
At your disposal

Editorial Type: Industry Focus    Date: 05-2016

Suffering from Regulation fatigue? Now is the time to take on board the benefits of the new GDPR regulations and the payback they can bring to your business.

True, the new GDPR regulations have not been sworn into European Law as yet. However, as Steve Mellings, founder of ADISA (Asset Disposal and Information Security Alliance), points out, there have been a number of consistent elements throughout their development that are worth highlighting. These, he argues, will help organisations understand that, whilst they may be suffering from 'regulation fatigue', there are some significant changes coming that may motivate them to reassess their data protection position.

The headline grabber, Mellings states, is the increase of fines to potentially 4% of global turnover. "As data regulators have been relatively slow imposing financial penalties, some may view this as just a veiled threat, but to do so misses a potentially greater financial threat emerging," he comments. "The first class action lawsuit is taking place in the UK [several have already happened in the US] and the potential impact of a pay-out PER SUBJECT of a breached data set means that just losing a USB stick could be extremely significant. Quoted figures put the cost of a single breached record at between $200 and $250, so the loss of even a small amount of personal data could expose your company to claims entering the millions, rather than just a few thousand. And, let's face it, lawyers are more voracious than most of the regulators!"

WHERE TO START?
Enlightened companies seeking more than basic compliance are struggling to understand where to start, he adds. "Data Protection assessments like the DPG Pathfinder, which includes all areas impacting on data, are perhaps revolutionary in this field and, to a lesser degree, the ISO 27000 family can offer some guidance; but many organisations are struggling to see how to stem the tide of potential data breaches."

Within the GDPR, this is addressed via the 'privacy by design' concept. "One example of regulation looking to expand the scope of data protection is the change in relationship between data controller and data processor. Under the new regulation, it will be ILLEGAL for either party to work together without a contract in place. Within the process of ICT disposal, the organisations that collect and sanitise those assets are data processors, yet a recent FOI of UK police forces showed that approximately 50% currently have no contracts in place, effectively breaking the law. So, if our law enforcement flouts the law, do we think this new legislation will be effective?" Mellings asks.

Financial liability is a strong motivator, but also within the legislation the spectre of mandatory notification will see organisations change their position. "Within the asset disposal process, it could be posited that, unless an organisation has a full equipment list of assets to be disposed of, has verifiable chain and transfer of custody throughout the process and, finally, contractually engages with a proven service provider, then this entire process could be classed as a breach," he points out.

"So, as organisations mobilise themselves to firstly understand their exposure, then look to reduce that exposure, there is some good news. The ADISA 2016 Asset Recovery Standard includes requirements that ensure, where their customers permit, ADISA members conduct their transactions in accordance with the legislation, protecting themselves from regulatory action and, more importantly, helping their beleaguered customers find one data protection process that can smoothly put them in a position compliant with the new regulation."

PROFOUND RAMIFICATIONS
The GDPR is understandably a topic of intense discussion and review in the ITAD (IT Asset Disposition) world, says Dr Anand Narasimhan, managing director, Sims Recycling Solutions, EU & India. "The legal and financial ramifications of the law will be profound when it takes effect in 2018. But the idea at its core, that 'everyone has the right to protection of personal data concerning him or her', is one that has always been central to the ITAD industry's best practice.

"To be fully compliant with GDPR, ITAD providers must have in place both technical and organisational measures that ensure personal data is completely secure. Fortunately, best-in-class ITAD providers already work to these highest possible standards," he points out. "Industry accreditations (such as the ADISA ITAD Standard) provide assurances that personal and corporate data is securely managed."

ISO 27001 confirms that a company works within a suitable framework for managing data security risk, regularly reviewing and improving processes, adds Narasimhan. "CAS(S), the CESG's industry-specific standard, ensures that companies are qualified to manage the most sensitive data to the highest standards. These certifications are therefore useful indicators that an ITAD provider complies with critical elements of GDPR regulations."

ORGANISATIONAL MANDATES
"ITAD providers need to ensure that their internal organisational systems are up to the same unassailable standards as their technical ones. These organisational mandates will help to further mitigate the risk of a data breach and keep ITAD providers compliant with GDPR. Happily, some of these measures are refreshingly straightforward."
