Risk mitigation may be on the board agenda, but failure to understand the extent and damage of a data breach caused by weak chain-of-custody processes is endemic. It won’t be long before a business is found guilty of having irresponsibly disposed of its IT equipment and sensitive data assets. The Information Commissioner’s Office (ICO) is primed and ready to make a high-profile example of such a breach using the hefty penalties it will have available under the General Data Protection Regulation (GDPR).
Today the ICO can issue a maximum penalty of £500,000 for a data breach. From 25 May 2018, when GDPR applies, the maximum penalty rises to €20 million or 4% of global annual turnover, whichever is greater.
The new penalties, combined with brand and reputational damage, should be a red flag to all businesses to get their house in order: review data security processes, make sure that all traces of data are destroyed, and confirm that the business is compliant with the law.
Are your data disposal partners certified?
IT Asset Disposal companies (ITADs) are often the first port of call for end-of-life data asset recycling, and this has so far proven to be a cost-effective strategy. However, the quality and longevity of these companies vary greatly. It is important to be aware that the business commissioning the ITAD remains legally responsible for data security and must be seen to adopt best practice when selecting a partner. So how can businesses be sure that they are using a reputable ITAD? There are two important things to look for when considering potential ITAD partners:
- Is the company Asset Disposal & Information Security Alliance (ADISA) certified? ADISA only certifies ITADs that pass its multi-layered audit process. Of approximately 400 ITADs in the UK, just 47 are ADISA certified.
- Does the ITAD hold the relevant security certifications? Compliance with recognised security standards, including ISO 27001, should be an essential requirement for any reputable ITAD.
Get control of your processes
Under GDPR, data controllers and processors (here, the ITADs disposing of the data) are both responsible for the secure destruction of data and can both be held liable for penalties in the event of a data breach. GDPR also requires a contract to be in place between a business and its chosen ITAD; without one, the data controller will be held to account by the ICO for failing to enforce control and for failing to select a credible, compliant supplier. Opting for a ‘fly by night’ ITAD because it offers a good deal could be a very costly mistake further down the line.
GDPR is forcing organisations to adopt a far more proactive approach to managing and safeguarding data, and that requires improved data management processes, including retention, redaction and destruction.
Unless an organisation can control and report which items have reached end of life, how that process was managed and by whom, and verify that data erasure has actually taken place, it will not achieve compliance with the new regulation. Device-by-device lifecycle reporting is critical, as is a robust chain of custody backed by thorough data asset disposal records, both to achieve GDPR compliance and to demonstrate it.
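The records described above only demonstrate anything if they cannot be quietly altered after the fact. The following is an added example, written for this page and not an ADISA, ICO or ITAD tool, of a minimal tamper-evident chain-of-custody ledger: every disposal event for a device is hash-linked to the previous one, so editing, reordering or deleting an entry is detectable, and a per-device lifecycle report can be produced on demand. The field names, event names and the sample laptop data are assumptions chosen to illustrate the idea.

```python
"""Tamper-evident chain-of-custody ledger for end-of-life IT assets.

Added illustrative example; the record schema, event vocabulary and the
sample data below are assumptions, not a published standard.
"""
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first entry in a ledger


def _entry_hash(body: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same record
    # always hashes identically regardless of who serialised it.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def append_event(ledger: list, asset_tag: str, serial: str, event: str,
                 actor: str, timestamp: str, evidence: dict = None) -> dict:
    """Append one custody event, linking it to the previous entry's hash."""
    prev_hash = ledger[-1]["hash"] if ledger else GENESIS
    body = {
        "seq": len(ledger),
        "asset_tag": asset_tag,
        "serial": serial,
        "event": event,          # e.g. decommissioned, collected, erased, destroyed
        "actor": actor,          # who performed the step (person or organisation)
        "timestamp": timestamp,  # ISO 8601, UTC
        "evidence": evidence or {},
        "prev_hash": prev_hash,
    }
    entry = dict(body)
    entry["hash"] = _entry_hash(body)  # hash covers everything except itself
    ledger.append(entry)
    return entry


def verify_ledger(ledger: list) -> tuple:
    """Recompute every hash and link.

    Returns (True, None) if the chain is intact, otherwise
    (False, seq) for the first entry that fails verification.
    """
    prev = GENESIS
    for i, entry in enumerate(ledger):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if (entry.get("seq") != i
                or body.get("prev_hash") != prev
                or _entry_hash(body) != entry.get("hash")):
            return False, i
        prev = entry["hash"]
    return True, None


def lifecycle_report(ledger: list, serial: str) -> dict:
    """Per-device summary: ordered events, actors, and whether erasure was verified."""
    events = [e for e in ledger if e["serial"] == serial]
    erased = any(e["event"] == "erased" and e["evidence"].get("verified") is True
                 for e in events)
    return {
        "serial": serial,
        "events": [e["event"] for e in events],
        "actors": sorted({e["actor"] for e in events}),
        "erasure_verified": erased,
    }


def build_sample_ledger() -> list:
    """Constructed sample data: one laptop passing through disposal."""
    ledger = []
    append_event(ledger, "LAP-0042", "SN1234", "decommissioned",
                 "it-ops@example.com", "2018-03-01T09:00:00Z")
    append_event(ledger, "LAP-0042", "SN1234", "collected",
                 "itad-courier", "2018-03-02T14:30:00Z", {"seal": "S-778"})
    append_event(ledger, "LAP-0042", "SN1234", "erased",
                 "itad-tech-07", "2018-03-03T11:05:00Z",
                 {"method": "sw-overwrite", "verified": True, "cert": "ERASE-991"})
    append_event(ledger, "LAP-0042", "SN1234", "destroyed",
                 "itad-tech-07", "2018-03-03T12:00:00Z")
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("chain intact:", verify_ledger(ledger))
    print(json.dumps(lifecycle_report(ledger, "SN1234"), indent=2))
```

The hash chain makes the ledger tamper-evident, not tamper-proof: anyone holding the whole ledger can rewrite every entry from the altered one onwards. In practice the latest hash should be anchored somewhere the ITAD cannot change on its own (for example sent to the data controller at each handover), so that the controller's copy and the ITAD's copy can be compared when a regulator asks.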
To find out more about how you can prepare your business for GDPR and where the weak link lies, download our eBook: Data Destruction: The weak link in data security.