Data Privacy Regulations You Need to Know During ITAD

Posted by on March 27, 2019

More than 100 countries around the world have enacted data protection regulations to help control the access and use of personal and private data. These global efforts to help protect personal data and prevent data breaches, have been in response to the large increase in data incidents that have evolved over the past few years. Data breaches are happening more frequently, with the first breach of 2019 occurring less than 24 hours into the New Year.

Experian disclosed data breach trends from the previous year in a recent report forecasting 2019 trends. Trends included biometric hacking, skimming, disabling wireless communications, cloud vendor data breaches and emerging risks for the online gaming community. The common thread woven into each of these trends, is the fact that they are all facilitated through electronic devices. Devices we use every day and upgrade regularly.

Implementing a comprehensive disposal plan for all electronics will always be necessary to ensure both consumers and businesses of data protection. A company’s IT asset disposition (ITAD) plan must consider protection against various types of threats, as well as compliance with existing regulations. It is important to be familiar with all local and regional regulations, but there are some that may affect you, no matter where you, or your business, is located.


Here is a list of some regulations affecting global IT asset disposition today.

General Data Protection Regulation (GDPR)

In May 2018, the EU’s General Data Protection Regulation (GDPR) came into effect. GDPR is a huge legislative change in Europe that outlines significant financial penalties for non-compliant handling of EU citizens’ data. It does not matter where you are based, where you do business or where your headquarters is located. If your company handles, processes, or stores data of EU citizens, you need to be GDPR compliant. The consequences of non-compliance are severe. Companies can face fines of up to €20,000,000 or 4 percent of global revenue.

Sector-Specific U.S. National Privacy or Data Security Laws

In the United States, there is a patchwork of different legislation for different industries including:

  • The Health Insurance Portability and Accountability Act (HIPAA) of 1996 which protects healthcare patient data,
  • The Gramm-Leach-Bliley Act (GLBA) and the Fair and Accurate Credit Transactions Act (FACTA) which are directed at financial institutions,
  • The Payment Card Industry Data Security Standard (PCI DSS) which applies to companies who accept credit card payments, and
  • The Family Educational Rights and Privacy Act (FERPA) legislation that protects the privacy of students by ensuring their education records are protected.

California is working to pass a digital privacy law that is being communicated as “one of the most significant regulations overseeing the data-collection practices of technology companies in the United States.”

This privacy law will provide consumers with the right to know what information companies might be collecting about them and why, and will require companies to remove and dispose of that data per consumer request. This new legislation is expected to go into effect in January of 2020.

Australia Privacy Act

Australia has an Australian Privacy Act that requires individuals be notified if their personal information was involved in a data breach. Last February 2018, the Australian government established a privacy amendment titled the Notifiable Data Breaches Act 2017. This scheme affects those under the Australian Privacy Act and requires them to take steps to secure certain categories of personal information. 

Uganda Data Protection and Privacy Law

Uganda, which is known to be the “most secure cyberspace in Africa”, recently signed their own Data Protection and Privacy Bill into law in February 2019. The aim of this law is to protect the personal identifiable information (PII) of Uganda citizens.

While there are various data privacy laws around the world, some of the countries considered to have the heaviest data protection laws include Austria, Australia, Belgium, Canada, France, Hong Kong, Ireland, Italy, Netherlands, Norway, Poland, Portugal, South Korea, Spain, Sweden, Switzerland, United Kingdom and the United States.

Your IT asset disposition company should be able to offer expertise on which regulations and laws pertain to you depending on where you are located, and the facility nearest you that will process your material.

For more information on how to build a successful global IT asset disposition program view our white paper.

[Webinar] IT Asset Disposition & GDPR: What you Need to Know