor, and you, as a data controller, adhere to this new EU law.
It also demonstrates a responsible data governance plan has been set out and agreed with a recognised ITAD provider.
It also ensures that EOL meets the agreed service levels and security requirements for the equipment and data you have to dispose of, providing the framework for excellent data governance during the disposal of redundant assets.
There is no expectation on the number of items we will process, the number of services you will receive or how often we will visit you.
What are the benefits of us having a contract with you?
- Fixed Pricing
- Agreed Service Levels
- Responsible Framework for Data Governance
- Compliance with the relevant sections of the EU GDPR (with regards to IT Disposal and Data Security)
I don’t want a contract, can I still use ITAD Services?
Yes of course you can. We work tirelessly to ensure that both EOL and our Clients remain compliant.
EOL’s commitment to a truly secure chain of custody and our compliant processes has ensured our accreditations go beyond the normal standards now expected – we ensure we meet AND EXCEED all relevant requirements placed upon us by the GDPR.
As the UK’s most accredited ITAD, EOL remains focussed on enhancing our resources, capabilities and compliance in line with clients’ evolving needs and changing legislative requirements.