Organisations that dispose of their redundant IT must not only consider compliance with environmental legislation. The Data Protection Act 2018 and the General Data Protection Regulation 2018 also apply to IT disposal, and failure to comply with either piece of legislation can have even graver commercial implications.

Data Protection Act (DPA) 2018 & General Data Protection Regulation (GDPR) 2018

Both the DPA and the GDPR put further legal obligation on companies with respect to disposing of IT Equipment.

If your organisation processes personal data, you are responsible for doing so in line with both pieces of data protection legislation. Processing, as defined in the legislation, includes every aspect of collecting, storing and modifying this data and, importantly for IT asset disposal, also includes destruction of this data.

As part of the eight data protection principles that your organisation (the Data Controller) must comply with to protect client and individual data, there is an obligation to use ‘appropriate technical and organisational measures’ to protect personal information.

This means that your organisation retains liability for the information, as well as full control over its use, even when a third-party data processor (e.g. an IT asset disposal company) carries out the processing step that relates to the destruction of data. Any data breaches that occur as a result of the IT asset retirement process are the Data Controller’s responsibility, and it is the Data Controller who will be investigated and fined by the ICO.

This liability highlights the importance of choosing an IT Disposal partner with great care.

The Information Commissioner’s Office (ICO), which is responsible for upholding the DPA and the GDPR, has recognised IT asset disposal as a major area of weakness for many companies in terms of their data protection obligations. As such, it recently produced guidance notes for organisations that can be found here.

In summary, the key steps recommended by the ICO to demonstrate ‘appropriate technical and organisational measures’ in choosing and managing an IT asset disposal company are:

  • Create an IT asset disposal strategy
  • Assign an asset disposal champion
  • Select an IT asset disposal company that can demonstrate its ability to ensure security
  • Draw up a contract with the disposal company that defines its obligations
  • Regularly audit the disposal company’s services