

08 Apr 2020

Data Protection Liability in the Waste Stream by Steve Mellings, Founder of ADISA.


When a business intends to discard old IT infrastructure, regardless of whether the device still works, the activity is classed under the waste hierarchy as waste management. A debate about what "discard" means would clearly take more than this article, but one factor persists whether or not the equipment is designated as waste, and that is the liability attached to any data still held on it. This article explores the changes in data protection legislation and how they affect those operating within the waste stream.

The EU General Data Protection Regulation (applied since May 2018) and the UK Data Protection Act 2018 both impose clear requirements on companies that operate as data processors; but what is a data processor? In short, if you simply collect redundant equipment for material recovery and provide no service on the data, then you are NOT a data processor. However, if you provide any service on the data, whether overwriting or media destruction, then you are a data processor, and Article 28 of the GDPR, which sets out the obligations of processors and the contractual terms that must be in place with the controller, applies directly to you and must be complied with.

Of course, all of this may be factually correct, but do companies care? Whilst much hype surrounded GDPR, mainly from the doom and gloom merchants peddling fear, the reality is that there haven't yet been hundreds of fines; so has it had any impact? A key objective of GDPR has indeed been achieved: it has galvanised businesses to consider data more proactively than before, and with a number of well-publicised cases pending, such as British Airways, the boardroom is acutely aware of the implications of playing fast and loose with data. Part of this new approach to data protection has seen all areas of business operations scrutinised more carefully than before, including what is done with old equipment.

Your next question might be: "So we operate as a data processor, but would we ever get caught?" Assuming not has perhaps served companies well in the past, but what has changed is that the law now sets out clear requirements for the data processor to comply with. Previously, the requirements focused only on the business releasing the assets (the data controller), but Article 28 obliges every data processor to behave in a specific way, which in effect places direct liability on the service provider (data processor) alongside the data controller. So whilst previously the industry could point at its clients and say it was their responsibility, the GDPR makes it very clear that regulators now have the tools to address shortcomings in both parties, bringing the industry squarely into the crosshairs.

But there is good news. It is clear that businesses generally are struggling with the broader data protection requirements since GDPR, so everyone is in the same situation. Within the asset retirement process, however, the industry is a little ahead of the curve. ADISA has been helping, via certification, to identify and implement countermeasures that decrease risk and evidence compliance for nearly 10 years, and so is well placed to understand the reality versus the strict letter of the law. We are working with the UK Information Commissioner's Office (ICO) on the business process of asset retirement (by the client) and asset recovery (by the industry). There is a clear appetite from the regulator to understand and address a whole range of non-conformance in this area whilst remaining pragmatic and realistic. The ADISA Asset Recovery Standard 7.0 is currently under evaluation for approval under Article 42 of the GDPR as a recognised certification scheme for this business process, and ADISA is also working with a steering group to write a Standard for the organisations that release assets, to ensure they meet their regulatory requirements. This new Standard for the data controllers themselves is much easier to adhere to, as much of the risk is owned by the service providers, and ADISA expects to submit it to the ICO for evaluation by summer 2020.

So if you are a company releasing assets, or are concerned about your own liability when processing such assets, you can find more information at the ADISA Media Centre on YouTube, or come and find our stand at the RWM Exhibition later this year.
