GDPR is here

As you are no doubt aware due to all the press, radio and TV coverage, GDPR is coming in to force on 25th May 2018.

For the last 4 years we have been updating clients with what is required in this legislation and from the start updated our services and methods of working to ensure compliance. In relation to IT Asset Disposal and dealing with equipment that holds personal data, the new legislation is very clear. The Client (You) is the data controller and the IT Disposal Company (Us) Is the Data Processor.

As detailed in my previous emails the main points of the legislation in relation to our joint activities are as follows (This is directly from the Information Commissioner’s office “ICO” Website and is the law):

  • Whenever a controller uses a processor it needs to have a written contract in place
  • Controllers are liable for their compliance with the GDPR and must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected
  • Processors must only act on the documented instructions of a controller



Contract Checklist

A contract of service/Terms of service agreement must include:

  • The subject matter and duration of the processing
  • The nature and purpose of the processing
  • The type of personal data and categories of data subject
  • The obligations and rights of the controller
  • The processor must only act on the written instructions of the controller (unless required by law to act without such instructions)
  • The processor must ensure that people processing the data are subject to a duty of confidence
  • The processor must take appropriate measures to ensure the security of processing
  • The processor must only engage a sub-processor with the prior consent of the data controller and a written contract
  • The processor must assist the data controller in providing subject access and allowing data subjects to exercise their rights under the GDPR
  • The processor must assist the data controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments
  • The processor must delete or return all personal data to the controller as requested at the end of the contract
  • The processor must submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state


Ecosystems have had in place numerous processes and procedures in the IT Asset Disposal/Data Destruction service that we provide to ensure this legislation is complied with at the outset.

A comprehensive set of risk assessments/method statements for every type of data bearing item that may be disposed of detailing how it is stored, uplifted, transported processed and reported. This acts as the keystone written principles of how we act as the data processor on behalf of the data controller.

Risk assessments/method statements can be downloaded from here: RA&MS-2018
A Contract of Service/Terms of service agreement can be downloaded from here: SLA-2018

Our terms of service agreement legally binds us to only act in the agreed way described in the risk assessments/method statements when acting as the Data Processor on behalf of our clients. It specifically deals with all aspects of GDPR Legislation and ensures compliance with its requirements when utilising our services.

Please download a copy of both documents and review them. Should you require any amendments to either document please let me know and I will make the necessary changes where needed.

Should you already have a bespoke contact in place with Ecosystems, these documents do not take precedence over the current agreement and the current agreement will stay in force. For clients not working under a bespoke agreement. Arranging for a collection of equipment will indicate that you have read and understood both the Method Statements/Service Level Agreement and that the Risk Assessments/Method Statements are your written instruction on how we are to act as your Data Processor. The service Level Agreement then legally binds us to these written instructions.

As there is a legal requirement to state the duration of the agreement.

We have set this as a 1-year rolling contract, but we do not specify any minimum usage requirements, exclusivity demands or payment conditions.  In effect, we have set out compliance to GDPR when utilizing our services without tying the clients to exclusively use our services, or to have to renegotiate contracts after a specified timescale.

There is also a lot of smoke and mirrors being stated that Data Processors need to have an approved code of conduct or certification scheme.  And that you can only use companies that are part of a certain “Trade Body”

Again the ICO Website states the following:
“The GDPR envisages that adherence by a processor to an approved code of conduct or certification scheme may be used to help controllers demonstrate that they have chosen a suitable processor. Standard contractual clauses may form part of such a code or scheme, though again, no schemes are currently available. “

As there are no current schemes available, we will continue to maintain our ISO9001 Quality Management, ISO14001 Environmental Management ISO27001 Information Security Management and NHS IG Toolkit Accredited methods of working. (Resources)

Should an approved code of conduct, or certification scheme become available and a requirement, we will ensure compliance.
To conclude, our service remains the same, we have been ready for 4 years and have been ensuring legislative compliance and data protection since our inception. Because we have been ready for so long, you will see no changes to the service we supply to you.

  • We will continue to maintain our “Proof Not Promise” Service where we provide irrefutable evidence that each data bearing item has had its date irreversibly destroyed.
  • We will continue to maintain our service on a free basis
  • We will continue to protect our clients from the horrible consequences of a data breach when disposing of redundant IT equipment.
  • We are ready, we have been ready for years. When you need us, just let us know.
  • Should you require any further information, or I can be of additional assistance, please feel free to contact me, as I would be delighted to help.