CS Sep-Oct 2021
asset disposal

ADISA SETS THE STANDARD

ADISA ASSET RECOVERY STANDARD 8.0 IS FORMALLY APPROVED BY UK INFORMATION COMMISSIONER'S OFFICE

In July 2019, ADISA CEO Steve Mellings sent a rather speculative email into the ICO, asking for details about how he could apply to get the ADISA ITAD Industry Standard recognised under Article 42 of the then EU GDPR. "That request now seems a very long time ago," he reflects, "as we have battled through Brexit, creation of UK GDPR and, of course, COVID challenges. But, as per the ICO press release on 19 August, I'm delighted to now be able to publicly confirm that ADISA IT Asset Recovery Standard 8.0 has become one of the first Standards approved by the Commissioner."

DATA IMPACT ASSURANCE LEVELS

"A key part of our work with the ICO was to find a way to empower the data controller to make decisions on critical processes undertaken during the asset recovery and data sanitisation activity which they may not even be aware of," explains Mellings. "These processes introduce risk and the ICO made it clear that the data controller needed to be made aware of these and be able to determine the level of controls required."

This caused much discussion about how it could be achieved without a requirement for the data controller to be completely hands-on in the process, and it wasn't until he remembered the old CESG Business Impact Levels that the solution became apparent.

"By customising that concept, ADISA has created the 'Data Impact Assessment Level' or 'DIAL'. This is a formula in which the data controller answers five simple questions, which will then identify them at a particular DIAL rating. These questions are based on threat, risk appetite, categories of data, volume of data and, finally, impact of a data breach, and will enable the controller to present to their supplier a 'DIAL' that is determined by their own responses to those key questions.

"This has allowed the ADISA Standard 8.0 to introduce a tiering level for the controls, which are put in place in over 30 areas where different risk countermeasures have been identified. With a total number of 221 criteria, this is the most exacting assessment of a data processor within this specific industry," adds Mellings.

WHAT DOES THIS MEAN AND HOW CAN IT HELP YOU?

"In short, it means that, over the two-year period, we've worked with the Commissioner to agree on what needs to happen during the Asset Recovery and Data Sanitisation process for it to be viewed as UK GDPR compliant. With data protection and cyber security being a complex area, this new ICO-approved Standard can help fix one problem that many don't even know they have - how to dispose of retired assets and ensure regulatory compliance."

WE'RE ONLY HALFWAY THERE

"Whilst Standard 8.0 has now been formally recognised, we are now undertaking the second part of our project, which is to get our auditing process UKAS accredited, such that we have a UK GDPR-approved scheme," he adds. "We've been working on this behind the scenes for over 12 months and our application to UKAS is now in, and we expect this process to take between 6-9 months. This will provide ample time for existing certified ITADs and new applicants to work towards 8.0 to ensure those companies certified to Standard 8.0 can genuinely evidence UK GDPR compliance."

To find out more, go to https://adisa.global
computing security September 2021 @CSMagAndAwards www.computingsecurity.co.uk