Why Your Used Devices Can Still Affect Your GDPR Compliance

It is almost a year since the General Data Protection Regulation (GDPR) came into effect. With the new regime in place, a lot has changed. It has made an impact on business behaviour: especially on marketing which has become more careful. It also affected consumers who are perhaps frustrated by having to opt-in to emails, continually accept cookies and confirm acceptance of privacy rules (which they have almost certainly never bothered to read).

Since GDPR came into effect, over 59,000 data breaches have been reported throughout the European Economic Area, and data problems continue to be a hot topic in conversation, as well as fears of accidental GDPR non-compliance.

GDPR remains a constant commercial challenge, with some uncertainty about compliance and the boundaries of personal data. Businesses generally handle compliance well for devices that are still in use, but when replaced, it can be easy to overlook the secure erasure of data stored on the device. This can potentially catch companies out.

Out with the old

It is easy to forget about old devices. When supplying a new phone or laptop, the priority is to get the new device working well rather than worrying about what happens to the old ones. This could be a bottom drawer, or an old cupboard, both common graveyards for forgotten devices, where they collect dust, until sent to the local dump sometime later.

This approach overlooks the risk of housing a potentially serious GDPR hazard, and the unrealised value hidden within a pile of ageing hardware. It takes minutes to arrange for secure erasure of these devices. Considering the consequences of GDPR non-compliance, the risk of holding onto replaced devices is not worth taking, especially when there is a profitable alternative.

Deletion vs. Erasure

There is a big difference between deleting data rather than securely erasing data. Simply deleting data leaves a digital footprint so a third party can recover the deleted information. Secure erasure destroys data: its digital footprint is overwritten multiple times, and recovery is impossible.

A risk of GDPR non-compliance arises from Article 17 of the GDPR, the right to erasure. Organisations must be able to prove that they can remove data properly and permanently, so the difference between deletion and erasure is important. Compounding the problem, criminals can recover deleted information from discarded devices and put it to use, giving rise to personal data loss, and perhaps financial fraud.

If exposed, the data leak penalty can be massive. According to Article 83, infringement can result in a fine worth up to €20 million, or 4% of an organisation’s total annual turnover from the preceding financial year – €40,000 for every €1M of turnover. It is still early days, and many of the reported breaches await a decision on penalties. That said, the risk of a large fine is very real, as shown in the case of Google, recently hit with a €50 million bill for a ‘lack of transparency, inadequate information and lack of valid consent regarding ads personalisation’. Clearly, non-compliance is a risk best avoided.

Economic benefits of risk avoidance

You cannot simply give devices away as an act of charity, because the data risk is obvious.

You might think that storing old devices somewhere safe is an acceptable alternative because you avoid the costs of secure data destruction. The problem is that you are also storing a wasting asset: that replaced laptop has a value, and it decays by about 2% every month.

The better choice is to take control of the data risk: have the data securely erased and at the same time realise the value in your old IT equipment. This also avoids the risk of an unwitting GDPR breach.

Companies can also avoid the risk systemically, by choosing an IT lifecycle management solution. This device-as-a-service alternative will conserve cash and keep your team equipped with devices that work well. A replaced device is refurbished, its data erased, with auditable proof of erasure, and finally, the device is reused in a sustainable way.

Whether you choose to sell the device to a specialist or select a lifecycle management alternative, you avoid the risk of a GDPR fine and at the same time make better use of your company’s assets.

By Carmen Ene, CEO of 3 Step IT.


PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.