
How will GDPR affect your business?

In the data protection world, there are currently four letters on everyone’s lips: GDPR. In case you haven’t come across one of the many LinkedIn posts on the subject, GDPR stands for General Data Protection Regulation. It represents a significant overhaul of the current legislation around data (the EU Data Protection Directive, and the UK Data Protection Act 1998). It was introduced in April last year, and the Information Commissioner’s Office (ICO) and countless other third parties have been urging businesses to put processes in place to ready themselves for the end of a two-year grace period on the 25th May 2018.

As this date draws ever closer, the question on many business owners’ and senior managers’ minds is: how will GDPR affect my business?

In short, it shouldn’t, as long as you have the correct procedures and processes in place to ensure compliance. Sounds pretty simple, no?

The truth is, if you’re doing data protection correctly now, you should only need to make the slightest tweaks to your processes in order to comply. And if you haven’t done this already, time is most definitely running out!

There are a number of ways GDPR will change the way businesses deal with data, and a lot is being made of its impact on marketing and consent. But as it’s closest to our remit, we’ll take a look at data protection in the context of end-of-life IT assets here.

Here are a number of processes and principles that GDPR brings into force that will affect your business.



“Whenever a controller uses a processor it needs to have a written contract in place.”

This means that if you use a third-party company to process data in any way (such as an IT asset disposal company), then you need to have a written contract in place indicating each party’s responsibilities and liabilities. Under the Data Protection Act, this is a way of demonstrating compliance with principle 7 (information security), but under GDPR, it is an actual requirement. This means that if you use a third-party data processor and don’t have the proper contract in place, you will both be in breach of GDPR. And that’s not good.

The ICO’s website has quite a long list of what should be included in the contract, but to give a brief summary, it should state:

  • How long the data will be processed for

  • The nature and purpose of the processing (in the case of ITAD it would be deletion)

  • What type of data is being processed

  • The rights and responsibilities of the controller (you)

It’s worth noting that although it isn’t necessarily the sole responsibility of the processor to ensure the contract is in place, if an ITAD firm is not forthcoming and explicit with this upfront, you should probably avoid them.



Speaking of avoiding ITAD companies without the proper processes, here’s another thing to look out for. ICO guidelines on the GDPR state that “signing up to a code of conduct or certification scheme is not obligatory”. We’ve seen some ITAD businesses claim that using a company that doesn’t hold relevant certifications related to data processing is in breach of GDPR. This is a little misleading. As you can see from the quote above, the guidelines state it is not obligatory. However, that doesn’t mean it’s not a good idea to select an ITAD supplier with these certifications. As they’re signed up to a certification scheme, it’s a good indication that their processes comply with some of the most critical elements of the GDPR. Some of the certifications to look out for are:

  • ADISA (Asset Disposal & Information Security Alliance) certification - global industry standards for IT Asset Disposal

  • ISO 27001 Information Security Management

  • Blancco partnership - Blancco is an industry leading data erasure platform

Internally, it might be a good idea to pursue a certification or code of conduct scheme yourselves. This will help you put procedures in place to ensure compliance with GDPR. Check out Cyber Essentials as a good starting point.



This is another key one. It’s not currently an obligation under the Data Protection Act to document your data processing activities. This is not the case with GDPR. Guidelines state that you must maintain internal records of data processing. This should certainly cover off the processing and storage of customer and employee data, and the purpose of doing so, but don’t forget that you will also need to ensure that you document what happens to your data when it goes out the door. If you are using a third-party ITAD partner to destroy data-bearing hardware, you must ensure that this documentation is produced. Any reputable ITAD worth their salt will offer you certificates of destruction and asset reports as standard. Once again, it is not necessarily their sole responsibility to provide it, but avoid ones that don’t offer it up front. If you were paying attention to section one, you’ll know that you’ll need to get a contract or service level agreement in place with an ITAD provider before you hand over your end-of-life equipment. Make sure documentation is mentioned in this contract.


Be ready

The industry likes to stir up a lot of fear and uncertainty around GDPR and how it will affect businesses. Ultimately, particularly when it comes to data processing and ITAD, it covers off things you should really be doing anyway, but just puts the mechanisms in place to make non-compliance more serious. At XPO, we hold the ISO 27001 certification, as well as being a partner of Blancco, the industry-leading data destruction software. We ensure that contracts and SLAs are in place before the first collection, and provide the relevant documentation for your records and auditing purposes. If you would like to discuss further, get in touch.
