Gone are the days when you could call to have your electronics collected for recycling without much thought to data breach prevention and penalties for noncompliance. Increasingly comprehensive e-waste and data security laws have continued to make companies liable for their obsolete devices and the data contained on those devices long after they have been discarded.
The range and complexity of these laws, combined with penalties for noncompliance, have led many companies to rely on the resources and expertise of outside vendors to maneuver through the maze of local, regional and international regulations. Not surprisingly, with increased risk involved in managing data and evolving regulatory requirements, such as the EU’s new General Data Protection Regulation (GDPR), most companies outsource their IT asset disposition programs.
If your company chooses to partner with a vendor to remarket and recycle its outdated technology, asking these four important questions will help you navigate the selection process.
Is the recycler certified?
Responsible IT asset disposition hinges on two principles: knowing who will handle your old electronics and knowing how they will be handled. Certified recyclers are dedicated to conforming to recycling industry best practices that regulate environmental and worker health and safety management systems.
Certified recyclers are also committed to carrying out the latest standards that regulate information destruction, and the secure handling, warehousing and transportation of electronics. Selecting a certified recycler can minimize the irregularities in environmental protection and worker safety that can result in potential liability concerns for companies sending equipment to be recycled.
Can you visit the recycler’s facility?
While certification delivers assurances that old equipment will be processed in a manner that protects employees and the environment from harm, certification should not be the only yardstick by which you measure a possible recycling partner. Conduct a site visit to see a facility’s size, determine how hazardous wastes are managed, observe equipment teardown procedures, and examine the equipment used to shred and separate e-waste. Also, evaluate the physical security measures in use and verify that employees have undergone background screening.
Most recyclers depend on downstream vendors to completely process electronic waste. So during this tour, ask about the recycler’s downstream partners and find out if the recycler conducts regular, on-site audits to ensure these vendors handle materials according to the same environmental, safety and security standards as the primary recycler.
Can the recycler guarantee data security?
While in use, computers and other data-bearing media are subject to clearly defined security procedures that shield the equipment and the data residing on that equipment from intrusion, loss and unauthorized access. Sometimes when computers are marked for recycling they fall off the IT department’s radar even though they may still contain readily accessible data that could leave a company susceptible to a data breach. But once a data custodian, always a data custodian, so regardless of a company’s internal data destruction protocols, it’s essential to locate an electronics recycler that takes data security as seriously as you do.
Find a recycler that is certified and offers compliant data destruction and validation of that destruction. This is especially important if your company’s IT assets will be resold or redeployed. This process is only as good as the technicians performing it, so confirm that a recycler has documented policies that cover employee training on the use and calibration of data destruction software and equipment.
Also, understand which data destruction methods will best meet your needs. Reselling IT assets? Data sanitization removes data and allows hard drives to be reused. Hard drives not suitable for reuse? Degaussing and/or physical destruction destroys data and renders hard drives useless.
Additional security also comes from choosing a recycler that owns its facilities and offers an unbroken chain of custody from collection, through transportation, to destruction of old electronics. The farther equipment containing sensitive data moves downstream, the tougher it becomes to protect that data. For this reason, it is essential to establish from the beginning who will have access to your equipment and how it will be handled from the time it is picked up until the time it is processed. When a recycler is able to provide a complete range of disposition services internally, it eliminates reliance on subcontractors to process a company’s old equipment, increasing accountability and simplifying tracking and reporting.
Can the recycler protect you if something goes wrong?
A good indicator of a recycler’s ability to do this is evidence of general and excess liability insurance as well as pollution liability and cyber security insurance. An insured recycler is able to manage the potential financial risks associated with recycling electronic waste and to protect you from them.
With profits, privacy and the planet on the line, asking these essential questions will get at the core of how a recycler does business and take the guesswork out of choosing an IT asset disposition company capable of responsibly processing your company’s end-of-life electronics.
Last updated: April 26, 2018