IAITAM ACE Highlights: Best Answers to all Your GDPR Questions

IAITAM ACE 2018 kicked off with a keynote from speaker Andrew Adams encouraging us all to be ‘the best’, not just great; and to look past what seems to be true and find ‘the truth’. Inspiring words which set us up well for two and a half days of IT asset management seminars. Early on day one, Michael Espada, international business development manager with Sims Recycling Solutions, took the stage in the Compliance Track to offer advice on making sure your IT asset disposition (ITAD) program is ready for the new General Data Protection Regulation (GDPR).

Michael encouraged his audience to “look for a standardized global approach across all of your legal entities,” urging attendees to remember that “GDPR should be part of your language when you do your due diligence”.

A lively question-and-answer session followed Michael’s presentation. Here are a few of the highlights.

For a business that has a long-standing agreement with an ITAD provider, what should they do to get ready for GDPR?

When it comes to contract renewal, the business should build GDPR language into their master service agreement (MSA). Their ITAD provider will be acting as a data processor under GDPR, and it is a requirement to reflect this in the contract. They should also look for evidence that their ITAD provider is taking GDPR seriously and implementing it into their organization – have you received a request from them to opt-in for marketing communications? Have they discussed the implications of GDPR with you? Are they aware of the implications of the new legislation?

What does GDPR mean for secure transport? Does it specify the security requirements for moving data?

GDPR requires that data controllers and data processors have taken reasonable steps to secure data at all stages. It doesn’t specify exact requirements. For clients, it is important to ensure that you have built security requirements into your ITAD audits and due diligence processes. Ask your provider if they can demonstrate their levels of security in their logistics movements that are appropriate to the equipment and data types? Also look for suppliers who effectively balance compliance and data security with sustainability and value recovery. Secure logistics should not come at the expense of cost effective and optimized equipment movements.

Is there a specific method of data destruction required within GDPR? Does it detail whether purging or cleansing is preferred?

GDPR specifies only for businesses to take reasonable steps to protect personally identifiable data. The method of destruction is not detailed. There are pros and cons to all three methods of destruction and your ITAD provider should be able to consult with you to recommend the most suitable approach depending on;

The nature of your IT equipment,
The data held on your IT equipment,
The regulatory requirements you are subject to,
The location of your IT equipment, and
How much equipment you have.

Are there any restrictions on how long data can be ‘at rest’, i.e. stored or held?

There are no specific requirements but SRS recommends to avoid storing any data you no longer need. When data-bearing equipment sits in storage, risk is accumulated due to volume and reduced oversight which increases its threat of data theft or unintentional release of information. There are so many stories of employees innocently donating older computers, storing their company’s financial information, to programs or schools in need of supplies. While this is usually carried out with good intentions, this puts companies at risk and is something that can be easily avoided with a robust disposal process with a contracted ITAD provider.

Does GDPR affect trans-boundary movements?

GDPR does not change the European legislation surrounding the shipment of e-waste. However, you should be mindful of the added risk when using multiple ITAD vendors to transport data and waste. To improve your chances of compliance, value recovery, data security and sustainability, look for a leading provider with multiple sites across the world, well-managed downstream vendors and globally standardized policies and procedures.