February 15, 2018
The General Data Protection Regulation (GDPR) is about more than the “right to be forgotten.”
May 2018 is right around the corner. Is your organization prepared to comply with GDPR?
The General Data Protection Regulation is, at its core, a code of good practice for handling and processing personal data. The primary differences between it and earlier standards are the detail and rigor of the regulations and the fact that this code has very sharp and significant teeth. Fines for non-compliance can be up to 4% of a company’s total global revenue or €20 / $24.8 / £17.7 million, whichever is greater. With potential fines this large, international media scrutiny of any incidents will be intense. Together, substantial fines and negative publicity form a significant incentive for companies to ensure their procedures, practices, and performance comply with the new regulations.
What does the GDPR cover?
The GDPR is a comprehensive set of rules around how data is collected, secured, managed, processed, retained, and deleted.
Also of note: the GDPR gives more control over personal data to the individual, starting with permission and consent for data controllers to collect and process personal data in the first place.
Gone are the days of impenetrable legal jargon and fine print, as well as the need to specifically opt out of data collection. With the GDPR, a company that collects sensitive personal data must first seek and receive explicit consent from the data subject prior to collection, and it must seek that consent using plain, easily understood language. Not only must an individual “opt in” to allowing their sensitive personal information to be held and processed, the same individual may “opt out” at any future time.
The requirement that supports an individual’s right to withdraw consent – and the significant change in “ownership” of personal information this implies – is why you’ve heard so much about “the right to be forgotten.” Once consent is revoked, companies must be able to find and expunge an individual’s data from any system on which it resides. This in turn means that tighter controls and far more rigorous oversight become mandatory.
Overall, the GDPR’s principles may be viewed as enhancements to and codification of existing best practices:
- personal data can only be collected and processed under specific conditions
- no more data than is necessary may be collected
- data must be accurate and up-to-date, and should not be retained any longer than is necessary to fulfill the purpose for which it was collected
- use and storage of personal data is subject to the rights of the individual
- data must be protected against accidental loss, destruction, or damage
- technical and organizational security measures must be implemented to prevent unauthorized or unlawful access
- any transfer of data to – or processing of data outside of – the European Economic Area must include adequate protections to ensure compliance with GDPR
- data must be protected and managed throughout the lifecycle, including when the device on which it resides is removed from service
- organizations must maintain records and be able to prove compliance, even in the absence of a breach.
But we already know data security is important…
You’d have to be living in a cave without internet access to have missed some of the major data breach stories of 2017. But in the rush to ensure security and compliance for “live” data – that is, data in active use – it’s easy to overlook the fact that the GDPR also includes requirements around data handling for devices at end-of-life, and that’s often the time when data is most vulnerable.
More than ever, when assets are removed from service, prompt data erasure is essential to eliminate any possibility of a breach. Further, to sanitize assets and be GDPR compliant, you must use methods and follow processes that have been shown to be effective. And finally, you must be able to provide formal, written documentation to regulators confirming that data has been erased from all devices.
To ensure all these requirements are met, most companies choose to contract with an experienced IT Asset Disposition provider: one who uses proven, internationally recognized erasure products and protocols, and one who will provide a Certificate of Data Destruction tied to the serial number of each device, whether that device is recycled or remarketed.
Since certified data erasure at device end-of-life and the contractual obligations to comply with GDPR will be necessary after May 25th, how do you recognize an ITAD provider who will not only ensure compliant data erasure but also withstand GDPR compliance scrutiny? This is particularly difficult since the GDPR does not yet include any relevant certifications for ITAD providers.
A useful guide in the absence of a GDPR-specific certification is ISO 27001 certification, particularly when held by an ITAD provider who classifies personal data as an information security asset and keeps records of all processing activities.
How does holding ISO 27001 certification support GDPR compliance? ISO 27001 is an internationally recognized standard that provides a framework for:
- a culture of security awareness with clear, documented standards, procedures, and proofs
- asset management with formal contractual agreements between the company removing assets from service and the ITAD provider who will handle them
- risk assessment and classification of information in relation to legal requirements
- compliance with legislative requirements and contractual obligations
- technical controls with active monitoring of all process steps
- notification of potential or actual breach within 72 hours of discovery
- information security
Naturally, as the GDPR evolves, additional certifications or specifications may emerge, but until that time an IT Asset Disposition partner who holds ISO 27001 certification is your best choice for ensuring GDPR compliance at asset end-of-life.
Want to learn more about the GDPR? Visit:
https://www.eugdpr.org/
Mary Couse
Mary has been involved with the IT Asset Disposition (ITAD) industry since 2004; however, she’s been passionate about reuse and recycling since her college days.