With the IT Asset Disposal (ITAD) industry still in its infancy and with no regulations or standards for IT Asset management, companies should be extremely cautious when appointing asset disposal service providers.
Even more concerning is that ITAD will remain unregulated because the Protection of Personal Information (PoPI) Act has been postponed pending the appointment of a regulator. The closest regulation measures is the code of ethics bestowed on members of the eWaste Association of South Africa.
Xperien CEO Wale Arewa, from a local IT Asset Disposal (ITAD) specialist, says the data protection law only states that a system should be implemented and updated according to best practices. “But what are these best practices? Service providers can offer what they like and claim it as best practice because ITAD is not an accredited profession in South Africa.”
He warns that liability for protecting one’s data may be transferable, but protection of one’s reputation is not. “We have around 50 operators in the industry offering ITAD services, they range from one-man bands to managers supplying after hour services to their companies, printer repair and service companies, scrap metal dealers, eWaste consultants, removals contractors and leasing companies offering ITAD services.”
Arewa says there are few companies that offer ITAD as a core function. “So what can you expect from a professional service provider and how transparent are they? One would at least expect a reporting system and immediate access to information such as assets already disposed, asset values, data destruction certificates, environmental disposal certificates and service costs.”
Reputable asset disposal service providers should develop effective solutions to address everyday challenges beginning with the risks associated with data loss. Handover of retired equipment should be immediate to avoid inevitable loss that occurs in IT storerooms. Furthermore, secure reverse logistics with a chain of custody should be provided for each item containing a hard drive and daily trend reporting must be included so that undesirable trends can be identified before they become critical.
Ideally, there should be a project management system that offers the following:
- Develop a secure chain of custody for the assets
- Minimise storage to prevent shortages
- Call centre to schedule hardware collection
- Secure transportation
- Onsite data elimination
- Mobile hard drive destruction
- Data destruction compliance certificates
- eWaste disposal compliance certificates
- Asset buyback
- Trending reporting
- Audit trail
“If your service provider can deliver all this with clear and transparent charges, you are on the right track. However, if you don’t have a service provide that understands that data loss may lead to reputational loss, you may want to establish whether your service provider is an accredited professional,” he concludes.