End-of-Life Risk Management: What the Board Needs to Demand from IT and Legal Departments

Introduction

Risk management at the end of life of digital assets requires strategic attention from the board, especially involving the IT and Legal departments. The correct conduct of this process is essential to mitigate legal risks, protect sensitive data, and ensure regulatory compliance, as established by official Brazilian regulations.

The role of the IT department in risk management

The Information Technology sector must implement robust measures to ensure data security during the termination of the usage cycle of equipment and media. The NIST SP 800-88r1 standard serves as an international reference for the secure sanitization of media, preventing the leakage of confidential information.

Additionally, it is crucial that standardized practices of secure hard drive and media sanitization are carried out, ensuring that corporate data cannot be recovered after disposal. Such procedures minimize cyber risks and meet legal requirements related to data protection, in accordance with the General Data Protection Law (Law No. 13,709/2018).

Responsibilities of the Legal department

The Legal sector must ensure that end-of-life asset management is aligned with current legislation, such as the National Solid Waste Policy (Law No. 12,305/2010 - PNRS) and the Legal Framework for the Protection of Personal Data (Law No. 13,709/2018).

It is the responsibility of this area to guarantee contracts and internal policies regulating the proper disposal of electronic equipment, including specific clauses for the treatment of legal risks arising from data exposure and environmental compliance.

Strategic demands for the board

For risk management at end of life to be effective, the board must require periodic reports from the IT and Legal departments demonstrating compliance with technical and legal standards, as well as the effectiveness of sanitization and disposal processes.

Furthermore, planning should include scheduling of electronic waste collection by certified companies, ensuring environmental responsibility and compliance with the guidelines of the National Information System on Solid Waste Management (SINIR - sinir.gov.br).

Conclusion

The board must ensure that the IT and Legal departments adopt integrated practices aligned with applicable legislation, minimizing operational, legal, and reputational risks at the end of life of digital assets. Compliance with official standards and the use of recognized methodologies are essential for organizational security and sustainability.