GDPR came into force nearly seven months ago, with organisations within the EU now having to adhere to strict rules governing customer data. But when IT equipment reaches the end of its life and leaves an organisation, many companies are falling short.
Hardware, ranging from printers to photocopiers, may have personal data stored within it and many businesses may unknowingly be breaking GDPR rules because of what happens to this equipment when it is no longer in use.
According to a survey of 1,002 UK workers in full or part-time employment, carried out by Probrand.co.uk, a large proportion (44%) of businesses in the trades sector failed to wipe the data from IT equipment they disposed of in the two months following GDPR. The workers surveyed were from a wide range of trades including construction, plumbing and carpentry.
Not only does this leave data vulnerable to being stolen for identity theft and fraud, but by not wiping old IT equipment before it is thrown away, businesses could be at risk of penalties for failing to adhere to some of the GDPR rules.
The Information Commissioner’s Office (ICO) advises that businesses must have appropriate security in place to prevent personal data from being accidentally or deliberately compromised when equipment is disposed of.
If personal data is compromised, even after the hardware has left an organisation, that organisation may still be liable to receive GDPR fines. This data, therefore, has to be deleted in a secure manner to ensure GDPR compliance.
Despite the ICO recommending that businesses have an “asset disposal strategy” in place to ensure GDPR compliance, the research also found that 71% of all UK businesses in the trades sector do not have an official process or protocol for disposing of obsolete IT equipment.
Businesses should identify the devices containing personal data, complete a full inventory of all equipment that is marked for disposal, and assign a specific member of staff to this task. However, the research found that 47% of workers in the trades industry would not even know who to approach within their company to correctly dispose of old or unusable equipment.
The top 5 industries most guilty of not clearing the memory of IT equipment before disposal in the months following GDPR were transportation, sales and marketing, manufacturing, utilities and retail.
Worryingly, transportation businesses, many of which have customer and client addresses and contact information on their systems, were the worst offenders, with 72% not wiping IT equipment.
Matt Royle, marketing director at Probrand.co.uk, commented:
“Given the amount of publicity around GDPR it is arguably impossible to be unaware of or to misunderstand the basics of what is required for compliance. So, it is startling to discover just how many businesses are failing to both implement and follow some of the simplest data protection practices.”
“This is especially startling to see from businesses within the trades sector, where sensitive customer information including address details are handled all the time.”