UK Expert says ITAD an Often Overlooked Area in Data Protection
Stiff fines await Canadian companies doing business in Europe or with EU citizens if they fail to safeguard their clients’ data under the EU’s new General Data Protection Regulation (GDPR) – including in their IT asset management.
That means if your company in Canada sells to EU clients or monitors EU-based individuals (including Canadian citizens in the EU), you’ll have to handle data in line with the GDPR or risk a fine. And the fines could be crippling to small and medium-sized businesses. The maximum fine under the GDPR is the larger of 20 million euros (approximately $32 million CDN) or four percent of your company’s global revenue.
This could be the first time you’re investigating GDPR and the effect it may have on your IT asset management. To comply, you’ll need to act fast. The regulation goes into effect May 25, 2018.
A recent small-sample Commvault survey showed that worldwide only 12 per cent of companies say their data policies comply with GDPR. Further, 58 per cent of US companies believe they will be fined under the new rules.
GDPR Applies to End-of-Life Asset Management
Data is the new international currency and the GDPR was built to protect citizen information at every stage of the data’s lifecycle – right from something as small as an email signup through to how that data is handled after IT end-of-life assets are erased, destroyed or repurposed.
Tim Bell, UK lawyer and Managing Director of Data Protection Representatives, a company that helps clients outside the EU navigate GDPR compliance, said consumers know data is critical to business success today and corporations will have a competitive advantage if they can offer cutting-edge data privacy standards.
“(Customers) increasingly expect their data to be protected by the companies they supply it to and will vote with their feet (and wallets) where that isn’t the case,” Bell said at a recent privacy and data conference in Calgary, Alberta.
IT asset management, specifically the disposition of end-of-life infrastructure, is one area of data management often overlooked, Bell said in an interview.
“That’s not to suggest that we believe data controllers or processors are simply leaving old data storage devices on the curb for the garbage man to collect,” he said via email.
“But the original owners of those assets, as well as the disposal company (who act as processors on behalf of the controller/processor disposing party) will need to ensure GDPR is taken into consideration in such disposal.”
Bell said the deletion and destruction of personal data fall under Article 4(2) of the GDPR, and IT assets containing data also fall under the regulation. IT asset management – the handling and destruction of those end-of-life assets – must comply with the GDPR just as the assets would in the ‘use’ phase of the lifecycle, or the organisation risks fines.
Not Hiring ITAD Specialists Poses Greater Risk; May Not Be GDPR Compliant
A late 2017 study of 301 IT professionals by TechReset and Leger showed that while nine in 10 of them said data was a primary concern for their company when disposing of IT assets, only two in 10 hire a company that specializes in IT end-of-life asset disposition.
“The results indicate that companies may be risking more than they realize when upgrading IT equipment,” Jack McSorley, CEO of TechReset, a leading Canadian IT asset disposition company, said at the time.
“Companies often limit their thinking to processes surrounding cyber security, with much less regard to the all-important data passed on through equipment replacement.”
And now, companies in Canada could be risking more than the average $5.78 million cost of a data breach: they also face possible fines if they’re found in contravention of the GDPR.
With the May 25 deadline looming, Canadian companies will have a small window to ensure their IT asset management complies with the EU’s new data regulation.