More than 100 countries around the world have enacted data protection regulations to help control the access and use of personal and private data. These global efforts to help protect personal data and prevent data breaches have been in response to the large increase in data incidents that have evolved over the past few years. Data breaches are happening more frequently with 2019 deemed by Help Net Security as the worst year ever for data security.
Experian disclosed data breach trends from the previous year in a recent report forecasting 2020 trends. Trends included phishing, hacking, “deepfake” video and audio technology, online hacktivism, and e-skimming for mobile payments. The common thread woven into each of these trends, is the fact that they are all facilitated through electronic devices. Devices we use every day and upgrade regularly.
Implementing a comprehensive disposal plan for all electronics will always be necessary to ensure both consumers and businesses of data protection. A company’s IT asset disposition (ITAD) plan must consider protection against various types of threats, as well as compliance with existing regulations. It is important to be familiar with all local and regional regulations, but there are some that may affect you, no matter where you, or your business, is located.
Here is a list of some regulations affecting global IT asset disposition today.
General Data Protection Regulation (GDPR)
In May 2018, the EU’s General Data Protection Regulation (GDPR) came into effect. GDPR is a huge legislative change in Europe that outlines significant financial penalties for non-compliant handling of EU citizens’ data. It does not matter where you are based, where you do business or where your headquarters is located. If your company handles, processes, or stores data of EU citizens, you need to be GDPR compliant. The consequences of non-compliance are severe. Companies can face fines of up to €20,000,000 or 4 percent of global revenue.
Sector-Specific U.S. National Privacy or Data Security Laws
In the United States, there is a patchwork of different legislation for different industries including:
- The Health Insurance Portability and Accountability Act (HIPAA) of 1996 which protects healthcare patient data,
- The Gramm-Leach-Bliley Act (GLBA) and the Fair and Accurate Credit Transactions Act (FACTA) which are directed at financial institutions,
- The Payment Card Industry Data Security Standard (PCI DSS) which applies to companies who accept credit card payments, and
- The Family Educational Rights and Privacy Act (FERPA) legislation that protects the privacy of students by ensuring their education records are protected.
California Consumer Privacy Act (CCPA)
California just passed a digital privacy law, the California Consumer Privacy Act (CCPA). When compared to the GDPR, the CCPA takes a broader approach on what it constitutes as sensitive data. This privacy law will provide consumers with the right to know what information companies might be collecting about them and why, and will require companies to remove and dispose of that data per consumer request. This new legislation went into effect Jan. 1, 2020.
Australia Privacy Act 1988
Australia has the Australian Privacy Act that requires individuals be notified if their personal information was involved in a data breach. In February 2018, the Australian government established a privacy amendment titled the Notifiable Data Breaches Act 2017. This scheme affects those under the Australian Privacy Act and requires them to take steps to secure certain categories of personal information.
Uganda Data Protection and Privacy Law
Uganda, which is known to be the “most secure cyberspace in Africa”, signed their own Data Protection and Privacy Bill into law in February 2019. The aim of this law is to protect the personal identifiable information (PII) of Uganda citizens.
While there are various data privacy laws around the world, some of the countries considered to have the heaviest data protection laws include Austria, Australia, Belgium, Canada, France, Hong Kong, Ireland, Italy, Netherlands, Norway, Poland, Portugal, South Korea, Spain, Sweden, Switzerland, United Kingdom and the United States.
Your IT asset disposition company should be able to offer expertise on which regulations and laws pertain to you depending on where you are located, and the facility nearest you that will process your material.
For more information on how to build a successful global IT asset disposition program view our white paper.