The GDPR (General Data Protection Regulation) is the most significant change in data protection legislation to affect the ITAD industry since the WEEE directive in 2006.
This supersedes the DPA (Data Protection Act) of 1998 and places greater emphasis on individuals' rights, as well as on the need for companies to justify what data they collect, how they collect it, how they use it, how long they hold it for and how they erase it.
Maximum fines have been increased significantly from £500k to €20m (or 4% of global turnover), and the ICO (Information Commissioner's Office), who are in charge of enforcing it, have announced they will be growing by 40% to tackle this.
With most of the emphasis of GDPR being placed on live data, ICEX are reminding companies of the increased Information Governance requirement to ensure the information they hold on individuals is removed in a secure and responsible way to ensure GDPR compliance.
When engaging with any IT Asset Disposal (ITAD) company, the following criteria should be met in order to ensure you are complying with the new GDPR regulations by implementing the right data governance procedures:
- There is a contract in place which clearly sets out the expectations between the client and ITAD
- Partners should be regularly audited
- The whole process must be traceable, and a record of individual assets processed must be made available
- NCSC (National Cyber Security Council) approved products should be used for overwriting
Our GDPR Service Level Agreement
Our Service Level Agreement (SLA) sets out the standards of service you can expect from ICEX. The agreement states what we as the supplier are contracted to do in order to process your redundant IT and the data held on that equipment. This document helps you as the client meet your own compliance needs if you are ever audited.
The Environment Agency (EA) expects a business to have a programme in place to show they have a formalised process for the disposal of electronic and electrical devices. Furthermore, the Information Commissioner’s Office (ICO) have set out legal obligations for the disposal of data and ensuring good information governance.
Many of our clients are put off signing an agreement with their IT Asset Disposal provider, stating they do not wish to be tied into a contract. However, an ICEX SLA provides you with the documentation required by the EA and ICO, to prove you have a responsible plan in place for your IT recycling needs.
The SLA does not set any expectations for the number of items we will process or how often we will visit you. It is a sensible agreement between partners stating that the level of service and security for the equipment and data you are disposing of provides the framework for good data governance during the disposal of any redundant IT assets.