Giulio Ricci at The ITAD Works
On 14th April 2016 the European Parliament approved the final text of the General Data Protection Regulation (GDPR). The new rules are designed to strengthen individuals' rights over their personal data and to give businesses a single, clear set of rules right across the European Union (EU), including businesses outside the EU that trade with it. However, as with all new legislation, the onus is on companies to ensure they fully adhere to the changes in the law.
Inside or outside the EU
Whilst the new legislation does not apply until 25 May 2018, now is the time to be preparing for the new rules, even though the UK referendum concluded that the UK should leave the EU. You might be thinking that Brexit could make this new legislation null and void, but all indications are that the UK will be looking to toe the line on the rules, to ensure easy and compatible business and trading rules with the EU going forward. In fact, organisations outside the EU are still subject to the jurisdiction of the EU regulators if they offer goods or services to, or monitor the behaviour of, individuals in the EU, simply by collecting personal data about them.
The GDPR covers data held on individuals in the EU (including the UK until it has left), and the EU will undoubtedly continue to be a highly important territory for trade moving forward. In actual fact, even before that date the Information Commissioner's Office (ICO) can already fine an organisation up to £500,000 under the existing Data Protection Act 1998 if a substantial number of complaints are lodged against it, not to mention the reputational fallout and potential bad press.
The 25 May 2018 deadline is one which needs to be the focus of any business that uses personal data, which inevitably means all modern businesses.
What is the GDPR?
The GDPR was created to regulate the processing of personal data and is part of EU privacy and human rights law. It is designed to harmonise the current data protection laws in place across member states and, as it is a regulation rather than a directive, it will be directly applicable in all EU member states without the need for national implementing legislation.
A key part of the GDPR's remit is protecting personal data. This is defined as any information relating to a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. Interestingly, there is no distinction between personal data about individuals in their private, public or work roles.
The legislation will bring in a large number of changes, and organisations will need to consider it carefully and make sure they are compliant. Issues which are attracting particular focus include consent, increased administrative requirements and the need to keep records that demonstrate compliance (a full audit trail), transfers of data outside the EU, and the new direct obligations on data processors.
Preparing for GDPR
In many ways preparing for the new GDPR involves using common sense. We all know that sensitive data has never been easier to obtain or disseminate electronically, while the risks to it have never been greater. A responsible organisation will need to recognise the risks and ensure steps are taken to prevent and mitigate any potential problems.
At the heart of much of this is the effective management of your IT lifecycle. It’s all well and good managing privacy protection on your current systems, but what happens when they become older or obsolete? Can you be sure this data is still as well protected on disused or scrapped systems?
The ICO's website keeps a list of the enforcement actions it has taken (monetary penalties, prosecutions and undertakings), and it makes for fascinating (if not shocking) reading just what a wide variety of breaches it deals with. Naturally the penalties vary by the type of offence committed and the status of the organisation (or indeed individuals) responsible for them.
The levels of fines or punishment can vary greatly too. Under the current Data Protection Act 1998 the ICO's maximum monetary penalty is £500,000. Under the GDPR the ceiling rises, for any organisation, to €20 million or 4% of worldwide annual turnover, whichever is higher, for the most serious infringements (with a lower tier of €10 million or 2% for others), which could potentially be very expensive and damaging indeed. This doesn't even begin to assess the damage to reputation or the organisation's public image.
Undoubtedly, it makes more sense (both practically and financially) to avoid the penalties in the first place. Ensuring your IT lifecycle is well managed is a key part of ensuring the data entrusted to you is protected at all stages.
Avoiding risk through a professionally managed IT lifecycle
It's fair to say the days of simply putting old IT equipment in a skip are long behind us. This is partly down to environmental legislation such as the WEEE (Waste Electrical and Electronic Equipment) Directive, which governs the recycling of electrical goods, but the secure disposal of the data on that equipment is equally important.
There are a number of companies that will now offer to recycle electrical and IT equipment for free, in return for any value recouped from your old items. But beware! It makes more sense to use a recycler such as The ITAD Works that will not only return this value to you, but will equally ensure any residual data on these items is destroyed, so that the disposal itself is compliant with the GDPR.
The scope of IT assets that needs to be managed is also important to consider. Data can be stored on a wide variety and number of different devices in a modern organisation. These range from the traditional servers and PCs but now also include tablets, smartphones, USB sticks, portable hard drives and potentially any device which connects to cloud storage. This can often include employees' personal devices if they access systems from home or remotely. This makes it very important to think about who can access data from where and, where possible, to limit that access to systems owned by the business itself (and therefore under its direct control).
A well-designed IT lifecycle will look at all the potential problem areas and ensure policy and protection are in place throughout. This will range from the initial implementation of systems, through the way data is copied and managed, to the later redeployment of older systems around the organisation, the safe storage of unused items, and finally the verified erasure of data and the secure destruction of the hardware. Because the GDPR requires organisations to be able to demonstrate compliance, evidence of that final stage (for example a certificate of data destruction listing the serial numbers of the assets processed) should be retained.
An expert IT lifecycle service such as that offered by The ITAD Works will ensure your systems comply with regulation (current and forthcoming) today and tomorrow.
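The erasure stage above is only worth anything if it is verified: a drive that was supposed to be wiped but still carries its partition table or boot sector has not been sanitised. The following script is an added illustration of such a check, written for this article; it is not The ITAD Works' own process or tooling. It reads a disk image or block device in chunks and classifies it as zero-filled, randomly overwritten, or still carrying residual data, looking both for well-known filesystem signatures and for chunks whose byte entropy is too low to be a random overwrite. The three test images it builds are constructed in a temporary directory for the demonstration and are not real drives.

```python
"""Residual-data check on a disk image or block device after sanitisation.

Added illustration for this article, not The ITAD Works' own process.
After a zero-fill the media should read back as all zeros; after a random
overwrite or cryptographic erase, as high-entropy bytes. Anything else, and
in particular a surviving partition table or filesystem boot sector, means
the erasure did not complete.
"""
import math
import os
import tempfile

CHUNK = 1 << 20  # read the media 1 MiB at a time

# Well-known on-disk structures (offset from start of device, magic bytes)
# that must not survive a wipe. Offsets assume 512-byte sectors.
SIGNATURES = {
    "MBR boot signature": (510, b"\x55\xaa"),
    "NTFS OEM ID": (3, b"NTFS    "),
    "GPT header": (512, b"EFI PART"),
    "ext2/3/4 superblock magic": (1024 + 56, b"\x53\xef"),
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, close to 8.0 for random data."""
    n = len(data)
    if n == 0:
        return 0.0
    ent = 0.0
    for value in range(256):
        c = data.count(value)
        if c:
            p = c / n
            ent -= p * math.log2(p)
    return ent


def check_signatures(head: bytes) -> list:
    """Names of known structures still present in the first bytes of the media."""
    return [name for name, (off, magic) in SIGNATURES.items()
            if head[off:off + len(magic)] == magic]


def verify_wipe(path: str) -> dict:
    """Classify media as 'zeroed', 'randomised' or 'residual-data'."""
    nonzero = 0
    suspect_chunks = 0
    with open(path, "rb") as f:
        head = f.read(4096)
        f.seek(0)
        while True:
            block = f.read(CHUNK)
            if not block:
                break
            nz = len(block) - block.count(0)
            nonzero += nz
            # A randomly overwritten chunk is close to 8 bits/byte; a partly
            # wiped chunk (zeros mixed with real data) is well below that.
            if nz and shannon_entropy(block) < 7.5:
                suspect_chunks += 1
    structures = check_signatures(head)
    if structures or suspect_chunks:
        verdict = "residual-data"
    elif nonzero == 0:
        verdict = "zeroed"
    else:
        verdict = "randomised"
    return {"nonzero_bytes": nonzero, "structures": structures,
            "suspect_chunks": suspect_chunks, "verdict": verdict}


def build_sample_images(directory: str) -> dict:
    """Constructed 1 MiB test images (not real drives): one zero-filled, one
    random, one 'wiped' drive on which a boot sector and a record survived."""
    paths = {name: os.path.join(directory, name + ".img")
             for name in ("zeroed", "random", "residue")}
    with open(paths["zeroed"], "wb") as f:
        f.write(bytes(CHUNK))
    with open(paths["random"], "wb") as f:
        f.write(os.urandom(CHUNK))
    residue = bytearray(CHUNK)
    residue[3:11] = b"NTFS    "        # NTFS boot sector survived the wipe
    residue[510:512] = b"\x55\xaa"      # so did the MBR boot signature
    record = b"Customer record: J. Bloggs, account 00000000\n"  # constructed
    residue[700000:700000 + len(record)] = record
    with open(paths["residue"], "wb") as f:
        f.write(residue)
    return paths


def demo() -> dict:
    """Run the check over the constructed images; returns {name: verdict}."""
    with tempfile.TemporaryDirectory() as d:
        return {name: verify_wipe(p)["verdict"]
                for name, p in build_sample_images(d).items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:8s} -> {verdict}")
```

Point `verify_wipe` at a block device (for example `/dev/sdb`, read-only) or a captured image to check a drive that has come back from erasure. Two caveats: a small amount of residual data buried in an otherwise random chunk will not move the entropy enough to be flagged, so the signature check and the erasure software's own verification log remain essential; and reading a multi-terabyte drive end to end in Python is slow, so a production check would sample chunks rather than scan every byte.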
The next steps
If you haven't done so already, make sure your organisation is fully up to speed with the text of the GDPR (Regulation (EU) 2016/679). Make sure your internal processes protect personal data and can also demonstrate that protection to satisfy any inspection.
When it comes to decommissioning your IT systems, speak to a reputable ADISA (Asset Disposal and Information Security Alliance) certified asset disposal expert such as The ITAD Works to get full advice on your IT lifecycle. This will ensure you have a robust solution which will limit your risk of data leakage and the potential consequences from it.
With strict, quality-controlled processes, this will ensure your data is fully contained and your hardware is safely and efficiently disposed of, with compliance with both data protection law (the GDPR) and environmental legislation firmly at the forefront.
For more information on how The ITAD Works can help your business meet the new GDPR regulations please contact us Tel: +44 (0)1483 201240 or visit www.theitadworks.com.