ADISA sets the Standard

Editorial Type: Industry Focus | Date: 2021-09-02 | Tags: Security, Covid-19, GDPR, Standards, IT Asset Disposal, Asset Management, ADISA, ICO
ADISA Asset Recovery Standard 8.0 formally approved by UK Information Commissioner's Office

In July 2019, ADISA CEO Steve Mellings sent a rather speculative email into the ICO, asking for details about how he could apply to get the ADISA ITAD Industry Standard recognised under Article 42 of the then EU GDPR. "That request now seems a very long time ago," he reflects, "as we have battled through Brexit, creation of UK GDPR and, of course, COVID challenges. But, as per the ICO press release on 19 August, I'm delighted to now be able to publicly confirm that ADISA IT Asset Recovery Standard 8.0 has become one of the first Standards approved by the Commissioner."

DATA IMPACT ASSURANCE LEVELS
"A key part of our work with the ICO was to find a way to empower the data controller to make decisions on critical processes undertaken during the asset recovery and data sanitisation activity which they may not even be aware of," explains Mellings. "These processes introduce risk, and the ICO made it clear that the data controller needed to be made aware of these and be able to determine the level of controls required."

This prompted much discussion about how it could be achieved without requiring the data controller to be completely hands-on in the process; it wasn't until he remembered the old CESG Business Impact Levels that the solution became apparent.

"By customising that concept, ADISA has created the 'Data Impact Assessment Level' or 'DIAL'. This is a formula in which the data controller answers five simple questions, which will then identify them at a particular DIAL rating. These questions are based on threat, risk appetite, categories of data, volume of data and, finally, impact of a data breach, and will enable the controller to present to their supplier a 'DIAL' that is determined by their own responses to those key questions.

"This has allowed the ADISA Standard 8.0 to introduce a tiering level for the controls, which are put in place in over 30 areas where different risk countermeasures have been identified. With a total number of 221 criteria, this is the most exacting assessment of a data processor within this specific industry," adds Mellings.

WHAT DOES THIS MEAN AND HOW CAN IT HELP YOU?
"In short, it means that, over the two-year period, we've worked with the Commissioner to agree on what needs to happen during the Asset Recovery and Data Sanitisation process for it to be viewed as UK GDPR compliant. With data protection and cyber security being a complex area, this new ICO-approved Standard can help fix one problem that many don't even know they have - how to dispose of retired assets and ensure regulatory compliance."

WE'RE ONLY HALFWAY THERE
"Whilst Standard 8.0 has now been formally recognised, we are now undertaking the second part of our project, which is to get our auditing process UKAS accredited, such that we have a UK GDPR-approved scheme," he adds. "We've been working on this behind the scenes for over 12 months and our application to UKAS is now in, and we expect this process to take between 6 and 9 months. This will provide ample time for existing certified ITADs and new applicants working towards 8.0, to ensure those companies certified to Standard 8.0 can genuinely evidence UK GDPR compliance."

To find out more, go to https://adisa.global.