The situation can seem relatively simple – you have some end-of-life IT kit to dispose of, a company comes and collects it for you. Done. In reality, the situation needs a bit more thought. When disposing of end-of-life kit – especially if it’s data-bearing – it’s not just about finding the first company who can shift it for you. You should approach the selection of an IT asset disposal partner carefully, to ensure that your devices are being disposed of in the correct way.
There are quite literally hundreds of IT asset disposal companies (also known as ITADs) in the UK. So how do you know which one is right for you? How do you identify and select a trustworthy partner who has the capabilities and the credentials to carry out IT asset disposal correctly and compliantly?
In the context of ITAD, compliance is becoming an increasingly vital part of the process. The General Data Protection Regulation (GDPR), coming into force in May 2018, brings with it stricter controls around how data is processed and disposed of. Data-bearing hardware must be disposed of with care, and the process must tick the right boxes. You can find out more about this here.
We’re here to help. Here are a few things to look for when choosing an IT asset disposal partner.
While using a certified or accredited company is not mandatory under GDPR, it is advised. Using an ITAD company that has signed up to a certification scheme assures you that they are operating compliantly, and demonstrates that you have taken adequate steps to operate in a similar way. An ITAD business may hold any number of certifications and accreditations, but some key ones to look for are as follows:
- 27001 Information Security – this demonstrates that the company takes a systematic approach to managing sensitive data securely.
- ADISA (Asset Disposal & Information Security Alliance) certification – ADISA sets global industry standards for IT Asset Disposal, and companies that hold this have demonstrated they follow best practice when it comes to handling data-carrying assets.
- BS EN 15713 (Secure destruction of confidential material) – indicates that the company has demonstrated that they dispose of confidential material compliantly.
These accreditations should usually be displayed clearly on the ITAD provider’s website, and they should be able to share copies of certificates on request, if they are not already downloadable from the website.
The correct processes
Under GDPR, you are required to have a contract or Service Level Agreement (SLA) with a third-party data processor (in this case, an ITAD). Without this documentation in place, which clearly states responsibilities and liabilities and is signed by both parties, you will be in breach of GDPR if you proceed to allow the company to process your data. And yes – data erasure and destruction counts as data processing. When engaging with a prospective ITAD partner, you should ensure that this is part of their process, and that they are willing and able to get this in place before you proceed with any collections of kit. Ideally, the company should advertise and explain this process clearly on their website, either as part of the main text or in terms and conditions. For more of an idea of what a document like this should look like, you can find ours here.
After you have been on-boarded as a customer of the ITAD business, and the first collection has taken place, they should be able to offer you relevant documentation to show how and when kit (and any data) was processed. You are required to hold this documentation under GDPR, and may be asked to produce it in the event of an audit. As with the contract/SLA, this process should ideally be explained clearly on the company’s website, or they should be able to confirm it when asked. Don’t proceed with the company until they have confirmed that they can offer this – you don’t want to be in a position where they’ve already processed your kit and you have no record of it!
For additional peace of mind, look out for mentions of the data erasure software your potential ITAD partner uses. While there are a number of solutions on the market, software like Blancco is a leading platform in the space, and investment in the software demonstrates that the organisation can erase data compliantly and securely, as well as provide the necessary audit trail.
An environmentally-conscious approach
As you are engaging in recycling your IT assets, you want to make sure that any components and constituent parts are recycled responsibly. When you’ve gone to the effort of engaging with a recycling partner and disposing of it in what you thought was a responsible manner, the last thing you want is your kit ending up on a landfill site, releasing harmful chemicals into the environment as it’s broken down. A good indicator that an ITAD company approaches recycling responsibly is another certification – 14001 (Environmental management). This demonstrates that they have processes in place to manage their environmental responsibilities and have taken steps to make their operations more sustainable.
Although not a formal certification, some ITAD operators will operate a zero landfill policy, meaning – you guessed it – they don’t send anything to landfill. This means that even when broken down to its constituent parts, the kit is still completely recycled and/or reused. This is another good indicator that the company takes the environmental impact of IT asset disposal seriously.
The right fit
Ultimately, with all of the above boxes ticked, it’s about finding the company which will be the right fit for you. XPO are a friendly and experienced ITAD business with a flexible approach to everything we do. We hold the 14001, 27001, BS EN 15713 and ADISA certifications. If you’d like to discuss partnering with us, get in touch, and we can talk you through our process and assure you we can dispose of your end-of-life kit securely.