GDPR Regulations You Need to Understand & How Wisetek Can Help
Secure data destruction and disposal is increasingly one of the biggest concerns for businesses today. Organizations falling victim to data breaches is alarmingly routine around the world, and the amount of coverage surrounding events like the Equifax hacking scandal, in which the data of 145 million people was stolen, reflects the growing concern for protecting your customers’ information. Currently, many businesses outsource their IT asset disposal to specialist third-party IT Asset Disposal firms like Wisetek to ensure regulatory compliance, mitigate risk and free up business resources.
The General Data Protection Regulation (GDPR) comes into force on May 25th 2018. The GDPR rules are stricter than the existing Data Protection Act (DPA), so changes to your data handling are required. Despite many efforts made by companies who handle the personal data of EU citizens, a large number of these organizations remain far from ready, and some are even unaware of the need for GDPR compliance where IT asset disposition (ITAD) is concerned.
Under the new regulations, any organization that falls victim to a data breach has only 72 hours to report it, and if it is found to be in breach of the GDPR guidelines, it could be fined 4% of the business’ annual turnover or €20 million (whichever is greater). Clearly, it is crucial that your organization is fully compliant with the GDPR.
Some requirements you need to be aware of to be compliant with GDPR:
If your organization operates in more than one EU member state, your lead data protection supervisory authority should be determined and documented. The lead authority is the supervisory authority in the state where your main office/facility is. This is the location of your central administration in the EU or, failing that, the location where decisions about the purposes and means of processing are taken and implemented.
This is only relevant if you carry out cross-border processing: for example, if you have facilities in more than one EU member state, or you have a single site in the EU that carries out processing which substantially affects individuals in other EU states.
If this applies to your business, you should map out where your organization makes its most significant decisions about its processing activities. This will help determine your ‘main facility’ and therefore your lead supervisory authority.
Be Aware – Controllers and Processors are Now Both Responsible
All key decision makers in an organization should be aware that the law is changing to the GDPR. Under the current DPA, only data controllers are responsible for the secure disposal of IT assets. However, the GDPR outlines that data processors will now be held responsible too. The impact will be significant, so it is important to identify the areas that could cause compliance issues under the new requirements. No matter how minimal the contact with personal data, compliance is still compulsory.
E2E Track & Trace is a Must for Personal Data
Personal data that your organization stores will need to be recorded through its entire lifecycle, regardless of the size or nature of the business. You must also document what personal data is being stored and what it is used for, together with proof of consent to use the data, how the data is being protected and where it goes once it is no longer needed.
There are also many other reasons you could need to know what information you hold about an individual. With the ‘Right to be Forgotten’ being introduced, you need to know what information you hold in order to ensure that all of it is removed. Remember that under the new regulations, personal data covers many kinds of information, ranging from names and images to IP addresses and medical information.
Disposal Must Be Fully Auditable
In order to show complete compliance with GDPR, you must be able to audit the data trail. Your IT assets for disposal should be collected by a traceable company and stored in a secure facility that uses software-based or physical destruction methods appropriate for the data-bearing media. It should also be possible to trace how data was erased and/or destroyed, and by whom. This helps to guarantee complete accountability for data throughout the process.
Not only is GDPR compliance critical to protecting your clients’ information, but failure to comply could put your entire company at risk. This means it is more important than ever to protect yourself from a data breach at every stage of the data management process, especially for end-of-life data and IT assets.