By now you should be aware of the EU’s General Data Protection Regulation (GDPR) but are you sure you understand how it might affect your company? Specifically when managing your organization’s IT assets? As we approach enforcement of the regulation this spring 2018, many are scrambling to have a better understanding of how to ensure compliance in every aspect of their data management. Here’s a Q and A of what we know so far.
Who does this affect?
These regulations are directed at companies with an establishment in the EU. However, they also apply to organizations based outside Europe if they:
- Offer products and services in Europe,
- Process personal data from Europe, or
- Monitor the behavior of people in Europe.
Out of these three categories, the processing of personal data is the least straightforward. The definition of personal data is expanded under these requirements along with strengthened rights of individuals. The GDPR defines personal data as any form of identifiable information. This could include basic details such as name, email or phone number and could also represent other additional elements such as location, gender, age and IP address. Even if you have data that isn’t directly linked to an identity it may still be considered “personal data” under the GDPR. In addition, sensitive categories, such as health data, require special treatment.
What happens if my business doesn’t comply?
The most concerning risk of non-compliance is the substantial fines. Penalties for breaking the law can be up to four percent of a global enterprise's annual revenue. Additional risks include:
- Obligatory adjustments to reporting ordered by data protection authorities,
- Reputational damage, and
- Loss of trust with partners and clients.
The risks are significant, which is why so much attention is being given to this new regulation. Your best chance of lowering your exposure, even while not yet fully compliant, is to show that you have a process in place and are taking preventative measures. With regard to IT asset disposition, you can update (or create) your ITAD policy to incorporate these measures as a way of documenting that process.
What should all organizations consider (globally) during IT asset disposition (ITAD)?
No matter where your business is located you should consider the following regarding your ITAD program:
- Conducting a risk assessment on all stored data – Review your current disposition program and determine if there are any potential security gaps.
- Documenting the process – Include the ITAD process in your privacy impact assessments.
- Auditing your ITAD vendor – Make sure the vendor you are working with has processes in place that will ensure security throughout the disposition process, as well as your compliance with GDPR as it relates to ITAD.
As a company, your time is running out. If there is any chance you store or process personal data from a European citizen, it is recommended to act now. Managing data stored on retired IT assets is only one part of GDPR, and statistics show three out of four companies are unprepared at this time. Awareness is a start; now it's time to take some action.