Data breaches involving the exposure of sensitive personal information have been increasing at an alarming rate. In the United States alone, Statista, an online statistics portal, reported 1579 data breaches with 179 million records exposed during 2017, a 44% increase from the previous year.
To ramp up protection for its 750 million citizens, the European Union (EU) evolved the 1998 Data Protection Act into the General Data Protection Regulation (GDPR), which went into effect in May 2018. Its 99 articles regulate not only how organizations protect and use data collected on its citizens but also what fines will be imposed on offenders.
Organizations that violate the regulations, either intentionally or unintentionally, even for something as seemingly mundane as a lost work cell phone, and do not report such data exposure within 72 hours may be slapped with fines as high as 20 million Euros or 4% of their revenue. That is before counting the incalculable public relations damage that results from worldwide awareness of the breach.
The GDPR Rules Apply to Everyone
Make no mistake: the rules apply to all companies, profit or nonprofit, large or small, located anywhere in the world, that collect sensitive data on EU citizens such as names, credit card numbers, home addresses, photos and any other identifiers. (See further reading below.) Companies with fewer than 250 employees, or that do not specifically target EU citizens, especially via web sites written in those citizens' native languages, may be subject to less stringent regulations or no regulations. The regulation in its entirety needs to be read and measured against an organization's data collection and processing procedures.
Data Protection Officer
Depending on the scope of an organization, the appointment of a Data Protection Officer may be required. Examples include organizations that are public authorities, that carry out regular and systematic monitoring of data subjects on a large scale, or that process special categories of data such as criminal convictions, political opinions or ethnicity.
To complicate an already complicated regulation, the GDPR protocols extend to the entire life cycle of electronic equipment, including end-of-life electronics and e-waste.
Organizations should no longer dump unwanted end-of-life electronic equipment into landfills, send it to general recycling centers, or donate it to charities if it contains sensitive information on EU citizens. Rather, the information must be destroyed following approved GDPR-compliant protocols. The GDPR casts a wide data net and you do not want your company to get caught up in it. (See links to further reading at the end of this article.)
Reducing Data Breach Risk
Castaway Technologies works with companies to reduce their GDPR data breach risk by properly disposing of end-stage electronic storage devices such as the hard drives commonly found in computers, laptops, servers and point-of-sale devices, as well as in digital printers and copiers. Additionally, we safely handle the myriad mobile devices such as smart phones, tablets, USB "thumb" drives, external hard drives and more.
Under the current regulations, Castaway provides assistance on directives found in three specific articles:
Article 25: Data Protection by Design and Default. Your data erasure will be done properly.
Article 28: Processing/Third Party Contracting. Your Data Controller can hire us knowing we provide security guarantees.
Article 32: Security of Processing. You will be provided records of all processing activities and a Certificate of Destruction.
Read the official GDPR rules at https://gdpr-info.eu.
Read about more examples of Personal Data Identifiers at
If you’d like to discuss our GDPR-compliant data destruction processes and procedures, please contact a Castaway data destruction specialist at (978) 208-4730. We are here to make your business life more GDPR-wise, data-secure and compliant.