Regulatory Compliance Standards

Almost every corporate organization has to comply in some way with regulatory compliance standards. The requirements vary by industry, but regulatory compliance is one of the major areas companies must consider when creating a data risk management policy. For those planning for risk across their company's IT processes, a major regulatory concern is data security. Regulatory standards generally place a high value on data security and impose serious penalties on organizations that let sensitive data leak, including data recovered from equipment that was retired without proper sanitization.

PureITAD works with our clients to design data destruction policies that not only meet, but exceed, regulatory compliance requirements.

A few of the regulatory compliance standards we work with are:

PCI-DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a standard developed by the payment card brands through the PCI Security Standards Council. Its main purpose is to protect cardholder data wherever it is stored, processed, or transmitted. What does payment card information have to do with your IT assets? Whether your organization stores cardholder data in the cloud or exclusively on local hard drives, that data can linger on retired equipment if it is improperly sanitized or disposed of, and the liability for the resulting breach could fall on you. PCI DSS is designed to ensure that companies maintain a secure environment for cardholder data no matter where it is stored and no matter how large or small the organization is. If your organization accepts, transmits, or stores any cardholder data, or handles equipment from merchants that hold a Merchant ID (MID), PCI DSS applies to you.

Several PCI DSS requirements relate directly to managing physical equipment. Entities that process payment card data must have data retention and disposal policies in place (Requirement 3), so that cardholder data is kept no longer than business, legal, or regulatory needs dictate. Physical access to cardholder data must be restricted (Requirement 9) with measures such as video monitoring, locked doors, and controlled access to network jacks and equipment. The same requirement addresses the destruction of media once it is no longer needed for business or legal reasons: hard-copy materials must be shredded, incinerated, or pulped so the data cannot be reconstructed, and cardholder data on electronic media must be rendered unrecoverable, either by secure wiping in accordance with industry-accepted standards for secure deletion or by physically destroying the media.

PIPEDA

In Canada, PIPEDA applies to personal information, health-related or otherwise, that private-sector organizations collect, use, or disclose in the course of commercial activity. All companies conducting "commercial activity" in the country are subject to the Personal Information Protection and Electronic Documents Act (PIPEDA), the federal privacy law for private-sector organizations, except where a province has enacted its own substantially similar private-sector law (British Columbia, Alberta, and Quebec have done so; even there, PIPEDA continues to apply to federally regulated organizations and to personal information that crosses provincial or national borders). It sets out the ground rules for how businesses must handle clients' and employees' personal information in the course of commercial activity, including the requirement to protect it, with safeguards appropriate to its sensitivity, against loss, theft, and unauthorized access, disclosure, copying, use, or modification.

Failure to comply with PIPEDA can have serious consequences for your organization. Working with an accredited data destruction expert greatly reduces the risk of a data breach, which can carry not only financial consequences but also lasting damage to your brand.

PIPA

British Columbia's Personal Information Protection Act (PIPA) sets out the ground rules for how private-sector and not-for-profit organizations may collect, use, or disclose information about you. PIPA requires an organization to destroy, erase, or anonymize personal information about you that it no longer needs for the purpose for which it was collected, or for a related business or legal reason.

PHIPA

The Personal Health Information Protection Act (PHIPA) sets out rules for the collection, use, and disclosure of personal health information, and for the destruction of that information once it is no longer needed. These rules apply to all health information custodians operating within the province of Ontario, and to individuals and organizations that receive personal health information from health information custodians. A high-profile data breach led to strict data destruction requirements being incorporated into PHIPA for both paper and digital records containing personal health information.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) is a United States federal law whose Privacy and Security Rules, among other things, govern the security and privacy of protected health information held by covered entities and their business associates. The Security Rule's device and media controls require covered entities to have policies and procedures for the final disposition of electronic protected health information and the hardware or media it is stored on, and for removing that information from media before the media are made available for reuse. If your organization handles US healthcare data, the equipment that stored it remains within scope of those rules until the data on it has been properly destroyed.

GDPR

The GDPR, or General Data Protection Regulation, applies from 25 May 2018. The GDPR casts a wide net, applying to any company that offers goods or services to individuals in the EU, even if it is based in Canada. It may even apply to companies that track the online activity of people in the EU, potentially including those doing so for targeted advertising purposes, warns Thompson. Under the GDPR, processors carry direct obligations alongside controllers, and both can be held liable for a breach involving improperly destroyed data. This joint liability means that both the business (the controller) and the ITAD firm (the processor) are responsible for the secure destruction of data assets. The GDPR also requires any business that controls or processes personal data to keep detailed records of its processing activities, including, where possible, a general description of the security measures it applies.

Clearly, with the joint liability rules and the need for detailed documentation and a full audit trail of how data is managed, processed, and destroyed, businesses and IT Asset Disposition firms alike need a transparent and unified view of how they manage secure asset disposal and how they verify that each data asset was destroyed in line with the regulations. In practice that means a certificate of destruction for every asset that ties the serial number of the device or media to the sanitization method used and the date it was performed, so the audit trail can be produced on request. It is therefore crucial to ensure that the data processor is an experienced and accredited firm capable of offering full compliance transparency at every step of the way.
