IT asset disposition: A necessary part of GDPR compliance


Corporations who handle EU citizen data are in a frenzy to meet the GDPR's compliance deadline, but are they missing a critical piece at the end of the data life cycle? Learn how IT asset disposition is a necessary part of GDPR compliance.

9 April 2017

Many organizations that keep or process personal data of EU citizens are hard at work trying to reach the May 2018 compliance deadline for the EU's General Data Protection Regulation (GDPR). Yet, despite these efforts, a large number of organizations remain far from ready. Many also remain unaware of the need for GDPR compliance at the far end of the asset life cycle: the point of IT asset disposition (ITAD).

Proving GDPR compliance with a formal ITAD policy is important but often overlooked. Fortunately, good advice can make it easier to develop an ITAD policy.

The GDPR, ITAD and a Continued Risk of Data Breach

Legal advisers, such as those in Lexology, talk about the GDPR's expanding roles of Data Controller (DC) and Data Processor (DP). For IT asset disposition, the use of outsourced ITAD vendors now falls under the GDPR requirements for Data Processors (as well as any third-party sub-processors they may use).

A related area that remains top-of-mind for most CIOs, according to Brooks Hoffman, Principal of Data Management at Iron Mountain, is avoiding a potential breach of EU citizens' personal data.

"The ITAD business is still a little bit of the Wild West. There are some companies out there that don't do everything the right way. It's easy to cut corners. If you do," he warns, "it could come back to bite you. It could even result in a data breach."

Into the Breach: Clearly Spelling Out ITAD Safeguards

For ITAD, such personal EU citizen data might reside on one or more end-of-life PCs, laptops, servers or hard drives. Here, it's imperative to have both a formal ITAD policy spelled out by the Data Controller and a formal contract between the Data Controller and any ITAD vendor or Data Processor.

Such formal policy and contract documents should describe how personal data will be identified and how it will be securely removed from end-of-life IT assets earmarked for recycling or remarketing. Appropriate roles and chain-of-custody procedures for the asset disposition process should also be clearly spelled out.

The data-breach notification procedures to be followed also need to be formally defined between the Data Controller and the Data Processor. The Data Processor's plans to prevent such a breach should be documented in writing, along with any post-breach processes and the DP's financial commitment to remediation.

"If you plan to use an outside ITAD partner, it's one thing for them to say, 'We will perform data breach notification within 72 hours and set up all credit monitoring in the aftermath of a breach,'" says Hoffman. "But you also need to make sure that the vendor can financially handle any specific breach notification and follow-up requirements."

Here, he says, it pays to make sure that the ITAD vendor is well-capitalized, reputable, and industry certified by an accredited third party. In case of a potential data breach, Hoffman says, look especially for vendors with sufficient coverage in the areas of Errors and Omissions insurance or cyber liability insurance.

There are also other desirable characteristics to look for when evaluating ITAD vendors and defining ITAD policy. This reference article covers some of them. Interestingly enough, a Data Processor Questionnaire developed in the Channel Islands may help spark more policy areas for evaluating vendors or formalizing ITAD policy and contract documents according to the GDPR.

Why Formalize Your ITAD Policy?

It's good business to formalize best practices and policies surrounding the proper storage, management, and disposition of citizens' data. Yet it's also true that the stiff potential penalties for GDPR non-compliance now make formalizing this good practice more of a 'stick' (forcing compliance) than a 'carrot' incentive.

"The GDPR is really an evolution in the global trend toward data privacy. What makes it a game-changer is that it gives individuals very powerful rights to opt out of having their data tracked and stored by companies. That raises the stakes, and the fines for non-compliance are astronomical," says Hoffman. "This makes it more important than ever to have a formalized, over-arching ITAD policy - especially in larger companies where each office might otherwise do things a little differently. If 75% of the organization does ITAD the right way, it means that 25% is doing things the wrong way. That's a problem."