Tuesday, 24 February 2015

eReco – Your Get of Jail free card

Who is responsible for your data?

It’s a good question. Ultimately it is a business responsibility regulated by law under the data protection act and once the EU gets around to it the responsibility will sit firmly with the directors of the business. Even if they delegate it to someone else, they can be sued, fined, jailed or even decapitated if Genghis Khan gets his hands on them.

And that is in addition to fines levied against the business.

I think that focuses the mind quite nicely. Once this becomes law (and we are past the expected ratification date, so any day now Mr Farage!) apathy is going to get quite dangerous, and once the directors are firmly in the firing line things tend to get done.

But what things?

Obviously, here in eReco land, we are going to focus on disposing of redundant IT equipment because that is our wont. There are lots of other things to do but we aren’t directly involved in that so yah boo sucks, sort it out yourselves.

So, you have a computer to get rid of and it has a hard drive, what should you do?

In simple terms, you have two different legal responsibilities.

Firstly to dispose of the equipment according to WEEE regulations. Regardless of what you call it, or any residual value, this is waste and whatever you do, you need to think about waste transfer notes and how the item is going to get to a WEEE regulated recycling facility. If you do not get a WTN you are breaking the law and if your equipment does not go to a WEEE facility and ends up somewhere naughty, you have also broken the law. So, if you give it to someone to dispose of for you, make sure you get the right paperwork and be sure they are going to do things properly. If not, those directors are in the firing line.

Secondly, you are responsible for any data on any hard drive disposed of. There is no limit to that responsibility. You remain responsible. Even if eReco collect it from you, the data is still ultimately your responsibility. You would have to prove that you have engaged a data secure service provider and that their processes met your duty of care to protect your data.

If something went wrong and there was a data breach, you would still be in hot water, because the data remains yours, and you would need to prove to Genghis Khan, or our friendly neighbourhood ICO Chris Graham, that you acted responsibly.

Now all eReco customers will have no problem proving this. We provide Waste Transfer Notes, asset lists and certificates of data destruction, and if something goes wrong we have liability insurance up to £10,000,000. Our collections are secure, with security cleared personnel, and our facility down here in East Grinstead is also secure. This is certified and checked, without warning, by ADISA, and we are also approved by DIPCOG to work in the MoD/Government space.

All of which the truly responsible client will have checked out in advance. This is the important stuff you see...you need to show due diligence. And then do you know what actually keeps the MD out of choky? Yes that’s right, it’s the boring old paperwork!

Say your data ends up on eBay. This happens. A lot. So no pooh poohing me please. As General Melchet said in Blackadder 4, ‘did he pooh pooh you Blackadder?” I won’t have it. This is important stuff so no giggling at the back.

Once the data breach is crystal clear, you are in deep doggy doo’s. Genghis, however he finds out about it (and he will, because legally, if he doesn’t find out any other way, you have to tell him or face even graver consequences) will start asking some difficult questions. And the boring old paperwork which everyone takes for granted and does not give too much importance, becomes absolutely crucial.

First things first, Genghis would want to see what you asked us to collect. However you do it, by email or by filling in one of our forms, we keep a record of what you asked us to collect. This is important in a minute, so tuck it away at the back of your mind. Then we give you an estimate, and you accept this estimate, and we confirm a collection date.

On said date, we rock up and get the stuff. We bring with us a Waste Transfer note, which says we collected this sort of stuff from this address on said date.  Everyone signs and you get a copy. We also have consignment notes. This details the sort of materials being transported, whether they are hazardous or not, and gives full addresses and licenses for both parties. Not very interesting but all legal proof and approval for what we are doing.

Then we bring the stuff back here. We track it in, noting any serial numbers but also adding an identity number of our own, so that we always know where it is in our system. From this we produce an asset list. It should match the list you asked us to collect, of course. If you asked us to collect 10 PC’s we tell you that we have collected 10 PC’s and the serial numbers are XXXXXX. You now have a comprehensive audit trail of disposal from your request to us, through transportation by registered and licensed supplier to arrival at a registered, accredited and approved facility. In other words, you have proof of what you have done and Genghis loosens his grip on your throat, for the time being at any rate.

But before we move on, a reality check. I have said in previous blogs and always say to clients on the phone, tell us if you have more to collect than you have said. 

Partly this is because we want to charge you more. I am just like that, I like to get paid. Partly it is because I know what the vehicle can take in terms of weight and quantity of stuff, and we don’t want to overload it. But mostly because it is dangerous if you add something without telling us. Because the audit trail is potentially broken. In our case, we would pick it up when we compile our asset list, but legally PC XXX has magically left your care and arrived with us. You have not asked us to take it. What if you do not even know it is gone? Genghis might well slap you around a bit because of things like that.

However, let’s leave that side of things and get back to business. So we have your stuff and you have an audit trail which will be added to when we erase your hard drives and give you a certificate to prove we did it. At this point you are pretty much done. You can kneel before Genghis, carefully watching the scimitar in his hand and say ‘it was them, Guv’ if anything goes Pete Tong. We would end up in the dock together, because it’s still your data, but having employed a certified supplier and ticked all the paperwork boxes, it would take a very unreasonable Genghis to punish you, and our insurance would hopefully cough up.

Please note, this is all hypothetical, we have never had a problem and, touch wood, never will. We do things right. And going back to a well-worn theme of this blog, this is why we charge for our services. Even if we do agree a kit covers costs deal, which we do if you are recycling gold plated laptops, these costs are deducted before we share any revenue with anyone. Because we think this is the really important stuff. It’s the stuff that keeps your MD out of jail.

And you may think that is taking things a bit far. But take a look at the ICO’s hall of shame when you have a moment and imagine those breaches when director responsibility comes in. It is very tempting to look at IT equipment recycling as a cost, but I have always maintained that it is risk management.

Do it right, for your director’s sake.