Disposing of old IT equipment and the GDPR implications

Complying with GDPR is a requirement for every single business, large or small, across the UK. This comprehensive set of regulations set out to ensure that businesses were more responsible in how they stored and managed customers' information. Part of the compliance requirements of GDPR is the responsible disposal of IT equipment, which of course could have customers' information on it. This requires setting up an ITAD policy.

Set up your ITAD policy

Following the correct disposal process ensures that the trove of customer and company information is securely and permanently wiped off any storage devices on that particular piece of IT equipment. It's for this reason that your business should have an ITAD (IT Asset Disposal) process in place, and that it must be followed correctly.

Many businesses across the UK will outsource their ITAD duties to a third party. You should also have a written contract in place to confirm any relationship that you have with that third party. These outsourcing companies are known as Data Controllers if you are holding information concerning citizens from the EU.

Outline the ITAD process

Your ITAD processes should define, in as much detail as possible, your relationship with the third-party vendor and what the responsibilities are on both sides. For transparency, they should also state how customers' data is going to be handled throughout the process and how it will eventually be permanently destroyed upon completion of the disposal process.

IT Disposal 

With so much resting on ensuring that your IT assets are securely disposed of, it's equally important to ensure that you are choosing the right vendor to dispose of your business's IT assets. Be sure to do your due diligence on any vendors and ensure that a contract is fully ratified and binding. At the same time, ensure that they hold all of the required industry qualifications. These include ISO 14001, the Waste Electrical and Electronic Equipment (WEEE) Directive and the Environmental Protection Act 1990.

Protect your business

You need your process to be as robust as possible because part of the purpose of introducing GDPR itself was to hand more power to citizens of the UK and the EU to know how their data is being handled and managed. A robust process also heavily decreases the chance of any data breach stemming from your company, which could result in lawsuits and potentially business-ending fines.

If you want to know more about how to correctly set up and implement an ITAD policy within your business, get in touch today.