Elevate the power of your work
Få en GRATIS konsultasjon i dag!
Are you fully GDPR compliant? Learn how IT asset disposition and a formal SITAD policy are vital parts of GDPR compliance.
Corporations who handle EU citizen data must now adhere to GDPR compliance. But failing to consider the end of the data life cycle could mean that they're falling short of the mark. Learn how IT asset disposition is an essential part of GDPR compliance.
Many organisations that keep or process the personal data of EU citizens found themselves in a last-minute panic ahead of the May 2018 compliance deadline for the EU's General Data Protection Regulation (GDPR). GDPR compliance forced organisations to recognise the extent of all their assets, including those at the far side of their asset lifecycle: namely, the point of IT asset disposition (ITAD).
Proving GDPR compliance with a formal ITAD policy is important, but often overlooked. Fortunately, good advice can make it easier to develop an ITAD policy.
GDPR has introduced the expanding roles of Data Controller (DC) and Data Processor (DP). For IT asset disposition, the use of outsourced ITAD vendors now falls under the GDPR requirements for Data Processors (as well as any third-party sub-processors they may use).
A related area that remains top-of-mind for CIO's, according to Brooks Hoffman, Principal of Data Management at Iron Mountain, is avoiding a potential data breach of EU citizens' personal data.
"The ITAD business is still a little bit of the Wild West. There are some companies out there that don't do everything the right way. It's easy to cut corners. If you do," he warns, "it could come back to bite you. It could even result in a data breach."
For ITAD, such personal EU citizen data might reside on one or more end-of-life PCs, laptops, servers or hard drives. Here, it's imperative to have both a formal ITAD policy spelled out by the Data Controller as well as a formal contract between the Data Controller and any ITAD vendor or Data Processor.
Such formal policy and contract documents should describe how personal data will be identified and how it will be securely removed on end-of-life IT assets earmarked for recycling or remarketing. Appropriate roles and chain-of-custody procedures for the asset disposition process should be spelled out clearly.
Also needing to be formally defined with the Data Controller and Data Processor are any data-breach notification procedures to be followed. Data Processor plans to prevent a breach should be formally documented in writing, as well as any post-breach processes and financial commitment of the DP to remediation.
"If you plan to use an outside ITAD partner, it's one thing for them to say, 'We will perform data breach notification within 72 hours and set up all credit monitoring in the aftermath of a breach,'" says Hoffman. "But, you also need to make sure that the vendor financially handles any specific breach notification and follow-up requirements."
Here, he says, it pays to make sure that the ITAD vendor is well-capitalised, reputable, and industry certified by an accredited third-party. In case of a potential data breach, Hoffman says, look especially for vendors with sufficient coverage in the areas of Errors and Omissions insurance or Cyber liability.
There are also other desirable characteristics to look for when evaluating ITAD vendors and defining ITAD policy. This reference article covers the questions you need to be asking of them. Interestingly, a Data Processor Questionnaire developed in the Channel Islands may help spark more policy areas for evaluating vendors or formalising ITAD policy and contract documents according to the GDPR.
It's good business to formalise best practices and policies surrounding the proper storage, management, and disposition of citizens' data. Yet, it's also true that the stiff potential penalties of GDPR non-compliance now make formalising this good practice more of a 'stick' (to force compliance) versus a 'carrot' incentive.
"The GDPR is really an evolution in the global trend toward data privacy. What makes it a game-changer is that it gives individuals very powerful rights to opt-out of having their data tracked and stored by companies. That raises the stakes, and the fines for non-compliance are astronomical," says Hoffman. "This makes it more important than ever to have a formalised, over-arching ITAD policy - especially in larger companies where each office might otherwise do things a little differently. If 75% of the organisation does ITAD the right way, it means that 25% is doing things the wrong way. That's a problem."