The European Union’s (EU) General Data Protection Regulation (GDPR) is understandably a topic of intense discussion and review among IT asset disposition (ITAD) professionals. Adopted in April 2016 and scheduled to come into effect in May 2018, the regulation will apply to all organisations – public and private, anywhere in the world – that handle, store or process the personal data of EU citizens.
The legal and financial ramifications of the law will be profound. Consequences of non-compliance are dire, including fines of up to €20,000,000 ($24,490,600) or 4 percent of global turnover, as well as the risk of class action lawsuits from data breach victims. Violators will also inevitably see disruption to business and damage to their reputation.
With the goal of strengthening the data protection rights of EU citizens, the GDPR also aims to clarify regulatory guidelines for international business. Still, the law looks complex and many organizations worldwide see complying with it as a challenge. But the idea at the core of the GDPR that “everyone has the right to protection of personal data concerning him or her” is one that has always been central to the ITAD industry’s best practice.
To be fully compliant with GDPR, ITAD providers must have in place both technical and organizational measures that ensure the personal data of EU citizens is completely secure. Industry accreditations can provide assurances that personal and corporate data is securely managed. ISO 27001 confirms that a company works within a suitable framework for managing data security risk, regularly reviewing and improving processes. Certifications, such as this one, are therefore useful indicators that an ITAD provider complies with critical elements of GDPR regulations.
ITAD providers need to ensure their internal organizational systems are up to the same unassailable standards as their technical ones. These organizational mandates will help to further mitigate the risk of a data breach and keep ITAD providers compliant with GDPR. Fortunately, some of these measures are fairly straightforward.
Every company, regardless of size, will be required to name a Data Protection Officer (DPO) to oversee compliance with regulations. This person can be an employee or a third-party provider with “expert knowledge of data protection laws and practices” (though Member States have the option to require stricter criteria). The DPO will be responsible for training staff and conducting internal audits, as well as notifying the supervisory authorities if and when a data breach does occur. These reports must be made “without undue delay” and within 72 hours of when the breach is discovered, whether it is accidental or the result of negligence. In some instances the DPO will also be required to notify the individuals whose data was compromised.
ITAD providers will also need to give careful consideration to their cyber liability insurance coverage. Providers should have in place appropriate protection and insurance backed by a professional specialist third party incident and damage limitation support service. This is preferable to relying on potentially protracted traditional contractual redress.
The GDPR raises the threshold for obtaining data subject consent. Instead of using “opt-out” consent, individuals must now “opt-in” using “freely given, specific, informed, and unambiguous” actions. For example, customers receiving newsletters or email updates must explicitly agree to be on that distribution list. Pre-ticked boxes left untouched will no longer be considered consent.
Since the UK’s vote for “Brexit” in June, there has also been a great deal of discussion on how this will impact adoption of the GDPR here. Currently, the Government plans to implement the GDPR, as it will come into force before the UK leaves the EU. There are no plans to make changes to the regulation, though that has not been discounted in the long-term.
The broad scope of the GDPR seems daunting, but this changing landscape also holds potential for great opportunity and growth for ITAD providers. Considering the technological requirements and risk involved with data wiping, many companies and agencies will likely outsource that work to a provider with accredited operations already in place. As unnerving as the monetary fines are for big companies, they could be totally crippling to a smaller business. Because the ITAD industry is well-positioned to assure personal data security throughout Europe, we are well-positioned to comply with – and even grow from – the GDPR.
Learn more about the data destruction techniques that can help you be compliant with GDPR.