How will GDPR affect your business?
19th December 2017
In the data protection world, there are currently four letters on everyone’s lips: GDPR. In case you haven’t come across one of the many LinkedIn posts on the subject, GDPR stands for General Data Protection Regulation. It represents a significant overhaul of the current legislation around personal data (the EU Data Protection Directive, and the UK Data Protection Act 1998). Since the regulation was adopted in April 2016, the Information Commissioner’s Office (ICO) and countless third parties have been urging businesses to put processes in place before the two-year transition period ends and the GDPR applies in full on 25th May 2018.
As this date draws ever closer, the question on many business owners’ and senior managers’ minds is: how will GDPR affect my business?
In short, it shouldn’t, as long as you have the correct procedures and processes in place to ensure compliance. Sounds pretty simple, no?
The truth is, if you’re doing data protection properly now, you should only need to make slight tweaks to your processes in order to comply. And if you haven’t started already, time is most definitely running out!
There are a number of ways GDPR will change the way businesses deal with data, and a lot is being made of its impact on marketing and consent. But as it’s closest to our remit, we’ll take a look at data protection in the context of end-of-life IT assets here.
Here are a number of processes and principles that GDPR brings into force that will affect your business.
“Whenever a controller uses a processor it needs to have a written contract in place.”
This means that if you use a third party company to process data in any way (such as an IT asset disposal company), then you need to have a written contract in place setting out each party’s responsibilities and liabilities. Under the Data Protection Act, a contract of this kind is a way of demonstrating compliance with principle 7 (information security); under GDPR, it is an explicit requirement (Article 28). This means that if you use a third party data processor and don’t have the proper contract in place, you will both be in breach of GDPR. And that’s not good.
The ICO’s website has quite a long list of what the contract should include, but to give a brief summary, it should state:
The subject matter and duration of the processing (how long the data will be processed for)
The nature and purpose of the processing (in the case of ITAD this would be erasure or physical destruction)
What type of personal data is being processed, and the categories of data subject it relates to (customers, employees, and so on)
The rights and obligations of the controller (you)
It’s worth noting that although it isn’t necessarily the sole responsibility of the processor to ensure the contract is in place, if an ITAD firm is not forthcoming and explicit about this upfront, you should probably avoid them.
Speaking of avoiding ITAD companies without the proper processes, here’s another thing to look out for. ICO guidelines on the GDPR state that “signing up to a code of conduct or certification scheme is not obligatory”. We’ve seen some ITAD businesses claim that using a company that doesn’t hold relevant data processing certifications is itself a breach of GDPR. This is misleading. As the quote above shows, the guidelines state it is not obligatory. However, that doesn’t mean it isn’t a good idea to select an ITAD supplier with these certifications: GDPR does require you to use only processors that can provide sufficient guarantees about their security measures, and an independent certification is good evidence that a supplier’s processes cover some of the most critical elements of the regulation. Some of the certifications to look out for are:
ADISA (Asset Disposal & Information Security Alliance) certification - industry standards for IT asset disposal
ISO 27001 Information Security Management
Blancco partnership - Blancco is an industry-leading data erasure platform
Internally, it might be a good idea to pursue a certification or code of conduct scheme yourselves. This will help you put the procedures in place that support compliance with GDPR. Check out Cyber Essentials as a good starting point.
Documentation is another key one. It’s not currently an obligation under the Data Protection Act to document your data processing activities. This is not the case with GDPR. The guidelines state that you must maintain internal records of your processing activities (Article 30). Organisations with fewer than 250 employees are exempt only where the processing is occasional, low risk and involves no special categories of data, so most businesses should assume the requirement applies to them. These records should certainly cover the processing and storage of customer and employee data, and the purpose of doing so, but don’t forget that you will also need to document what happens to your data when it goes out the door. If you are using a third party ITAD partner to destroy data bearing hardware, you must ensure that this documentation is produced. Any ITAD provider worth their salt will offer you certificates of destruction and asset reports as standard. Check that these list each data bearing device by serial number, together with the erasure method or destruction technique used, so you can reconcile them against your own asset register. Once again, it is not necessarily the provider’s sole responsibility to supply this, but avoid ones that don’t offer it up front. As covered above, you’ll need to get a contract or service level agreement in place with an ITAD provider before you hand over your end-of-life equipment. Make sure this documentation is mentioned in that contract.
The industry likes to stir up a lot of fear and uncertainty around GDPR and how it will affect businesses. Ultimately - particularly when it comes to data processing and ITAD - it covers things you should really be doing anyway, and simply puts mechanisms in place to make non-compliance more serious. At XPO, we hold ISO 27001 certification, as well as being a partner of the industry-leading data destruction software Blancco. We ensure that contracts and SLAs are in place before the first collection, and provide the relevant documentation for your records and auditing purposes. If you would like to discuss this further, get in touch.