Almost one-third of organisations using companies to deal with old IT equipment could be exposed to significant fines if they do not ensure that data is properly deleted.
Under the General Data Protection Regulation legislation, which comes into force in Ireland in May 2018, companies must ensure that they are able to account for the whereabouts of their data or they could face fines of up to 4 per cent of global turnover or €20 million.
According to a survey from IT retirement company AMI, 32 per cent of companies admit they do not receive formal confirmation from IT retirement providers that their data has been erased.
In the event of a data breach, any company that cannot confirm whether its data has been erased could be subject to fines.
Some 77 per cent of companies surveyed suggested that data theft from a retired device would have grave consequences for their business, with 8 per cent saying that their company would be forced to cease trading as a result.
The survey also found that despite the value of old IT equipment, 70 per cent of businesses say they do not recover any value when retiring old assets.
Vulnerable
“Irish organisations are leaving themselves vulnerable at the end-of-life stage by failing to securely manage the retirement of their old IT assets,” said Philip McMichael, managing director of AMI.
“Companies need to establish processes for disposing of this equipment and dramatically reduce the amount of time that it spends in storage as this increases the risk of data going missing. It also devalues the equipment, so it’s in the companies’ own interest to manage this process effectively.
“The primary focus for Irish organisations now has to be plugging the security gap stemming from current and past failings to securely tackle IT retirement.”
The AMI survey was carried out in May among 135 IT professionals and decision-makers in Irish-based businesses.