Now that you have probably acted upon a plethora of GDPR emails from organisations you had long forgotten about, the dust is finally beginning to settle on what appeared to be a very long lead up to GDPR legislation.
The implementation has started and this ‘new era’ of data compliance is beginning to take shape. However, I want to discuss the safe and secure disposal of data-bearing electronic equipment when the time has come to replace and upgrade your IT infrastructure. Unwanted or redundant equipment is often cited as one of the biggest risks when it comes to potential data breaches.
In particular: how effective has your planning for this changeover been? Will it be carried out under contracted terms with a secure and accredited partner? It is vital that these points are acted upon diligently.
When the lifecycle of your electronic equipment reaches the end, there are several things you need to consider.
Firstly, draw up a full asset inventory so that you know exactly what it is you are disposing of and detail Manufacturer, Model Number, Serial Number and any associated asset tag so that you can easily identify each and every piece of equipment.
What will happen to these devices that are no longer needed? Will they be redeployed into other areas of the business, be made available for reuse or will they be recycled or destroyed?
If you are involving a specialist IT disposal company, make sure that your security policy sets out how the chain of custody is managed. Devices should never leave your organisation before you have established who is responsible for carrying out data deletion on your equipment, so ensure that the company is accredited to the relevant standards, ISO 9001 and ISO 27001 as a minimum.
If you use a specialist asset disposal company to recycle your old electronic equipment, it will be defined as a ‘data processor’.
As the asset disposal company will be acting on your behalf, you will be responsible under GDPR for what the provider does with any personal data contained on the devices that it is recycling. If the provider does not successfully delete personal data that is subsequently compromised, you may be responsible for the breach.
Choose an IT asset disposal company that provides sufficient guarantees about its security measures. You should be satisfied that your service provider will treat the personal data with the same level of protection, or better, as you.
Check for independent approval of the products used in the deletion process, such as approval by CESG, the UK Government’s national technical authority for information assurance, and ensure that you will receive a data deletion certificate for each and every device wiped. If possible, conduct a site assessment and audit of your chosen disposal company. Continue to audit the data processor for compliance throughout the business relationship.
Where possible – and as another layer of security – ask for all data wiping to be carried out on your own premises; this allows you to monitor all activities.
Also, draw up a contract with the data processor. GDPR sets out that a written contract must be in place between your organisation and the data processor, so that both parties are aware of their obligations.
Ensure that your contract also includes: explicit direction on the services to be undertaken; a requirement that the processor act only in accordance with your instructions and with an approved specification for IT asset disposal that is aligned to your disposal/security policy; and full details of all downstream partners involved in the service.
Any downstream partner contracts should include the same data controller specification for IT asset disposal as the minimum service level to be met.
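The inventory, chain-of-custody and deletion-certificate controls above are only useful if someone actually checks them against each other. The following is an added example (not from the original post or any disposal company) of a small reconciliation script: it takes an asset inventory keyed by serial number, a custody log, and the certificates returned by the processor, and flags devices that have no certificate, devices that were released to the partner before a wipe was recorded (the case on-site wiping is meant to prevent), and certificates quoting serials that were never in your inventory. All serial numbers, asset tags, partner names and certificate IDs are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Asset:
    """One line of the asset inventory (fields the post asks you to record)."""
    manufacturer: str
    model: str
    serial: str
    asset_tag: str


@dataclass(frozen=True)
class CustodyEvent:
    """Chain-of-custody entry: 'wiped' = deletion performed, 'released' = handed to partner."""
    serial: str
    event: str
    party: str
    when: datetime


@dataclass(frozen=True)
class DeletionCertificate:
    """Certificate the data processor returns for a wiped device."""
    serial: str
    certificate_id: str
    issued_by: str
    issued_at: datetime


# Constructed sample data; serials, tags, partner and certificate IDs are hypothetical.
INVENTORY = [
    Asset("ExampleCorp", "Laptop X1", "SN-A001", "TAG-0001"),
    Asset("ExampleCorp", "Laptop X1", "SN-A002", "TAG-0002"),
    Asset("ExampleCorp", "Server R2", "SN-A003", "TAG-0003"),
]

PARTNER = "Example Disposal Ltd"
CUSTODY_LOG = [
    # SN-A001: wiped on our premises, then released - the intended order
    CustodyEvent("SN-A001", "wiped", PARTNER, datetime(2018, 6, 1, 9, 0)),
    CustodyEvent("SN-A001", "released", PARTNER, datetime(2018, 6, 1, 12, 0)),
    # SN-A002: left the building before any wipe was recorded
    CustodyEvent("SN-A002", "released", PARTNER, datetime(2018, 6, 1, 12, 0)),
    CustodyEvent("SN-A002", "wiped", PARTNER, datetime(2018, 6, 2, 10, 0)),
    # SN-A003: wiped on site, but no certificate ever came back
    CustodyEvent("SN-A003", "wiped", PARTNER, datetime(2018, 6, 1, 9, 30)),
    CustodyEvent("SN-A003", "released", PARTNER, datetime(2018, 6, 1, 12, 0)),
]

CERTIFICATES = [
    DeletionCertificate("SN-A001", "CERT-0001", PARTNER, datetime(2018, 6, 1, 9, 5)),
    DeletionCertificate("SN-A002", "CERT-0002", PARTNER, datetime(2018, 6, 2, 10, 5)),
    # Certificate for a serial that was never in our inventory
    DeletionCertificate("SN-Z999", "CERT-0099", PARTNER, datetime(2018, 6, 2, 10, 6)),
]


def reconcile(inventory, custody_log, certificates):
    """Cross-check inventory, custody log and certificates; return findings by category."""
    by_serial = {a.serial: a for a in inventory}
    cert_by_serial = {c.serial: c for c in certificates}
    wiped_at = {e.serial: e.when for e in custody_log if e.event == "wiped"}
    released_at = {e.serial: e.when for e in custody_log if e.event == "released"}

    findings = {
        "missing_certificate": [],
        "released_before_wipe": [],
        "unknown_serial_on_certificate": [],
    }
    for serial in by_serial:
        if serial not in cert_by_serial:
            findings["missing_certificate"].append(serial)
        released = released_at.get(serial)
        wiped = wiped_at.get(serial)
        # A device that left before a wipe was recorded is the breach scenario to chase up.
        if released is not None and (wiped is None or released < wiped):
            findings["released_before_wipe"].append(serial)
    for serial in cert_by_serial:
        if serial not in by_serial:
            findings["unknown_serial_on_certificate"].append(serial)
    return findings


if __name__ == "__main__":
    for category, serials in reconcile(INVENTORY, CUSTODY_LOG, CERTIFICATES).items():
        print(f"{category}: {serials or 'none'}")
```

Run against the constructed data, the script reports SN-A003 as lacking a certificate, SN-A002 as released before its wipe, and CERT-0099's serial as unknown; an empty report is what you would expect to file alongside the certificates as evidence of the audit the post recommends.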
GDPR compliance is slowly finding its feet. The surfeit of emails flooding your inbox has ended, but the reality of GDPR will only kick in when the disposal of electronic equipment and other similar assets is given the due care and attention it deserves.