By this point you are probably aware of the GDPR (General Data Protection Regulation), which has applied since 25 May 2018, but a surprising number of people and businesses are still not sure how it affects them, or how easily they could fall foul of the serious sanctions that follow for anyone who does not abide by the new rules.
In a nutshell, how you handle the personal data you hold or process on behalf of individuals in the EU has become critically important, and how you dispose of that data can make or break your company.
Whenever you discard or recycle a computer or hard drive, you run the risk of the data recorded on that device falling into the wrong hands. Deleting files or reformatting a drive does not remove the underlying data; it can usually be recovered with freely available tools unless the drive has been properly sanitised (overwritten, cryptographically erased, or physically destroyed). Now, more than ever, it is vital to take the proper steps and to be able to show that you followed a proper disposal procedure.
When a supervisory authority finds that a data breach or another instance of non-compliance has occurred, several factors determine the sanction:
The nature, gravity and duration of the infringement, including the number of people affected, the damage they suffered and the purpose of the data processing.
Whether the infringement was intentional or simply a case of negligence.
What action the company took to mitigate the damage to the data subjects.
Whether the company has any previous infringements of this kind. These can be infractions under the earlier Data Protection Directive, not just the GDPR.
The level of cooperation with the supervisory authority to remedy the situation.
What technical and organisational measures the company had put in place before the breach to prevent non-compliance and protect personal data.
That final point is key.
What preventative measures were taken, and can you prove it?
For example, did the company use a recognised data sanitisation provider, and can it produce the records (such as certificates of destruction listing the serial numbers of the drives processed) to show that the data was actually destroyed? Being able to demonstrate that you took appropriate technical and organisational precautions can work in your favour when the penalty is decided.
Where several linked infringements are involved, the total fine is capped at the amount set for the most serious of them, so that is the yardstick the authorities use to decide what penalty to impose.
At the lower tier, this is a fine of up to €10 million or 2% of the company's total worldwide annual turnover for the preceding financial year, whichever is higher. At the upper tier, it is a fine of up to €20 million or 4% of worldwide annual turnover, again whichever is higher.
As you can see, the penalties are heavy, so now, more than ever, is the time for companies that handle personal data to look closely at how they deal with hard drive disposal, data destruction and recycling.