In the two months following the introduction of the European Union’s General Data Protection Regulation (GDPR), 44% of businesses in the trade sector did not wipe the data from redundant IT equipment before disposal.
This is the main finding of a survey of more than 1,000 workers in a wide range of trades, including construction, plumbing and carpentry, by IT services firm Probrand.
The finding is linked to the survey’s finding that 71% of all UK businesses in the trade sector do not have an official process or protocol for disposing of obsolete IT equipment.
Nearly half (47%) of trade workers polled admitted they would not even know who to approach within their company about disposing of old or unusable equipment correctly.
The five industries most guilty of not clearing the memory of IT equipment before disposal in the months following GDPR were transportation (72%), sales and marketing (62%), manufacturing (59%), utilities (58%) and retail (57%).
Matt Royle, marketing director at Proband, said that given the amount of publicity around the GDPR, it was “arguably impossible” to be unaware or misunderstand the basics of what is required for compliance.
“It is startling to discover just how many businesses are failing to implement and follow some of the simplest data protection practices. This is especially startling to see from businesses in the trades sector, where sensitive customer information, including address details, are handled all the time,” he said.
Under the GDPR and the GDPR-aligned UK Data Protection Act, if a personal data breach is found to have infringed any individual’s privacy rights, the company concerned could be liable for a fine up to €20m or 4% annual global turnover, whichever is higher. If a breach is found to have infringed the organisation’s obligations under the data protection laws, the fine could be up to €10m, or 2% annual global turnover, whichever is higher.
The fines for non-compliance with the new data protection laws can potentially run into millions, said Royle, but what appear to be less tangible factors, such as reputational damage, customer trust and loyalty, could also become financially significant.
“Given these findings, it is clear that more needs to be done to ensure that all businesses have a disposal procedure in place to avoid inadvertently leaking sensitive data,” he said.