The EU’s General Data Protection Regulation (GDPR) went into effect on May 25, 2018, replacing the EU Data Protection Directive 1995. The regulation applies to all organizations that handle, store, or process the personal data of EU citizens. Because of this extra-territorial applicability, the GDPR will have a substantial impact on ITAD professionals worldwide.
The consequences of non-compliance
Data breaches are in the news frequently, and there have been several significant data breaches already this year.
According to the IBM Cost of Data Breach Study, the global average cost of a data breach increased from $3.85 million in 2020 to $4.24 million in 2021. The average cost of a breach per records is estimated at $161. Fines are often imposed on top of these costs, and companies are regularly fined by the U.S. Securities and Exchange Commission.
Now, in addition to the costs incurred as a result of a data breach, organizations that fail to comply with the GDPR face fines of up to 20,000,000 euro or 4% of annual global turnover, whichever is higher.
Key features of GDPR and the impact on ITAD
The GDPR is a sweeping effort to protect EU citizens from privacy and data breaches. Although it may seem daunting, many of the provisions of the GDPR are aligned with ITAD best practices. Below are 3 key features:
1. Increased territorial scope — The territorial scope of the now-defunct Data Protection Directive was ambiguous. Conflicting laws of member states and varied interpretations by the courts were common. The GDPR, in contrast, is unequivocal: it applies to any company that collects, stores or processes information of EU citizens, regardless of that company’s location.
2. Data vendor selection and oversight — The GDPR puts the responsibility of vetting processors, including ITAD service providers, squarely on controllers. Controllers are required to use processors that can sufficiently guarantee compliance with GDPR. The onus is on controllers to do their due diligence, but a successful partnership requires ITAD service providers to embrace transparency and work closely with controllers to ensure data security.
3. Shared liability for controllers and processors — Under GDPR, processors have shared liability with controllers for the first time. What once was a best practice is now a legal mandate, and processors must work closely with controllers to put data security measures in place and maintain records of all data-processing activities. Given the addition of liability for processors, ITAD professionals are well-advised to review their insurance policies to make sure they include cyber liability insurance and appropriate protections for third-party incident and damage limitation support. While ITAD insurance is essential, nothing replaces good data security processes and procedures.
Demonstrating GDPR compliance
To be compliant with GDPR you must not only have the technical capability to keep the personal data of EU citizens secure but also maintain written guidelines for compliance. As a controller, you will need to keep meticulous records of how data is managed, processed, stored, and destroyed.
When looking for an ITAD service provider, choose one that meets the industry’s most rigorous certification standards, including the Occupational Safety and Health (OSHA) and the International Organization for Standardization (ISO). To achieve these certifications, ITAD service providers must demonstrate regulatory compliance and maintain documented management systems and procedures.