Insolvency Practitioners (IPs) could face huge fines for failing to delete or properly manage data belonging to the insolvent companies they act for, according to IT asset disposal firm DSA Connect.
The company says that unless the data has been permanently removed from the technology hardware, IPs could well be legally exposed under GDPR.
The company also warns that there are some unscrupulous IT companies claiming that they can properly delete data from devices, but it says it has seen cases where this has not been done properly, leaving the insolvency firms and organisations that use them potentially legally exposed.
DSA Connect claims that it is aware of at least one leading financial institution that recently had to inform clients that an IT Asset Disposal (ITAD) vendor’s mistakes could have left personal information susceptible to misuse. Some clients are allegedly taking legal action against the investment firm.
Harry Benham, Chairman of DSA Connect, said: “The Coronavirus crisis is putting thousands of businesses under huge stress, and the number that went into insolvency between 10th March and 9th April was 50% higher than the same period last year (1). There are also over 500,000 UK businesses in serious financial distress, which is around 7% higher than last year.”
“All of this means that IPs are increasingly busy, and this growth in insolvencies also increases the risk of personal data being left on electronic devices that are being sold as part of the liquidation of the assets of the companies that they act for. Legislation around how personal data is stored and used in the UK has never been more robust, as GDPR clearly and firmly puts the responsibility on the owner (or their agent) for any personal data held on its electronic devices. Clearly, most IPs and their contractors are very well versed in dealing with the disposal of laptops, PCs, servers etc., but increasingly data is being captured on devices such as telephone systems, smartphones, TVs, photocopiers, point of sale machines and the like. So, the risk of IPs falling foul of GDPR is heightened, as the types and volumes of electronic devices which retain data grow. The increased risk of items being sold containing data could potentially expose the IP to breaches in GDPR which could result in fines and/or compensation, together with brand and reputational damage.”
“Unfortunately, there are a number of IT disposal companies in the marketplace claiming to legally and professionally dispose of data on devices, but we have found that the processes some of them use are flawed and that the data they claim to have deleted can be retrieved.”
“IPs can greatly reduce and even avoid the risk of the accelerating GDPR danger by selecting an IT disposal partner who is qualified, with the industry accreditations and using tools certified by CESG and approved by the UK National Cyber Security Centre (NCSC).”