The European Union’s (EU) General Data Protection Regulation (GDPR) profoundly impacts the data security practices of organizations that handle, store or process the personal data of EU citizens. In effect since May 2018, the GDPR strengthens data protection rights for EU citizens and clarifies regulatory guidelines for international businesses.
European Union’s (EU) General Data Protection Regulation (GDPR)
With the goal of strengthening the data protection rights of EU citizens, the GDPR also aims to clarify regulatory guidelines for international business. Still, the law is complex and many organizations worldwide see complying with it as a challenge. But the idea at the core of the GDPR that “everyone has the right to protection of personal data concerning him or her” is one that has always been central to the ITAD industry’s best practice.
These regulations are directed at companies with an establishment in the EU. However these regulations still apply to establishments outside Europe if they,
Offer products and services in Europe,
Process personal data from Europe, or
Monitor the behavior of people in Europe.
Out of these three categories, the processing of personal data is the least straightforward. The definition of personal data is expanded under these requirements along with strengthened rights of individuals. The GDPR defines personal data as any form of identifiable information. This could include basic details such as name, email or phone number and could also represent other additional elements such as location, gender, age and IP address. Even if you have data that isn’t directly linked to an identity it may still be considered “personal data” under the GDPR. In addition, sensitive categories, such as health data, require special treatment.
The legal and financial ramifications of the law are profound. Consequences of non-compliance are dire, including fines of up to €20,000,000 ($24,490,600) or 4 percent of global turnover, as well as the risk of class action lawsuits from data breach victims. Violators will also inevitably see disruption to business and damage to their reputation.
Every company, regardless of size, will be required to name a Data Protection Officer (DPO) to oversee compliance with regulations. This person can be an employee or third-party provider with, “expert knowledge of data protection laws and practices” (though Member States have the option to require stricter criteria). The DPO is responsible for training staff and conducting internal audits, as well as notifying the supervisory authorities if and when a data breach does occur. These reports must be made “without undue delay” and within 72 hours of when the breach is discovered, whether it is accidental or the result of negligence. In some instances the DPO will also be required to notify the individuals whose data was compromised.
Since the UK’s vote for “Brexit” in June, 2016, there was a great deal of discussion on how this will impact adoption of the GDPR in the UK. The Government implemented the UK data protection law, UK GDPR, which is similar to the EU regulation. UK GDPR has been in effect since January 01, 2021.
The most concerning risk of non-compliance is the substantial fines. Penalties for breaking the law can be up to four percent of a global enterprise’s annual revenue. Additional risks include,
Obligatory adjustments to reporting ordered by data protection authorities,
Reputational damage, and
Loss of trust with partners and clients.
The risks are significant, which is why so much attention is being given to this new regulation. Your biggest chance of lowering your exposure, even during non-compliance, is to show you have a process in place and are taking preventative measures. In regards to IT asset disposition, you can update (or create) your ITAD policy to incorporate these measures as a way of documenting your process in place.
IT Asset Disposition Partners Prepare for General Data Protection Regulation
The European Union’s (EU) General Data Protection Regulation (GDPR) is understandably a topic of intense discussion and review among IT asset disposition (ITAD) professionals. In effect since May 2018, the regulation applies to all organizations – public and private, anywhere in the world – that handle, store or process the personal data of EU citizens. The broad scope of the GDPR seems daunting, but this changing landscape also holds potential for great opportunity and growth for ITAD providers. Considering the technological requirements and risk involved with data wiping, many companies and agencies will likely outsource that work to a provider with accredited operations already in place. As unnerving as the monetary fines are for big companies, they could be totally crippling to a smaller business. Because the ITAD industry is well-positioned to assure personal data security throughout Europe, we are well-positioned to comply with – and even grow from – the GDPR. To be fully compliant with GDPR, ITAD providers must have in place both technical and organizational measures that ensure the personal data of EU citizens is completely secure. Industry accreditation can provide assurances that personal and corporate data is securely managed. ISO 27001 confirms that a company works within a suitable framework for managing data security risk, regularly reviewing and improving processes. Certifications, such as this one, are therefore useful indicators that an ITAD provider complies with critical elements of GDPR regulations. ITAD providers need to ensure their internal organizational systems are up to the same unassailable standards as their technical ones. These organizational mandates help to mitigate the risk of a data breach and keep ITAD providers compliant with GDPR. Fortunately, some of these measures are fairly straight-forward. ITAD providers will also need to give careful consideration to their cyber liability insurance coverage. Providers should have in place appropriate protection and insurance backed by a professional specialist third party incident and damage limitation support service. This is preferable to relying on potentially protracted traditional contractual redress.
No matter where your business is located you should consider the following regarding your ITAD program:
Conducting a risk assessment on all stored data – Review your current disposition program and determine if there are any potential security gaps.
Documenting the process – Include the ITAD process in your privacy impact assessments.
Auditing your ITAD vendor – Make sure the vendor you are working with has processes in place that will ensure security throughout the disposition process, as well as your compliance with GDPR as it relates to ITAD.
If you have any chance of storing or processing any personal data from a European citizen it is recommended to act now. Managing data stored on retired IT assets is only one part of GDPR and statistics show three out of four companies are unprepared at this time. Awareness is a start, now it’s time to take some action.
Contact Your Business Solution Advisor
Talk to SLS today about how we can support your organization in providing data secure and compliant services.