The compliance checklist for redundant IT equipment
The General Data Protection Regulation (GDPR), effective as of 25th May 2018, will impact almost every business. It has been introduced in the UK through a new data protection bill, making businesses more accountable for the security of personal data.
This guide will take you through the steps you need to follow to ensure you avoid the wrath of the ICO (the UK’s information commissioner), keep customer data secure and remain compliant.
1. Audit your redundant assets
GDPR puts the onus on your organisation to manage and govern the personal data it holds. To demonstrate this (as is required under the accountability principle), your organisation needs to obtain a clear understanding of how, where and why data is used.
The findings of an audit can be used to demonstrate your compliance if your organisation ever does become the victim of a breach. It is essential that organisations know which devices contain personal data – which makes audits absolutely crucial to compliance, as they could prevent your firm from getting fined.
2. Include redundant IT assets in your data protection policies and procedures
Considering that business-critical information is housed on redundant IT assets, it makes sense to make reference to these devices in your data protection policies. The regulation is likely to instigate a data protection policy revisit, and you should do this with redundant IT assets in mind.
3. Create a specific policy for redundant IT
Ensuring your organisation securely erases and responsibly disposes of redundant IT assets is growing in importance. To appropriately safeguard data, it is important to have a documented framework for disposing of redundant equipment.
4. Consider wiping all redundant assets immediately
Despite the inclination to hide redundant equipment away in cupboards and put it on the back burner, delaying action on this equipment can pose a compliance concern – especially on devices where the data contents are unknown.
If your redundant equipment is likely to contain high-impact personal data, or the contents are completely unknown, then you may be best served by immediately wiping these assets. Simply holding these devices in storage could make your organisation unable to comply with some of the new bill of rights:
- The right to rectify. Individuals can now request to alter their personal data held by your organisation; this includes records kept on redundant IT equipment.
- The right to be forgotten (erasure). If an individual withdraws their consent, then all of their personal data should be securely erased (providing there is no legal or commercial reason for keeping this data).
- The right of access. Individuals have the right to view all the personal data held by an organisation on them. If contact records are decentralised and spread across a variety of equipment, then accumulating this data will prove a challenge.
Selecting the right method of erasure is also vital. If you opt to wipe storage by software, then ensure that it meets the standards required by your industry and data sensitivity.
If you cannot effectively erase data through software, then shredding (or disintegration) may be a more appropriate option. Only the hard drive needs to be shredded, as the device itself may be suitable for reuse.
Taking the necessary steps by reviewing the data contents of every redundant data-bearing device can be incredibly time-consuming. With the costs of failing to check this equipment so high, it is important you have the partners and resources you need to call upon.
We can provide a range of services that are fully compliant with all relevant legislation impacting WEEE. If your organisation has redundant equipment with no strategy for disposal and secure erasure, get in touch with one of the Crown Workspace team.