Think of IT asset disposition regulatory compliance and the chances are that four letters immediately spring to mind: GDPR, the General Data Protection Regulation.
That’s completely understandable. The threats posed by cyber-attackers have grown exponentially in both scale and sophistication in recent years. According to official statistics from the UK government, in the year ending March 2022 there were an estimated 1.6 million incidents in England and Wales, 79% of which related to unauthorised access to personal information. The increased threat level has been recognised globally, with 137 out of 194 countries now having enacted data privacy legislation. *
Technological advancements have extensively increased the attack surface. Artificial intelligence (AI) solutions have become more affordable, and chatbots like ChatGPT have rapidly gained popularity. At the same time, more sustainable technology, such as edge computing networks, is expanding to facilitate 5G. ^
Needless to say that all of our digital activity is enabled by our devices, including the now vast Internet of Things (IoT). As we use it daily, we are hungry for the latest, fastest tech; as businesses, we regularly upgrade or sell redundant IT assets to maximise productivity and boost competitiveness.
Your data protection compliance must remain central; GDPR still applies even after the UK left the EU. However, when it comes to secure IT asset disposal, compliance isn’t solely about the need to protect company data at all costs.
When it comes to disposing of your end-of-life IT assets, CISOs and CIOs must keep up to date with other forms of ITAD regulatory compliance. Not doing so carries significant risks in itself, and let’s face it, there are plenty of threats out there without adding more.
Failure to meet your obligations under UK data privacy law or environmental law can result in significant fines, penalties and company downtime – not to mention damage to your brand’s reputation that you may not be able to recover from. Depending on your specific sector, you might also have industry-specific legislation or international trading standards to incorporate. With so many directives to think about, how do you ensure regulatory compliance?
Essential ITAD regulatory compliance for UK businesses.
GDPR and the Data Protection Act 2018.
Empowering individuals to take greater control of their personal information, the new Data Protection Act 2018 is the UK’s implementation of GDPR – the world’s strictest data privacy and security law.
Its purpose is to control how personal information is used by organisations, businesses and the government. The principles it sets out relate to the fair, transparent and lawful processing and retention of data. It incorporates stronger legal protection for the most sensitive data, such as race and ethnicity. Crucially, the act demands that data is handled securely and that organisations protect it against unlawful or unauthorised processing, access, loss, destruction or damage.
Before the commencement of the GDPR, there was no substantial or detailed guidance on how companies should process their data and, more importantly, little incentive to invest vast sums to meet customer data governance challenges, particularly for large enterprises. Before it was replaced in May 2018, under the outdated Data Protection Act 1998, the maximum fine for non-compliance that could be issued by the Information Commissioner’s Office (ICO) was £500,000. + A far cry from today’s penalties…
Under GDPR, the maximum fine is €20 million (approximately £18 million) or 4% of annual global turnover – whichever figure is higher.
Waste Electrical and Electronic Equipment Directive 2013 (WEEE).
With the e-waste crisis literally mounting, the EU led the way when it came to the reduction of electrical and electronic waste, preventing it from being incinerated or ending up in landfill. The Waste Electrical and Electronic Equipment Directive 2013 (WEEE) became law in the EU and the UK on 1st January 2014, replacing the former 2006 directive. **
The regulation seeks to recover perfectly serviceable components contained in our redundant IT assets with its reduce, reuse, recycle ethos. In the UK, manufacturers must join and report to the Environment Agencies’ compliance scheme, and distributors/retailers should offer recycling schemes and educate their customers on what to do with WEEE assets.
So, what is classed as WEEE waste? You’re bound to have noticed that little crossed-out wheelie-bin logo. It appears on any electrical and electronic equipment with a plug or battery – everything from tools, toys and toothbrushes to, of course, our computers and mobile devices.
UK companies must also adhere to their WEEE directive compliance obligations when storing, collecting, recycling and discarding WEEE separately from other waste. Accurate records need to be kept of when, where and how it was disposed of in an ethical, responsible manner. Failing to comply could result in prosecution and a fine of up to £5,000 at a magistrates’ court, or, if deemed serious enough, an unlimited fine from the Crown Court. ++
Environmental Protection Act 1990.
