EU GDPR – EU General Data Protection Regulations after Brexit
Data controllers and Data processors now have shared responsibility for Data Protection
Even after you have transferred the ownership of your IT equipment during the end of life cycle, you cannot completely transfer that responsibility of protecting the data held on those devices. Choosing a third party data processing who will share that responsibility is an important decision and one which should be given serious consideration, such as:
Which Software overwriting tools and processes are used
Is it CESG approved
Do they have cyber-privacy insurance
Are they ADISA certifed
Information security (Principle 7)
There is no “one size fits all” solution to information security. The security measures that are appropriate for an organisation will depend on its circumstances, so you should adopt a risk-based approach to deciding what level of security you need.
In brief – what does the Data Protection Act say about information security?
The Data Protection Act says that:
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
This is the seventh data protection principle. In practice, it means you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised. In particular, you will need to:
design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach;
be clear about who in your organisation is responsible for ensuring information security;
make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff; and be ready to respond to any breach of security swiftly and effectively.