More than 100 countries around the world have enacted data protection regulations to help control the access to and use of personal and private data. These global efforts to protect personal data and prevent data breaches are a response to the sharp rise in data incidents over the past few years. Data breaches are happening more frequently, with 2019 deemed by Help Net Security the worst year ever for data security.
Experian disclosed data breach trends from the previous year in a recent report forecasting 2020 trends. Trends included phishing, hacking, “deepfake” video and audio technology, online hacktivism, and e-skimming for mobile payments. The common thread woven through each of these trends is that they are all facilitated through electronic devices, the same devices we use every day and upgrade regularly.
Implementing a comprehensive disposal plan for all electronics will always be necessary to assure both consumers and businesses of data protection. A company’s IT asset disposition (ITAD) plan must consider protection against various types of threats, as well as compliance with existing regulations. It is important to be familiar with all local and regional regulations, but some regulations may affect you no matter where you or your business are located.
Here is a list of some regulations affecting global IT asset disposition today.
General Data Protection Regulation (GDPR)
In May 2018, the EU’s General Data Protection Regulation (GDPR) came into effect. GDPR is a sweeping legislative change in Europe that sets out significant financial penalties for non-compliant handling of EU citizens’ data. It does not matter where you are based, where you do business, or where your headquarters is located: if your company handles, processes, or stores data of EU citizens, you need to be GDPR compliant. The consequences of non-compliance are severe. Companies can face fines of up to €20,000,000 or 4 percent of global revenue.
Sector-Specific U.S. National Privacy or Data Security Laws
In the United States, there is a patchwork of different legislation for different industries including:
- The Health Insurance Portability and Accountability Act (HIPAA) of 1996 which protects healthcare patient data,
- The Gramm-Leach-Bliley Act (GLBA) and the Fair and Accurate Credit Transactions Act (FACTA) which are directed at financial institutions,
- The Payment Card Industry Data Security Standard (PCI DSS) which applies to companies who accept credit card payments, and
- The Family Educational Rights and Privacy Act (FERPA), which protects the privacy of students by protecting their education records.
California Consumer Privacy Act (CCPA)
California passed a digital privacy law, the California Consumer Privacy Act (CCPA). Compared to the GDPR, the CCPA takes a broader view of what constitutes sensitive data. This privacy law gives consumers the right to know what information companies might be collecting about them and why, and requires companies to remove and dispose of that data upon consumer request. The legislation went into effect Jan. 1, 2020.
Lei Geral de Proteção de Dados Pessoais (LGPD) – Applicable August 15, 2020
Similar to the European GDPR, Brazil passed the Lei Geral de Proteção de Dados Pessoais (LGPD) to secure the privacy of Brazilian users. This framework applies to organizations that offer their services to people in Brazil and governs the use and processing of personal data of Brazilian users, regardless of where the data processor is located. Penalties for noncompliance are listed as 2 percent of the company’s Brazilian revenue, capped at $50 million per violation.
Australia Privacy Act 1988
Australia’s Privacy Act requires that individuals be notified if their personal information was involved in a data breach. In February 2018, the Australian government established a privacy amendment titled the Notifiable Data Breaches Act 2017. This scheme applies to organizations covered by the Australian Privacy Act and requires them to take steps to secure certain categories of personal information.
Uganda Data Protection and Privacy Law
Uganda, which is known as the “most secure cyberspace in Africa”, signed its own Data Protection and Privacy Bill into law in February 2019. The aim of this law is to protect the personally identifiable information (PII) of Ugandan citizens.
While there are various data privacy laws around the world, some of the countries considered to have the strictest data protection laws include Austria, Australia, Belgium, Canada, France, Hong Kong, Ireland, Italy, the Netherlands, Norway, Poland, Portugal, South Korea, Spain, Sweden, Switzerland, the United Kingdom and the United States.
Your IT asset disposition company should be able to offer expertise on which regulations and laws pertain to you, depending on where you are located and on the facility nearest you that will process your material.