Data Privacy Regulations You Need to Know During ITAD



128 out of 194 countries around the world have enacted legislation to secure the protection of data and privacy.  These global efforts to help protect personal data and prevent data breaches have been in response to the large increase in data incidents that have evolved over the past few years. Data breaches are happening more frequently with 2020 deemed by Risk Based Security as the “worst year on record” by Q2 in terms of total number of records exposed.

Experian disclosed data breach trends from the previous year in a recent report forecasting 2021 trends. Future trends for causes of data breach incidents include targeted attacks toward vaccine efforts, home networks, contact tracing applications, 5G network devices, and healthcare service technologies. The common thread woven into each of these trends, is the fact that they are all facilitated through electronic devices. Devices we use every day and upgrade regularly.

Implementing a comprehensive disposal plan for all electronics will always be necessary to ensure both consumers and businesses of data protection. A company’s IT asset disposition (ITAD) program must consider protection against various types of threats, as well as compliance with existing regulations. It is important to be familiar with all local and regional regulations, but there are some that may affect you, no matter where you, or your business, is located.


Here is a list of regulations affecting global IT asset disposition today.

General Data Protection Regulation (GDPR)

In May 2018, the EU’s General Data Protection Regulation (GDPR) came into effect. GDPR was a huge legislative change in Europe that outlines significant financial penalties for non-compliant handling of EU citizens’ data. It does not matter where you are based, where you do business or where your headquarters is located. If your company handles, processes, or stores data of EU citizens, you need to be GDPR compliant. The consequences of non-compliance are severe. Companies can face fines of up to €20,000,000 or 4 percent of global revenue.

Recently with Brexit, the UK decided to create their own version of the GDPR known as the UK GDPR. This new UK GDPR is still based on the same criteria of the Data Protection Act of 2018, however the UK will have the ability to make their own changes as they see fit in the future.

Sector-Specific U.S. National Privacy or Data Security Laws

In the United States, there is a patchwork of different legislation for different industries including:

  • The Health Insurance Portability and Accountability Act (HIPAA) of 1996 which protects healthcare patient data,
  • The Gramm-Leach-Bliley Act (GLBA) and the Fair and Accurate Credit Transactions Act (FACTA) which are directed at financial institutions,
  • The Payment Card Industry Data Security Standard (PCI DSS) which applies to companies who accept credit card payments, and
  • The Family Educational Rights and Privacy Act (FERPA) legislation that protects the privacy of students by ensuring their education records are protected.

California Consumer Privacy Act (CCPA)

California passed a digital privacy law, the California Consumer Privacy Act (CCPA). When compared to the GDPR, the CCPA takes a broader approach on what it constitutes as sensitive data. This privacy law will provide consumers with the right to know what information companies might be collecting about them and why, and will require companies to remove and dispose of that data per consumer request. This new legislation went into effect Jan. 1, 2020. With California paving the way, there are around 30 states working on their own version of the CCPA legislation.

Lei Geral de Proteção de Dados Pessoais (LGPD) – Applicable August 15, 2020

Similar to the European GDPR, Brazil passed the Lei Geral de Proteção de Dados Pessoais (LGPD) law to secure the privacy of Brazilian users. This framework applies to organizations that offer their services to people in Brazil, and outlines the use and processing of personal data of Brazilian users, regardless of where the data processor is located. Penalties for noncompliance are listed as 2 percent of the company’s Brazilian revenue of up to $50 million per violation.

Australia Privacy Act 1988

Australia has the Australian Privacy Act that requires individuals to be notified if their personal information was involved in a data breach. In February 2018, the Australian government established a privacy amendment titled the Notifiable Data Breaches Act 2017. This scheme affects those under the Australian Privacy Act and requires them to take steps to secure certain categories of personal information.

Uganda Data Protection and Privacy Law

Uganda, which is known to be the “most secure cyberspace in Africa”, signed their own Data Protection and Privacy Bill into law in February 2019. The aim of this law is to protect the personally identifiable information (PII) of Uganda citizens.

While there are various data privacy laws around the world, some of the countries considered to have the heaviest data protection laws include Austria, Australia, Belgium, Canada, France, Hong Kong, Ireland, Italy, Netherlands, Norway, Poland, Portugal, South Korea, Spain, Sweden, Switzerland, United Kingdom, and the United States.

Your IT asset disposition company should be able to offer expertise on which regulations and laws pertaining to you depending on where you are located, and the facility nearest you that will process your material.


Author: SRS Media