If you’re still concerned about your organisation’s GDPR compliance, then the best place to look for advice is the ICO’s Guide to GDPR. This document outlines every detail of the new legislation, from the principles behind the Act to key definitions (like what exactly is meant by ‘personal data’), accountability and governance.
Let’s not forget, failure to comply with GDPR could mean a hefty fine – up to 4% of global turnover, or €20 million – so it’s worth getting it right.
Steps you’ll need to take include identifying all the places where personal data is stored, and being aware of the specific lengths of time for which different types of data need to be protected. At the very least, you’ll need a policy for data security and data disposal in your organisation, and you’ll need to appoint a responsible staff member to manage this.
It’s also important to educate all of your staff on GDPR processes and make sure everyone is aware of the legislation. There’s no point in having a policy if nobody bothers to follow it.
If you’re using a specialist asset disposal company (known as a ‘data processor’) to dispose of old IT equipment, then make sure you’re happy with their approach, credentials and security measures. The DPA requires a written contract to be in place between your organisation and the data processor, which details the services to be undertaken and includes all downstream partners involved in the service, ensuring full transparency and responsibility.
So when the time comes to dispose of IT assets, DON’T FORGET:
Create an Asset Disposal Strategy, which covers IT asset disposal and personal data deletion
Include in this strategy whether these assets will be reused, recycled or destroyed. The ICO’s guide to Deleting Personal Data is useful here
Remember to consider other electronic devices in relation to GDPR, such as printers, faxes, servers, smartphones, tablets and USB or backup storage
Update your organisation’s security policy and make sure that all staff are aware of recent legislative changes and how they affect procedures
Determine whether you will carry out these actions in-house, or appoint a data processor
If you appoint a data processor, make sure that a written contract is in place
The new regulations surrounding the removal, wiping and destruction of electrical waste under GDPR are a welcome improvement to information handling and privacy laws. But it’s also a bit of a headache for many organisations.
If you’d like some help with the process, then please give us a call on +44 (0)203 0922 787 or email us here.
Richard Ellis | RELLTEK