The EU General Data Protection Regulation (EU GDPR) entered into force in May 2016 and applies from 25 May 2018, after a two-year transition period. Unlike a Directive, it does not require any enabling legislation to be passed by national governments.
The primary objectives of the GDPR are to give citizens back the control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
The Regulation means that all organisations, including local authorities, will face many compliance challenges, backed by significantly increased penalties. Penalties for a data breach are currently capped at £0.5M, but under the new Regulation fines can be as high as €20 million.
A ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
In order to avoid the penalties local authorities will need to adopt robust procedures to protect personal data not only through its life but right to the point of its disposal.
One of the key elements of the EU GDPR is that third party organisations that handle personal data on behalf of a local authority will be classed as a ‘data processor’ and will carry the same levels of liability for a breach as the local authority (data controller).
It is therefore key that, when sourcing suppliers that will be classed as data processors, the local authority carries out due diligence to ensure they have the procedural and financial standing to take on this shared risk and to provide suitable mitigation.
Other relevant elements of the EU GDPR are mandatory notification of breaches to the supervisory authority within 72 hours of discovery, adherence to a code of conduct and certification scheme, and processing carried out under the terms of a contract. Local authorities will also be responsible for carrying out a data protection impact assessment for data processing operations and for using only processors who provide sufficient guarantees that they implement appropriate technical and organisational measures.
Following the Brexit vote earlier this year a common misconception is that the EU GDPR can be ignored. If and when Article 50 is triggered the UK will then have two years to negotiate its exit from the EU so the regulations will already be in force at that point. Irrespective of this, the ICO are highly likely to maintain the requirements of GDPR ensuring the UK regulatory parity with our EU neighbours, otherwise it will become a further barrier to trade as the cross border transfer of data will become much harder.
Within local authorities, responsibility for the disposal of redundant ICT equipment typically sits with the IT manager. There isn’t always a budget for disposal, and the IT manager’s objective is to free up space for new equipment at the lowest possible cost to the authority. The same IT manager is tasked with implementing effective network protection to ensure no data can be accessed externally, yet as soon as the hardware is replaced the buying requirement often shifts to focus on cost rather than business risk.
With the implementation of the EU GDPR, we expect to see a change in behaviour in local authorities, with a much greater focus on the protection of data through the whole lifecycle of the equipment. All public organisations will be required to have a named person in place with responsibility for data protection. The data protection officer will understand the increased financial risk that the organisation takes on as a data controller, and will need to ensure that any data processor it works with for IT asset disposal provides sufficient guarantees to meet the Regulation’s requirements.
The disposal of data-bearing assets will no longer be simply a question of space. Organisations will come to understand the threat of a data breach from cradle to grave, and disposal will become part of the equipment’s lifecycle until the point at which it has been certified as ‘data safe’.
James Burkimsher is business development manager at Arrow Value Recovery