James Burkimsher 09 November 2016

The impact of EU Data Protection Regulations on IT asset disposal

The impact of EU Data Protection Regulations on IT asset disposal image

The EU General Data Protection Regulations (EU GDPR) entered into force in May 2016 and enters into application on May 25th, 2018 after a two-year transition period. Unlike a Directive, it does not require any enabling legislation to be passed by governments.

The primary objectives of the GDPR are to give citizens back the control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

The Regulations mean that all organisations including local authorities will have to face many compliance challenges with significantly increased penalties. The penalties for a data breach are currently capped at £0.5M but under the new regulations fines can be as high as 20 Million Euro’s.

'A Personal Data Breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

In order to avoid the penalties local authorities will need to adopt robust procedures to protect personal data not only through its life but right to the point of its disposal.

One of the key elements of the EU GDPR is that third party organisations that handle personal data on behalf of a local authority will be classed as a ‘data processor’ and will carry the same levels of liability for a breach as the local authority (data controller).

It is therefore key that when sourcing suppliers that will be classed as data processors the local authority carry out their due diligence in ensuring they have the procedural and financial standing to be able to take on this shared risk and provide suitable mitigation.

Other relevant elements of the EU GDPR is mandatory breach notification to the authorities within 72 hours of discovery, adherence to a code of conduct and certification scheme, and operate under the terms of a contract. Local authorities will also be responsible for carrying out a data protection impact assessment for data processing operations and use only processors who provide sufficient guarantees to implement appropriate technical and organisational measures.

Following the Brexit vote earlier this year a common misconception is that the EU GDPR can be ignored. If and when Article 50 is triggered the UK will then have two years to negotiate its exit from the EU so the regulations will already be in force at that point. Irrespective of this, the ICO are highly likely to maintain the requirements of GDPR ensuring the UK regulatory parity with our EU neighbours, otherwise it will become a further barrier to trade as the cross border transfer of data will become much harder.

Typically within local authorities the disposal of redundant ICT equipment often sits with the IT manager, there isn’t always a budget for the disposal and their objective is to free up space making room for new equipment at the lowest possible cost to the authority. It’s the same IT manager who will be tasked with implementing effective network protection to ensure no data can be accessed externally, but as soon as the hardware is replaced their buying requirement often changes to focus on cost rather than business risk.

With the implementation of the EU Data Protection Regulations, we are expecting to see a change in behaviour in local authorities with a much greater focus on the protection of data through the whole lifecycle of the equipment. All public organisations will be required to have a named person in place with the responsibility for data protection. The data protection officer will understand the increased financial risk that the organisation takes on as a data controller and that any data processor they work with for IT asset disposal provides sufficient guarantees to meet the Regulation’s requirements.

The disposal of data bearing assets will no longer be down to an issue of space, the mind-set of organisations will change to understand the threats of a data breach from cradle to grave, the disposal will become part of the equipment’s lifecycle until such point it has been certified as ‘data safe’.

James Burkimsher is business development manager at Arrow Value Recovery

Supporting the most vulnerable in Herts image

Supporting the most vulnerable in Herts

Hertfordshire CC is investing £9.6m to support its most vulnerable residents in overcoming the repercussions of the pandemic. Scott Crudgington explains why the council is determined to remain ‘a county of opportunity’ for all.
For your free daily news bulletin
Highways jobs

People Technology / HRIS Analyst

Essex County Council
Up to £42174 per annum
The Opportunity The People Technology / HRIS Analyst will be responsible for supporting the ongoing management of people-based technology including England, Essex, Chelmsford
Recuriter: Essex County Council

Principal Energy Engineer

Surrey County Council
£45,734 - £51,725 per annum
Do you have experience in working with delivering carbon reduction measures into a range of building projects? Surrey
Recuriter: Surrey County Council

Wellbeing and Independence Practitioner - Safeguarding

Essex County Council
£27203 - £31370 per annum
Please note, this role is a Fixed Term Contract until the end of March 2022. With us, you can achieve more - for yourself as well as those you work England, Essex, Chelmsford
Recuriter: Essex County Council

Chief Fire Officer/Chief Executive

Essex County Fire & Rescue Service
c. £150,000
Are you ready for an exciting and rewarding opportunity Essex
Recuriter: Essex County Fire & Rescue Service

Housing Development Manager

City of York Council
£36,476 to £41,830 per annum
Do you want to play a key part in the delivery of “the UK’s most ambitious council-led housing programme in a generation”? York, North Yorkshire
Recuriter: City of York Council

Public Property

Latest issue - Public Property News

This issue of Public Property examines how how flexible workspaces can lead the way in regeneration for local authorities, Why local authority intervention is key to successful urban regeneration schemes and if the Government’s challenge of embracing beauty is an opportunity for communities.

The March issue also takes a closer look at Blackburn with Darwen Council's first digital health hub to help people gain control over health and care services.

Register for your free digital issue