IT asset disposition: A necessary part of GDPR compliance
Corporations who handle EU citizen data are in a frenzy to meet the GDPR's compliance deadline, but are they missing a critical piece at the end of the data life cycle? Learn how IT asset disposition is a necessary part of GDPR compliance.
Many organizations that keep or process personal data of EU citizens are hard at work trying to reach the May, 2018 compliance deadline for the EU's General Data Protection Regulation (GDPR). Yet, despite these efforts, a large number of organizations remain far from ready. Many also remain unaware of the need for GDPR compliance at the far side of their asset life cycle: namely, the point of IT asset disposition (ITAD).
Proving GDPR compliance with a formal ITAD policy is important, but often overlooked. Fortunately, good advice can make it easier to develop an ITAD policy.
The GDPR, ITAD and a Continued Risk of Data Breach
Legal advisers, such as those in Lexology, talk about the GDPR's expanding roles of Data Controller (DC) and Data Processor (DP). For IT asset disposition, the use of outsourced ITAD vendors now falls under the GDPR requirements for Data Processors (as well as any third-party sub-processors they may use).
A related area that remains top-of-mind for most CIO's, according to Brooks Hoffman, Principal of Data Management at Iron Mountain, is avoiding a potential data breach of EU citizens' personal data.
"The ITAD business is still a little bit of the Wild West. There are some companies out there that don't do everything the right way. It's easy to cut corners. If you do," he warns, "it could come back to bite you. It could even result in a data breach."
Into the Breach: Clearly Spelling Out ITAD Safeguards
For ITAD, such personal EU citizen data might reside on one or more end-of-life PCs, laptops, servers or hard drives. Here, it's imperative to have both a formal ITAD policy spelled out by the Data Controller as well as a formal contract between the Data Controller and any ITAD vendor or Data Processor.
Such formal policy and contract documents should describe how personal data will be identified and how such data will be securely removed on end-of-life IT assets now earmarked for recycling or remarketing. Appropriate roles and chain-of-custody procedures for the asset disposition process should also be clearly spelled out.
Also needing to be formally defined with the Data Controller and Data Processor are any data-breach notification procedures to be followed. Data Processor plans to prevent such a breach should be formally documented in writing, as well as any post-breach processes and financial commitment of the DP to remediation.
"If you plan to use an outside ITAD partner, it's one thing for them to say, 'We will perform data breach notification within 72 hours and set up all credit monitoring in the aftermath of a breach,'" says Hoffman. "But, you also need to make sure that the vendor financially handle any specific breach notification and follow-up requirements."
Here, he says, it pays to make sure that the ITAD vendor is well-capitalized, reputable, and industry certified by an accredited third-party. In case of a potential data breach, Hoffman says, look especially for vendors with sufficient coverage in the areas of Errors and Omissions insurance or Cyberliability.
There are also other desirable characteristics to look for when evaluating ITAD vendors and defining ITAD policy. This reference article covers some of them. Interestingly enough, a Data Processor Questionnaire developed in the Channel Islands may help spark more policy areas for evaluating vendors or formalizing ITAD policy and contract documents according to the GDPR.
Why Formalize Your ITAD Policy?
It's good business to formalize best practices and policies surrounding the proper storage, management, and disposition of citizens' data. Yet, it's also true that the stiff potential penalties of GDPR non-compliance now make formalizing this good practice more of a 'stick' (to force compliance) versus a 'carrot' incentive.
"The GDPR is really an evolution in the global trend toward data privacy. What makes it a game-changer is that it gives individuals very powerful rights to opt-out of having their data tracked and stored by companies. That raises the stakes and the fines for non-compliance are astronomical," says Hoffman. "This makes it more important than ever to have a formalized, over-arching ITAD policy - especially in larger companies where each office might otherwise do things a little differently. If 75% of the organization does ITAD the right way, it means that 25% is doing things the wrong way. That's a problem."