Most executives have very little or no idea when it comes to IT asset disposal (ITAD) or the dire consequences the Protection of Personal Information Act 2013 (PoPI) could have on them.
The PoPI Act is awaiting an implementation date but, when in effect, it will hold organisations liable for the safety of their information. Companies could face massive fines up to R10-million, civil claims, and reputational damage claims, if they fail to upgrade information technology security systems ahead of the implementation of the Act.
The successful adoption of this Act will depend on a comprehensive understanding of the digital aspect of the new laws. Companies will be forced to change their processes to ensure that the personal information and data they collect is protected.
Not only is the introduction of mandatory protection of personal data a huge challenge for companies, but now organisations are being prompted to rethink how they approach the reuse, recycling or recovery of their e-waste.
In addition, the National Environmental Waste Management Act 2008 (NEMWA 2008) and the Consumer Protection Act 68 of 2008 (CPA) also have a bearing on sound IT asset disposal.
Xperien CEO Wale Arewa says they are involved in systems analysis to determine what IT resources are required for the organisations and they manage multimillion-rand procurement budgets to maximise return on investment (ROI). “Considering that the largest budget is often allocated to maintenance and support, they are prudent in selecting partners to implement maximum uptime.”
Arewa explains that auditability is paramount to maintaining this control and also provides the necessary feedback that will reduce costs, andshortages, and negate the whole compliance process. “For example, if a hard drive is lost during transportation, it may contain the personal information of thousands of clients or employees. The loss of personal information could be detrimental to any business, this is why it is so important to be fully compliant.”
Arewa also warns that liability for protecting data may be transferable, but protection of reputation is not. “We have around 50 operators in the industry offering ITAD services; they range from one-man bands to managers supplying after-hours services to their companies, printer repair and service companies, scrap metal dealers, e-waste consultants, removals contractors and leasing companies offering ITAD services.”
He advises customers to offset the cost of a secure IT asset disposition programme by realising its potential savings. “How? By retiring your technology assets wisely. Find yourself a third-party specialist with deep experience in secure IT asset disposition.”
However, Arewa cautions that there are few companies that offer ITAD as a core function.
“This trusted partner can help you find the metrics to convey a secure asset disposition plan’s ROI to budget-minded superiors. Moreover, once the job is under way, your partner will provide complete documentation of the disposal process. You’ll rest assured that security regulations are being met,” he explains.
Reputable asset disposal service providers should develop effective solutions to address everyday challenges, beginning with the risks associated with data loss. Handover of retired equipment should be immediate to avoid the inevitable loss that occurs in IT storerooms. Furthermore, secure reverse logistics with a chain of custody should be provided for each item containing a hard drive and daily trend reporting must be included so that undesirable trends can be identified before they become critical.
Ideally, there should be a project management system that offers the following:
• Develop a secure chain of custody for the assets
• Minimise storage to prevent shortages
• Call centre to schedule hardware collection
• Secure transportation
• On-site data elimination
• Mobile hard drive destruction
• Data destruction compliance certificates
• E-waste disposal compliance certificates
• Asset buy-back
• Trending reporting
• Audit trail
“If your service provider can deliver all this with clear and transparent charges, you are on the right track. However, if you don’t have a service provider that understands that data loss may lead to reputational loss, you may want to establish whether your service provider is an accredited professional.