As your organization moves toward GDPR compliance, it is imperative that it truly understand what these new privacy regulations require at the device level and how they will affect your IT business operations. The new security and privacy directives are meant to cover the entire life-cycle of the data under your management; the step most often overlooked in that process is the final stage, asset disposition. Frequently, to save money or time, an IT department will simply delete data from old devices and then contract with a disposal company to remove them. The process is much more complicated than that, however, and deleting data from or re-formatting a device does not provide adequate protection. Every piece of your IT equipment, from computers and drives to phones and printers, can house private information subject to GDPR standards. Decommissioned devices can still be vulnerable to hacking even after they have been wiped, so device security extends to the final stage of device management and can play a key role in staying compliant.
What steps can you take, as an organization, to ensure that you are keeping your device data and IT assets secure to meet GDPR standards? First, be sure that you are completely up to speed on what compliance looks like for this stage of the asset management life-cycle, so you can ask your vendor partners the right questions about their processes. To avoid some costly missteps, be sure that your asset disposal partner clearly understands that end-of-life management of a device must be accounted for under GDPR Article 4(2), just as that same asset must be secured during the “in use” phase of the life-cycle. Also, depending on your enterprise vertical, consider the focused regulatory changes instituted by entities such as the Securities and Exchange Commission (SEC). New legislation makes a clear effort to spell out physical IT asset security measures, because device loss and theft are among the most common causes of a security breach. We often find that while some effort is put into cyber security for the active devices in an environment, less consideration is given to information that might be left on equipment being upgraded or replaced. Consider bringing in an information technology asset disposition (ITAD) partner to fully manage this part of the asset life-cycle.
You might be asking: how is ITAD different from the way my company currently handles device disposal? That is where true ITAD partners can be invaluable to your business IT processes. Certified and experienced ITAD providers safely dispose of IT assets using highly specific processes that can include proprietary protection programs, multi-level verification steps, detailed audit trails, and focused, secure asset disposal methods that reduce e-waste. Be sure to contract with an ITAD provider who is completely open about their services, and work with them to ensure that they clearly understand your business IT needs. Any regulations or guides specific to your industry vertical or your enterprise policy should be part of the initial conversation with potential vendor partners. If they cannot offer the full suite of services you are looking for, the vendor should be up-front and transparent about any third-party contractors they use as partners for necessary work in any area of asset end-of-life.
In fact, AOTMP always recommends that your ITAD vendor have a proven track record in the industry vertical in which you do business. They should be able to provide references and be open to discussing matters such as the environmental impact of using their services. Your team should plan on sending an RFQ to several reputable vendors, then use a robust RFP process to get the best services and pricing available. Before discussing your needs with potential vendors, spend time prioritizing your organization’s asset disposition needs, such as whether it is more important to have a vendor that provides free shipping insurance or one that has fast processing times. While your team should expect to see certain “standard services” offered, such as data destruction, software harvesting, asset tracking, refurbishment/resale, recycling, and physical destruction (grinding/shredding), don’t forget to ask about more specialized services: employee background checks, policy and behavior standards for anyone who will be trusted with your assets, written guarantees that no toxic material will be disposed of in landfills, or certificates of destruction issued by a respected third-party standards organization (e.g. Sustainable Electronics Recycling International). Remember that even if the equipment is to be re-sold or shredded, there should be concise documentation of the security of the device data and of where, and with whom, the device ultimately ended up.
While it is easy to forget unused or old devices after they have been replaced or upgraded, they can still pose a concern for the security of data in your environment. ITAD can be a significant contributor to your work to achieve or maintain GDPR compliance. Efficient management of the end-of-life phase for all your telecom equipment is a key part of a high-performing telecom and IT department. It is also a necessary step in overall performance if you are working toward transforming into a telecom Center of Excellence for your organization.