There are approximately 1000 IT disposal organisations throughout the UK, most of which were established after the WEEE regulations came into law in 2007.
How much there is to consider when disposing of your redundant IT hardware is often overlooked, especially after the implementation of the new GDPR rules in May 2018.
Below we have put together an essential series of questions you need to ask when the time for IT disposal comes. It is often easy to identify whether an organisation is providing a consistently high-quality, compliant service.
Don’t let yourself be fooled by a flashy website
A professional website can easily disguise an organisation with many flaws. When you are responsible for disposing of your company’s IT hardware, it is critical that you know who you are actually dealing with, where they are operating from and how they do it. Attention to detail on websites can easily uncover who is professional and who isn’t.
What accreditations does the organisation hold?
The standards a company complies with, along with the accreditations it holds, can indicate how professional and well-directed a setup it is. Accreditations to look out for include but are not limited to: UKAS 14001, UKAS 9001, UKAS 27001, UKAS 18001, UKAS 50001, UKAS 22301, ISO 39001, Investors in People, BS 15713 and BS 7858. Non-UKAS certifications are worthless; accreditors for non-UKAS standards don’t usually even attend the companies’ premises.
What does the company’s background history look like?
How a disposal company has acted in the past usually shows you how they will act in the future. Ways of researching history can be via online reviews, requesting references from similar organisations to your own, performing a financial background check etc.
Who are the key staff members leading the organisation and what knowledge / skills do they possess?
It is good practice to know who exactly is running the organisation, what motivates them, what professional skills they have, what experience and knowledge they have and what risk assessments they undertake.
Can you visit their premises and see who exactly you are dealing with?
Many IT disposal companies are operating underneath the umbrella of their website, and a visit to their premises can usually uncover a multitude of sins. If you cannot get a good, genuine impression from their website through videos and interviews, it is best practice to visit their premises. If a premises viewing is denied, they are certainly to be avoided.
Do they use their own vehicles and drivers with no third parties?
The risk of your data being misplaced or stolen is at its greatest during transportation, which is why it is imperative that third parties aren’t used for IT disposal logistics. Key things to look out for after you have determined whether they are using their own logistics team: do they incorporate data security training into logistics, have they undertaken a data security logistics risk assessment, what background checks do they do on their collection team, do their vehicles have solid sides and bulkheads / tracking / additional security locks / sign-written vehicles etc.
Does the IT recycling company possess chemical safety experts?
A good portion of IT hardware waste is classed as hazardous, which can put the environment and people’s health & safety at risk if not treated and handled correctly. This is not an exhaustive list, but such items include CRT monitors containing lead, LCD monitors containing arsenic and mercury, batteries, UPS systems containing batteries, vehicle diagnostic computers containing various oils etc. It is critical for any IT recycling organisation to have among its employees a competent member of staff with chemical safety training and knowledge who can prevent environmental and health & safety incidents.
Is data security and security related training an integral part of their service?
As identified in data security risk assessments, there are hundreds of potential threats when disposing of IT hardware. Using a company that takes data security seriously is very important. Ensure you question their security practices, for example: are they utilising all available security measures, have they undertaken an in-depth security risk assessment, do they list all their security measures, are they ISO 27001 UKAS registered, are you able to visit their premises and see what their logistics system looks like, and what security training do they provide their staff with?
Does the organisation hold all applicable environmental licences?
It is required by law that any IT recycling organisation holds the correct licences and permits for undertaking such a service. Essential licences include a waste carriers licence for transportation and an environmental permit for processing the waste at their site.
Does the organisation know which devices data is stored on?
Data is stored in hundreds of other device types on top of simple hard drives. Types of hardware that contain data include POS systems, security code generators, thin clients, printers, photocopiers, routers, firewalls, switches, VPNs, tape drives, PDAs, mobile phones, fax machines, AV equipment etc. It requires a large amount of specialist knowledge to ensure all such device types are data sanitized safely. Ensure you check over their data sanitization capability statement.
How does the organisation destroy data?
Does the organisation have tried and tested / certified data wiping and destruction machinery (e.g. crushers and shredders), and does such machinery get audited regularly to ensure it is continually meeting the required standards? Ask to be talked through what it does and how it does it. Ask to see their data sanitization capability statement.
Do they offer onsite data destruction?
The risk of misplacing, losing or even having your data stolen is at its greatest when it is being transported away from your site. If the organisation undertaking such a task hasn’t taken all appropriate security measures, this can easily result in a disaster for you. If deemed necessary for extra peace of mind, you can request onsite data destruction via either degaussing, data wiping, shredding, crushing, label / reference removal or physical destruction. Before you proceed, ensure you confirm exactly what the onsite data destruction machinery is and how the destruction is carried out, along with how regularly the machinery is checked and certified as compliant.
Does the company provide all applicable certificates?
Certificates you should expect include: GDPR Agreement, WTN (waste transfer note), HWCN (hazardous waste consignment note), DDC (data destruction certificate) and an Asset Report. Ask to see examples of what you will receive and when. Are the examples given compliant with all relevant legislation?
Does the IT disposal organisation offer IT collection / asset tracking?
Not all IT recycling companies are able to track IT collections / assets through their system. Without such a professional system, it is easy for IT collections to go missing with no explanation as to where they have gone or who made contact last. It is important to ensure your IT recycler offers this as part of their service. Ensure you confirm whether the service you choose tracks IT collections as a whole or as individual assets (more time consuming / costly). Companies offer different kinds of services related to asset / collection tracking with different applicable costs.
Are payments made either way for the service?
Before engaging in a service it is important to establish if you will have to pay or if there will be any rebates earned from residual value extraction from your redundant IT equipment. Some companies offer a free service, some charge and some offer to remarket your equipment and give you a portion of the residual value.