Data impact assurance levels explained

The time has come to 'DIAL' it in, states ADISA founder Steve Mellings

Over the coming weeks, businesses will increasingly be asked to create a Data Impact Assurance Level (DIAL) by the companies they have engaged to collect their redundant equipment and sanitise the media. But what on earth is a DIAL, and what is the benefit to you of creating one?

This article explains what the DIAL concept is and why it was crucial in the approval of ADISA Asset Recovery Standard 8.0 by the UK Information Commissioner's Office. And most importantly, why this helps organisations comply with UK GDPR when disposing of redundant equipment.

WHERE DID IT ALL BEGIN?
When ADISA launched in 2010, our ambition was to help improve risk management for companies disposing of their redundant equipment through the development of standards. Our ICT Asset Recovery Standard has gained significant traction in the UK and is well supported by the leading IT Asset Disposal (ITAD) companies in the sector. When EU GDPR was passed into law, we saw that approved Certification Schemes were covered within its articles, and so we started exploring how we might evolve our programme by achieving official recognition under the overarching data protection law.

WORKING WITH THE UK INFORMATION COMMISSIONER'S OFFICE
In July 2019 ADISA submitted our ICT Asset Recovery Standard to the ICO for approval as an EU GDPR Certification Scheme. (This would later move to UK GDPR post-Brexit!) Our Standard was structured such that risks to data were identified and countermeasures were required to remove or mitigate those risks. These countermeasures were presented as prescriptive criteria included in the Standard, and companies being certified were required to meet those criteria to evidence how they were managing those risks on behalf of their customers.

When we started working with the ICO it soon became clear that, rather than focusing on the industry, we needed to look at the process from the data controller's viewpoint. Whilst the previously identified risks remained the same, who determined whether the countermeasures were appropriate did not. Previously it was either ADISA, via the publication of the Standard, or the ITAD, through provision of the service, who determined the appropriateness of the countermeasures to be deployed. Clearly, within UK GDPR what is deemed "appropriate" will vary from one data controller to the next, so how could a binary standard claim to represent all data controllers' own requirements?

This created a quandary: how do we first allow the data controller to see all the points in the process where risk exists, and then secondly allow them to influence the risk treatments to suit their own specific requirements?

The answer was to create the concept of Data Impact Assurance Levels.

When working with the regulator it was clear that, to judge whether something is an appropriate risk treatment, we must first understand a range of variables for each data controller. ADISA identified five variables:

  • Threat - Who are we protecting our data from, and what are their capabilities?
  • Risk Appetite - Do we permit additional treatments to be available, at a price, or do we require all possible risk treatments to be applied?
  • Volume of Data - What is the aggregated risk we are trying to manage?
  • Categories of Data - What data are we having processed?
  • Impact of a data breach - If we suffered a data breach, what would happen? Share price impact, loss of reputation or regulatory action?

Within each of these variables a data controller can determine their own position by following the workings laid out in Part 1 of the ADISA Standard or by using the free-to-use software on our website. By working through these questions, the data controller produces a single DIAL rating, which indicates what level of controls would be appropriate for each of the risks being managed on their behalf by their certified ITAD partner. This simple approach finally gives the data controller a means of influencing risk management in a process which is often both out of sight and out of mind.

WHY IS DIAL GOOD?
By introducing the DIAL concept to our Standard, ADISA was able to meet the UK ICO's expectation of how risk is to be managed by the data controller when they dispose of redundant equipment. This is particularly important where the disposal of redundant equipment is concerned, as the volume of data being processed is enormous, making it one of the biggest risks within enterprise data protection. Due to the transactional nature of the process, including moving physical assets outside of existing security environments, there are a significant number of points in the process where risk exists. By presenting a DIAL to the ITAD partner, a data controller is indicating what controls they want in place on those processes, reflecting their own situation. This is achieved by there being different levels of risk treatment for each identified risk, offering increasingly better levels of risk management.

Of course, increased controls for unnecessary reasons could lead to unnecessary cost, which is why the DIAL concept enables data controllers to manage risk directly attributed to their own situation.

CREATING YOUR DIAL
Companies already certified by ADISA are working towards the new 8.0 Standard and as such will be able to issue you a URL to the ADISA website, where you can answer five questions which then create your DIAL and a certificate. Even if your existing partner is not certified, you can go to the ADISA website yourself and complete the same process to create your own DIAL.

Each ITAD, when being certified, will achieve their own DIAL rating, which indicates the highest DIAL they are capable of operating at. You should verify that your ITAD partner's DIAL rating meets your requirements. If they do not have a DIAL, or operate at a lower level than you require, they will either need to become certified or improve their capability, or you should deem them unsuitable.

Standard 8.0, incorporating the DIAL concept, assures you of meeting UK GDPR compliance not because your ITAD partner is telling you, nor because ADISA is telling you. You are assured of meeting UK GDPR because the ICO has confirmed that using an ITAD who is certified to 8.0 by a UKAS-approved audit process is UK GDPR compliant.
