As an IT asset disposal company, we deal with data every day. As such, we get a lot of questions from customers and partners around the General Data Protection Regulation (GDPR) and the effect it will have on data processing, disposal and organisations in general.
We’ve talked on the blog before about how GDPR will affect businesses, but there are some more general points and questions we thought we would address, to help everyone get fully clued up ready for the big day on the 25th May 2018.
So here are some general GDPR FAQs answered, with a slight lean towards IT asset disposal and data destruction.
When does GDPR come into effect?
We hope this is well and truly penned into your calendars by now, but the date the legislation will be in force from is the 25th May 2018. The regulation was approved and adopted by the EU parliament in April 2016, so in their eyes businesses have had plenty of time to get the right processes in place to become compliant.
What is the penalty for non-compliance?
Under the current Data Protection Act 1998, non-compliance comes with a hefty fine of up to £500,000. GDPR ups the ante on this front, with non-compliance carrying a potential financial penalty of up to €20 million or 4% of worldwide annual turnover (whichever is larger). This is the maximum an organisation can be fined, and the penalties are tiered according to the severity of the non-compliance. Infringements of the core principles, such as processing customer data without a lawful basis (for example, without valid consent where consent is the basis relied on) or ignoring data subjects' rights, fall into the upper tier, whereas failures of the more administrative obligations, such as not notifying your supervisory authority of a breach or not keeping proper records of processing, fall into the lower tier of up to €10 million or 2% of worldwide annual turnover (again, whichever is larger). Supervisory authorities are not obliged to impose the maximum; the figures are ceilings, and the actual penalty will depend on factors such as the nature and duration of the infringement, whether it was negligent or deliberate, and how you responded to it.
What happens after Brexit?
We’ve covered this off in detail in a recent blog post, but the short answer is: GDPR still applies, even if you operate entirely within the UK. The UK is still in the European Union until 29th March 2019, meaning that EU legislation will still apply up until this date, and after that, the government have announced that they plan to implement legislation “in the spirit of GDPR” and bring the country’s data protection laws in line with member states. Bear in mind too that GDPR reaches beyond the EU's borders: if you offer goods or services to people in the EU, or monitor their behaviour, it applies to that processing regardless of where your organisation is based, so having customers, employees or suppliers in EU member states is likely to bring you within scope whatever happens domestically.
What is a data controller, and what is a data processor?
GDPR clearly distinguishes between two roles when it comes to the handling of data: controller and processor. The data controller (Article 4(7)) is the entity that, alone or jointly with others, determines the purposes and means of the processing of personal data. The data processor (Article 4(8)) is an entity which processes personal data on behalf of the controller, and only on the controller's documented instructions. In the context of XPO IT Services as an ITAD company, we would be the data processor, and our customer would be the data controller: the customer decides that data-bearing hardware is to be sanitised or destroyed and to what standard, and we carry that out on their behalf.
A third-party company processes my end-of-life data-bearing hardware. If there’s a breach, who is liable?
This one is nuanced. As the data controller you remain accountable for the personal data on that hardware, including choosing a processor that can provide sufficient guarantees about its security measures, so a breach at your processor is, in the first instance, your breach. That said, GDPR also places obligations directly on processors (Articles 28, 32 and 33(2)), and a processor that fails to meet them, or acts outside your instructions, can be fined and held liable for the damage it causes in its own right. Your side of the bargain is to put a written contract in place with the processor covering the points Article 28 requires (processing only on your documented instructions, confidentiality, appropriate security, rules on sub-processors, assistance with breaches and data subject requests, deletion or return of the data at the end of the service, and your right to audit), to identify the processor in your records of processing activities so the arrangement can be audited, and to document who is responsible for what. In the event of a breach, the processor is required to make the controller aware without “undue delay”. The controller is then obligated to inform its supervisory authority within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to individuals, and to tell the affected individuals where the risk to them is high. The waters are a little murky here, so it’s a good idea to have a very clear contract, with service levels for breach notification written into it, as well as a meticulous audit trail (serial numbers, chain of custody, and certificates of data destruction) in place. It’s also a good idea to work with a data processing partner you can trust, and who can clearly demonstrate compliance.
What do I need to do?
If you’re currently operating in compliance with the Data Protection Act, you stand in good stead for compliance with GDPR – though you will need to ensure you have tightened up on a few things, notably your processor contracts, your records of processing and your breach notification procedures. We’re putting together a handy checklist to help you ensure that your data processing activities (particularly around end-of-life hardware) are compliant with GDPR – it’ll be available soon. In the meantime, if you’d like some more advice or support, get in touch.