The Environmental Protection Act introduced new legal responsibilities for improved waste management systems, preventing pollution of land, air and water. You might not immediately associate this with e-waste disposal regulations; however, it demands that all hazardous materials are handled properly, and our devices contain substances that are harmful to human health and the environment.
Although it has now been banned, mercury, proven to affect our brains, was contained in any device with a backlit screen – many of which are still in use. The world’s landfills are full of lead, cadmium, arsenic and millions of batteries, not to mention the indefinitely recyclable precious metals contained in circuit boards, which themselves break down into micro-fragments. These toxins and chemicals will end up in our soils and water systems.
Under the EPA, businesses have a duty of care for any waste they generate. It should be controlled, managed appropriately and, importantly, documented. ^^ Non-compliance can result in penalties of up to £20,000.
How can your ITAD partner guarantee your legal compliance?
Whilst the importance of data destruction remains vital, it’s crucial to note that you don’t have to suffer a data breach to fall foul of these laws. Non-compliance can be discovered if your organisation is audited.
IT asset disposition services will deliver secure data erasure, providing an IT asset disposal accreditation certificate for each and every piece of redundant IT equipment. This demonstrates your compliance with an auditable ITAD chain of custody.
Legislation tends to be detailed and complex, and as such, it can be tricky to stay on top of or keep track of changes. IT asset disposal companies live and breathe the regulations on a daily basis, and are also regulated by the same directives. For highly regulated industries, this includes extensive working knowledge of financial industry ITAD and healthcare industry ITAD.
It is important to be familiar with all local, national and industry regulations, but depending on how you trade you may need to meet further obligations.
GDPR applies to any company that processes PII data for any EU and UK citizen, no matter where their business is located, globally. Similarly, the U.S. law, The Cybersecurity Information Sharing Act (CISA) can have implications for UK organisations that operate internationally or partner with US companies.
In addition to our legislative obligations, morally, we have a responsibility to do all we can to contribute to the circular economy and extend the lifetime value of our business IT assets. Choosing more sustainable data erasure over asset destruction, upgrading existing devices or procuring refurbished IT can prevent unnecessary waste, avoid the negative impact of virgin mining and reduce greenhouse gas emissions. At the same time, this delivers substantial cost savings and improved public perception for your organisation. Whilst not a direct regulation, metrics such as ESG ratings, which include social responsibility standards, have been rapidly increasing in importance to consumers and associates alike.
It is natural to think of data privacy laws when thinking of the ITAD regulatory requirements for businesses. And these are vital. However, as the planet warms and the United Nations rallies its nation-states to commit to urgent mitigative action, it is also essential to adhere to waste and environmental directives. You will also need to consider your specific industry’s regulations.
It can seem like a legislative minefield and be difficult to keep on top of legal changes, especially when trading internationally. ITAD services can work with you to form a thorough IT asset disposal policy, which covers all directives that apply to your organisation.
Keeping you up to date with any legislative changes that affect your industry and advising on environmentally friendly ITAD best practices, a circular-minded ITAD partner will help you boost your organisation’s sustainable operations whilst guaranteeing all legal compliance obligations.
*UN Conference on Trade and Development, ^Experian, +Privacy Compliance Hub, **HSE, ^^Environmental Protection Act, Section 34, ++Gov.uk
tier1 Group is the UK’s leading circular, environmentally friendly ITAD service. We make it our business to know ITAD regulatory compliance like the back of our hands, providing you with complete peace of mind with our guaranteed, auditable secure data erasure services. After all, we are only compliant if you are.
With our ‘Reduce, Reuse, Recycle’ philosophy, ESG and social impact at our core, we promote the refurbishment, resale and reuse of business technology, wherever possible.
To find out more about our data wiping services, refurbishment and resale platforms – contact our friendly teams on 0161 777 1000 (Manchester), 01621 484380 (Maldon) or visit www.tier1.com
Sources: The Information Commissioner’s Office, UK Government, legislation.co.uk, Compucycle, Sims Lifecycle, Experian, Tech Monitor, United Nations Conference on Trade and Development, Lifespan Technology, Bitraser, Privacy Compliance Hub, Netlawman, DeltaNet, Health and Safety Executive, IT Governance.