What is GDPR?
GDPR stands for General Data Protection Regulation and is the new European Union Regulation set to replace the Data Protection Directive (DPD) and The UK Data Protection Act 1998. Regardless of the UK leaving the European Union, the regulation will come into force on 25th May 2018.
It involves the protection of personal data and the rights of individuals – which means that the way all data and information is managed will change, with additional requirements regarding data handling and storage.
Under the current Data Protection Act there is already a duty of care to ensure that all data is kept secure. With the GDPR coming into effect, there will be an increased responsibility to ensure that this information, whatever form it’s kept in (e.g. paper files, electronic files, computer hardware), is managed in the right way to comply with this new regulation.
Any company deemed non-compliant will face hefty fines.
What is considered data?
Any data/information related to an individual that can be used directly or indirectly to identify the person is considered personal information. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information or a computer IP address.
Significant risk to data controllers
Under the GDPR the burden for personal data protection lies primarily with data ‘controllers’ or those entities that ‘own’ personal data and make decisions over how it’s processed – a significant change from the current UK Data Protection Act.
Controllers will be responsible for compliance with GDPR’s processing rules and will be held liable even when another organisation or data ‘processor’ (e.g. an IT recycling partner) is contracted to carry out these activities. This is not to say that processors are off the hook. Processors have additional responsibilities under GDPR and face greater liability for non-compliance or where they act beyond the scope of authority agreed with the controller.
Nonetheless, increased liabilities on controllers mean it is crucial for data owners to review their external agreements with those third-party suppliers that have access to personal data to ensure they are GDPR compliant.
Under the GDPR it will also be a criminal offence to choose a Data Processor/IT recycling partner who doesn’t hold the minimum competencies and accreditations for IT asset disposal (e.g. ISO 27001). You must be able to demonstrate that you are working with an accredited company when it comes to disposing of your data-bearing end-of-life IT assets.
Implementing risk measures – contracts
Whenever a data processor/IT recycling partner is used, a written contract needs to be in place. The contract is important so that both parties understand their responsibilities and liabilities.
Because GDPR is a regulation, not a directive, the UK does not need to draw up new legislation – instead, it will apply automatically. As part of the new regulation, it will be illegal not to have a formal contract/Service Level Agreement (SLA) in place with your chosen Data Processor/IT recycling partner.
Choosing the right IT recycler partner/data processor
Working with an accredited IT recycler partner/data processor will ensure that any end-of-life data-bearing equipment is disposed of and destroyed in a safe, secure and compliant way. These partners will also ensure there’s a legally binding contract or SLA in place to determine the formal processes involved.
Recycle IT 4U Ltd, putting your mind to rest
Established in 2004, Recycle IT 4U Ltd is the trusted service provider to 25 UK Local Authorities. Our procedures and systems have been independently audited by:
- Telford & Wrekin Council
- Solihull Metropolitan Borough Council
- Shropshire Council
- University of Wolverhampton
We are accredited with the following industry standards:
- ISO 27001 Information Security Management Standard
- ISO 14001 Environmental Management Standard
- ISO 9001 Quality Management Standard
We are registered with the Environment Agency and hold the following licenses:
- T11 Environmental Permit Exemption
- Waste Carrier’s/Brokers License
We are also registered with the Information Commissioner’s Office.
Please be advised:
Whilst we have taken care in compiling these notes, Recycle IT 4U cannot be held responsible for any omissions, errors or the impact of legislative changes. These notes are not a substitute for specialist legal advice.