Both the DPA and the GDPR place further legal obligations on companies with respect to disposing of IT equipment.
If your organisation processes personal data, you are responsible for doing so in line with both pieces of Data Protection Legislation. Processing, as defined in the legislation, includes every aspect of collecting, storing, and modifying this data – and importantly for IT Asset Disposal, also includes destruction of this data.
As part of the eight data protection principles that your organisation (the Data Controller) must comply with to protect client and individual data, there is an obligation to use ‘appropriate technical and organisational measures’ to protect personal information.
This means that your organisation retains liability for the information, as well as full control over its use, even when a third party data processor (e.g. an IT Asset Disposal Company) carries out the processing step that relates to the destruction of data. Any data breaches that occur as a result of the IT Asset Retirement process are the Data Controller’s responsibility and it is the Data Controller who will be investigated and fined by the ICO.
This liability highlights the importance of choosing an IT Disposal partner with great care.
The Information Commissioner’s Office (ICO), which is responsible for upholding the DPA and the GDPR, has recognised IT Asset Disposal as a major area of weakness for many companies in terms of their data protection obligations. As such, it recently produced guidance notes for organisations on this topic.
In summary, the key steps recommended by the ICO to demonstrate ‘appropriate technical and organisational methods’ in choosing and managing an IT Asset Disposal company are:
- Create an IT Asset Disposal Strategy
- Assign an Asset Disposal Champion
- Select an IT Asset Disposal Company that can demonstrate its ability to ensure security
- Draw up a contract with the Disposal Company that defines obligations
- Regularly audit the Disposal Company’s services