The GDPR, or General Data Protection Regulation, will come into force in May 2018. The regulation, set by European Parliament, intends to strengthen and unify data protection regulations across the EU. Much of what the new regulation legislates for is covered by the UK’s current Data Protection Act, but there are some important elements you need to be aware of when it comes to disposing of your business’s data and IT assets.
Under the new regulations, any business that falls victim to a data breach has only 72 hours to report it, and if it is found to be in breach of the GDPR guidelines, it could be fined 4% of the business’s annual turnover or €20 million (whichever is greater). Clearly it’s crucial that your business is fully compliant with the GDPR, and in our latest blog we take a look at some of the most important elements you need to be aware of before the regulations come into effect next year.
Controllers and Processors are Responsible
Whereas under the UK’s current Data Protection Act only the data controllers are responsible for the secure disposal of IT assets, the new GDPR states that data processors will be held responsible too. This means that controllers must appoint an experienced and credible data processor to deal with their ITAD needs, and both parties will be accountable to each other during the process.
Contracted Data Disposal and Processing
When employing an ITAD company to dispose of your data and equipment, both parties must sign a contract agreeing that all data processing activities will comply with both the controller’s own specific requirements and the requirements set out by the General Data Protection Regulation. The contract must detail the duration, purpose and nature of the data processing, the type of data processed, and the rights and responsibilities of the controller during the process, and both parties must act within the agreement set out in this contract.
Personal Data Must be Traceable From Start to Finish
However and wherever the personal data that your business uses is stored will need to be recorded from the start to the end of its life, regardless of the size or nature of your business. In these records, you must cover what personal data is being stored and what it is used for, as well as proof of consent to use the data. You will also need to prove how the data is being protected and where it goes when you no longer need it. Remember that under the new regulation, personal data covers a plethora of different pieces of data, ranging from names and images to IP addresses and medical information.
Disposal Must Be Fully Auditable
In order to demonstrate complete regulatory compliance, you must be able to audit the data trail. Your IT assets for disposal should be collected in a GPS-tracked vehicle and stored in secure and licensed facilities that use NCSC (https://www.ncsc.gov.uk/) approved data erasure software or physical destruction methods appropriate for the data-bearing media. You should be able to track precisely what data was erased or destroyed, and by whom. This helps to ensure complete accountability for data throughout the process.
Not only is GDPR compliance crucial to protect your clients’ data, but failure to comply could actually place your entire company at risk. This means that it is more important than ever to protect yourself from a data breach at every stage of the data handling journey – even for end-of-life data and IT assets.
With over 25 years’ industry experience, tier1 are proud to be the UK’s most accredited ITAD supplier. We possess the skills, accreditations and experience to handle our clients’ data with the care they deserve, and to dispose of it responsibly and legally.
Contact us today on 0161 777 1000 or visit https://www.tier1.com to find out how we can help you dispose of your data safely and reliably.