Insolvency Practitioners (IPs) could face fines for non-deletion and management of data belonging to the insolvent companies they act for, according to an IT asset disposal company. As IPs look to sell assets belonging to these companies, unless the data has been permanently removed from the technology hardware the IPs could be legally exposed under general data protection rules, the GDPR, says DSA Connect.
The company warns that some IT companies may claim that they can properly delete data from devices, but it says it has seen cases where this has not been done properly, leaving the insolvency firms and organisations that use them potentially legally exposed. DSA Connect says that it’s aware of at least one financial institution that recently had to inform clients that an IT Asset Disposal (ITAD) vendor’s mistakes could have left personal information susceptible to misuse. Some clients are allegedly taking legal action against the investment firm.
Harry Benham, Chairman of DSA Connect said: “The coronavirus crisis is putting thousands of businesses under huge stress, and the number that went into insolvency between March 10 and April 9 was 50 per cent higher than the same period last year (according to Humphries Kerstetter analysis of insolvencies listed on London Gazette, the UK public record for insolvencies). There are also over 500,000 UK businesses in serious financial distress, which is around 7pc higher than last year (according to the corporate recovery and forensic accounting company Begbies Traynor, a record 527,000 business were in significant financial distress at the end of June).
“All of this means that IPs are increasingly busy, this growth in insolvencies also increases the risk of personal data being left on electronic devices that are being sold as part of the liquidation of the assets of the companies that they act for. Legislation around how personal data is stored and used in the UK has never been more robust, as GDPR clearly and firmly puts the responsibility on the owner (or their agent) for any personal data held on its electronic devices. Clearly, most IPs and their contractors are very well versed in dealing with the disposal of laptops, PC’s, servers etc., but increasingly data is being captured on devices such as telephone systems, smartphones, TVs, photocopiers, point of sale machines and the like. So, the risk of IPs falling foul of GDPR is heightened, as the types and volumes of electronic devices which retain data grows. The increased risk of items being sold containing data could potentially expose the IP to breaches in GDPR which could result in fines and/or compensation, together with brand and reputational damage.
“Unfortunately, there are a number of IT disposal companies in the market place claiming to legally and professionally dispose of data on devices, but we have found that the processes some of them use are flawed and that the data they claim to have deleted can be retrieved. IPs can greatly reduce and even avoid the risk of the accelerating GDPR danger, by selecting an IT disposal partner who is qualified, with the industry accreditations and using tools certified by CESG and approved by the UK National Cyber Security Centre (NCSC).”
About DSA Connect
The firm provides an IT asset disposal service utilising a methodology created with the Ministry of Defence. Its IT end-of-life service allows for the removal and data eradication from IT equipment and electronic devices by using tools certified by CESG and approved by the UK National Cyber Security Centre (NCSC). Also, depending on the quantity and type of equipment for disposal, the company offers a rebate of up to 80pc on all re-saleable assets. The company was set up in 2011 to partner the Ministry of Defence in developing the MoD’s asset disposal service.
