Philip McMichael, Managing Director of AMI, takes us through the area of GDPR compliance that may have slipped through the cracks.
With GDPR due to apply in less than six months' time, most companies are well underway on their compliance journeys. IT managers and other stakeholders are busy completing a myriad of tasks that will stand them in good stead when the regulation applies from 25 May 2018: compiling inventories of the personal data in their organisation's possession, communicating the new requirements to employees and partners, and establishing whether or not they need to appoint a Data Protection Officer.
IT retirement – a blind spot for Irish organisations
However, despite the best of intentions, there is one area that many companies have overlooked in their preparations. It could see them found non-compliant with GDPR and exposed to the full brunt of the fines, which run up to €20 million or 4% of global annual turnover, whichever is higher.
While most businesses know the steps they need to take to bring their live environments and ongoing processes into line with the regulation, fewer recognise that personal data does not stop being personal data when the hardware holding it is retired. Secure retirement of end-of-life IT assets is part of the same obligation, and Irish businesses that have not already done so need to put established processes in place to manage it before May's deadline.
Old desktops, laptops, servers and phones can hold large amounts of personal information, yet many organisations have no formal end-of-life process to ensure that this data is wiped before the equipment is resold or recycled. Deleting files, reformatting a drive or reinstalling the operating system does not remove the data: it remains on the disk and can be recovered with freely available tools. Proper sanitisation means overwriting or cryptographically erasing the storage (on SSDs, via the drive's own sanitise or secure-erase command, since software overwrites cannot reach every flash cell) and physically destroying any drive that cannot be wiped, and then verifying the result. These are the Clear, Purge and Destroy levels set out in NIST SP 800-88.
To ensure that IT equipment is securely processed at the end-of-life stage and to prevent data falling into the hands of cybercriminals, companies need to work with a third-party IT retirement specialist. Some organisations may be tempted to handle data destruction themselves, but should remember that safely and securely disposing of end-of-life IT equipment is a complicated procedure that requires technical skills, specialist tools and an auditable chain of custody from collection to destruction. Accredited third-party IT retirement specialists erase data to recognised standards, verify the erasure and document it per asset, minimising the risk of a leak. The cost for companies that attempt, and fail, to carry out this process themselves could be enormous, especially once GDPR applies.
Formal confirmation essential
Those who do work with a third-party IT retirement specialist must exercise due diligence. They should insist on a written contract at the start of the engagement (GDPR requires a controller to have a contract with any processor that handles personal data on its behalf) and on formal confirmation, normally a certificate of data destruction listing each asset by serial number, that the data has been erased. Handing IT assets to a third party without such a contract or confirmation leaves the organisation unable to show that personal data was protected, and if the data later surfaces it is the organisation, not the disposal company, that must report the breach. This means that, despite their best efforts, companies could still find themselves liable for substantial fines.
AMI recently conducted a survey which found that almost one third of Irish organisations that use third-party IT retirement companies may be exposed to fines because they do not receive formal confirmation from their providers that their data has been completely erased. These organisations could face grave financial repercussions in the event of a breach or related cyber incident. And if the financial repercussions seem extreme, the damage to a company's reputation in the event of an actual breach could prove even harder to repair.
Limited time available
There is limited time for Irish organisations to close the gaps in their information security strategies that could leave them open to sanctions. Businesses need to establish set processes for the disposal of old IT equipment and work with a specialist third-party service provider to manage data destruction. Working with a third-party specialist has other advantages, too, such as helping companies identify and recover the residual value of their old IT assets.
Recovering the value of retired IT assets is a worthwhile part of managing the disposal of old IT equipment, and companies should build it into their strategy from the outset; equipment that is wiped and certified can be resold rather than scrapped.
If companies understand the exposure created by failing to dispose of old IT equipment correctly, they can identify a clear path to compliance. The next few months provide a golden window for companies to get all aspects of their information security strategies in order, including the disposal of old IT equipment. Those organisations that fail to act now risk putting the future of their business in jeopardy.
AMI provides a range of services to assist organisations with the secure retirement of their end-of-life IT, mobile and electrical equipment. Established in 2001, the company has grown to become one of the leading specialists supporting a diverse array of customers in both the public and private sectors in the UK and Ireland, across finance, health, telecoms, and central and local government.