Asset Disposal is a major area of liability under the Data Protection Act and the General Data Protection Regulation. Would you be found negligent if you had a data breach?

If your organisation processes personal data, you are responsible for doing so in line with the Data Protection Act (DPA) 2018 and the General Data Protection Regulation (GDPR) 2018.

Processing, as defined in the legislation, includes every aspect of collecting, storing, and modifying this data – and importantly for IT Asset Disposal, also includes destruction of this data.

As part of the eight data protection principles that your organisation (the Data Controller) must comply with to protect client and individual data, there is an obligation to use ‘appropriate and technical organisational measures’ to protect personal information.

This means that your organisation retains liability for the information, as well as full control over its use, even when a third party data processor (e.g. an IT Asset Disposal Company) carries out the processing  step that relates to the destruction of data. Any data breaches that occur as a result of the IT Asset Retirement process are the Data Controller’s responsibility and it is the Data Controller who will be investigated and fined by the ICO.

This liability highlights the importance of choosing an IT Disposal partner with great care.

The Information Commissioner’s Office (ICO), who are responsible for upholding the DPA and the GPDR, have recognised IT Asset Disposal as a major area of weakness for many companies in terms of their data protection obligations.

As such, it recently produced guidance notes for organisations that can be found here

In summary, the key steps recommended by the ICO to demonstrate ‘appropriate technical and organisational methods’  in choosing and managing an IT Asset Disposal company are:

  • Create an IT Asset Disposal Strategy
  • Assign an Asset Disposal Champion
  • Select an IT Asset Disposal Company that can demonstrate its ability to ensure security
  • Draw up a contract with the Disposal Company that defines obligations
  • Regularly audit their services


This can seem complicated so, to help, Re-Tek have created an interesting infographic about complying with data protection legislation in IT disposal, click the link to download:

Complying with Data Protection Regulation in IT Disposal