The rise in high-profile data security breaches, along with the impending GDPR legislation, continues to highlight the severity of a data breach and emphasises the need to ensure you are protected against the risk of a potential breach. Many data breaches occur through incorrect disposal, so it is crucial that you use an ITAD (IT Asset Disposal company) that will guarantee the complete destruction of your data.
If you google IT asset disposal services you will get approximately 600 organisations, in the UK alone, that claim to provide variations of on and off site disposal. This makes it something of a challenge to find the right partner and avoid the wrong one. With so many ITAD companies claiming to offer ‘similar’ processes it can be difficult to differentiate the services offered. That’s why it’s crucial to ask the right questions to find out if you are choosing the right IT Disposal Company.
So how do you choose which ITAD to use, and if you are already working with an ITAD, how confident are you in their current ICT disposal process?
Let us guide you with some of the key questions you should ask an ITAD before trusting them with your data.
1. What is your experience in the market?
Check when the ITAD was established and whether they have a successful track record in providing secure IT disposal services. Find out who their customers are and what their customers say about them. The ITAD should also be able to provide you with details of how many items they have processed and/or wiped each year, giving you an idea of the size of the operation they run.
2. What security measures do you take throughout the disposal process?
With the consequences of a security breach being so detrimental, you should choose an ITAD that has security at the forefront of its business. Ask about the security at their facilities so you can be confident that the process is being carried out in a secure environment. Do they have 24/7 manned security on site, a 24/7 monitored alarm system, secure perimeter fencing and secured/locked-down entrances? Will they let you visit the facilities? What about the people in the company: are their employees fully vetted? What are their staff training procedures? Are the staff security cleared? What security procedures are in place during collections? Do they use unmarked vehicles? Are the vehicles GPS tracked and geo-fenced? Are the vehicles manned at all times?
3. What software / hardware do you use to wipe/destroy disks?
When it comes to ensuring the data on redundant media is destroyed, there are a number of different options that can be taken into consideration, including degaussing, shredding and erasure. This is one of the most fundamental questions to ask, because if the data is not 100% destroyed then you are opening yourself up to a potential data breach. Ask the ITAD whether their process for wiping and shredding media is carried out in line with the requirements of CESG HMG IA Standard No. 5 Secure Sanitisation.
4. How do you track the equipment throughout the process and how do you report on it?
Do you know what happens to your IT equipment once you pass it into the control of your ITAD partner? Be sure to use an ITAD partner who provides you with comprehensive audit trails, so you know where your equipment is at all times. The audit report is evidence that they have complied with regulations by using asset tracking software to provide complete end-to-end visibility of each individual piece of equipment throughout the service process. Ask what item information they record, such as item type, make/model and serial number / asset tag. Will they provide you with proof that the data has been permanently erased, in the form of reports generated by the CESG-approved eradication software used? And if the data has been destroyed through shredding, will they issue you with a Certificate of Destruction?
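The audit trail and the proof of sanitisation are only useful if you actually reconcile them against your own record of what was collected. The following is an added example (not code from the original article or from any ITAD's reporting system) that takes a collection manifest and the proof records an ITAD returns, and reports every asset that is missing proof, was reported as failed, was certified to a standard other than the one you asked for, or appears in the ITAD's records without ever having been on your manifest. The CSV layouts, column names and sample serial numbers are constructed for illustration, and the standard name is matched as a plain string, which is an assumption about how the ITAD labels its reports.

```python
"""Reconcile an IT-disposal collection manifest against the ITAD's proof of
sanitisation (erasure reports and certificates of destruction).

Added example. Record layouts and sample values are constructed; they are not
taken from any particular ITAD's reporting system.
"""
import csv
import io
from dataclasses import dataclass, field

# Constructed sample: what our asset register says left the building.
MANIFEST_CSV = """asset_tag,serial,item_type,make_model
A-1001,SN-AAA111,laptop,Dell Latitude 7490
A-1002,SN-BBB222,desktop,HP EliteDesk 800
A-1003,SN-CCC333,hdd,Seagate ST2000
A-1004,SN-DDD444,ssd,Samsung 860
"""

# Constructed sample: proof returned by the ITAD. 'method' is wipe or shred;
# 'result' is pass/fail as reported by the erasure software or destruction log.
PROOF_CSV = """serial,method,standard,result,reference
SN-AAA111,wipe,HMG IA Standard No. 5,pass,ER-2018-001
SN-BBB222,wipe,HMG IA Standard No. 5,fail,ER-2018-002
SN-CCC333,shred,HMG IA Standard No. 5,pass,COD-2018-017
SN-EEE555,shred,HMG IA Standard No. 5,pass,COD-2018-018
"""


@dataclass
class Findings:
    verified: list = field(default_factory=list)    # passing proof to the required standard
    failed: list = field(default_factory=list)      # proof exists but failed or wrong standard
    missing: list = field(default_factory=list)     # collected, but no proof returned
    unexpected: list = field(default_factory=list)  # proof for something we never sent
    duplicate: list = field(default_factory=list)   # same serial certified more than once


def load_rows(text):
    """Parse a CSV document (string) into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(manifest_rows, proof_rows, required_standard="HMG IA Standard No. 5"):
    """Match every manifest serial against the ITAD's proof records.

    Serial number is used as the join key because it is the one identifier
    both sides record independently (the asset tag is ours, the reference
    number is theirs).
    """
    f = Findings()
    manifest = {r["serial"]: r for r in manifest_rows}

    proofs = {}
    for p in proof_rows:
        if p["serial"] in proofs:
            f.duplicate.append(p["serial"])
        proofs[p["serial"]] = p

    for serial in manifest:
        p = proofs.get(serial)
        if p is None:
            f.missing.append(serial)
        elif p["result"].strip().lower() == "pass" and p["standard"] == required_standard:
            f.verified.append(serial)
        else:
            f.failed.append(serial)

    for serial in proofs:
        if serial not in manifest:
            f.unexpected.append(serial)
    return f


def gaps_closed(findings):
    """True only when every collected asset has exactly one passing proof
    and the ITAD has not certified anything we did not send."""
    return not (findings.failed or findings.missing
                or findings.unexpected or findings.duplicate)


if __name__ == "__main__":
    result = reconcile(load_rows(MANIFEST_CSV), load_rows(PROOF_CSV))
    for name in ("verified", "failed", "missing", "unexpected", "duplicate"):
        print(f"{name:10s}: {getattr(result, name)}")
    print("all gaps closed:", gaps_closed(result))
```

Run against the constructed sample, the check shows one laptop and one drive fully accounted for, one desktop whose wipe was reported as failed (it needs to be re-wiped or physically destroyed, and you should expect a second report), one SSD that left your building with no proof at all, and one serial the ITAD certified that was never on your manifest, which usually points to a labelling or tracking error on one side or the other. Each of those is a question to put back to the ITAD before you accept the job as complete.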
5. Are you registered under the relevant legislation as a carrier of controlled waste?
You need to ensure that the ITAD partner you choose is compliant with the standards required under the EU Regulation on Waste Electrical and Electronic Equipment (WEEE). Is the waste being processed at a licensed Approved Authorised Treatment Facility (AATF)? Do they hold a Waste Site Licence and a Waste Carriers Licence? You could also ask about their environmental policy: do they have, and adhere to, an environmental policy that complies with environmental legislation such as BS EN ISO 14001:2004? Are they able to tell you what percentage of material from the IT equipment they process is recovered for reuse, and provide a full audit trail of where the waste material ends up?
6. What standards and regulations do you adhere to?
The well-known ISO standards are a good starting point. Have they achieved ISO 27001 Information Security Management accreditation, verifying that they have systems in place for the secure disposal of redundant ICT and electrical equipment and the secure destruction of confidential data? Note that the ISO standards are not a substitute for industry-specific standards such as the independently assessed ADISA standard.
Is the ITAD market really as competitive as you think?
We mentioned that there are over 600 organisations that claim to provide ‘similar’ services for IT disposal. However, once you begin to ask questions about their processes, you will find that only a select few partners are able to cover all the elements mentioned. The pool of 600+ organisations is therefore narrowed down considerably, making it easier for you to decide who to use and who to trust with your data and IT disposal requirements.
Remember that you (the data controller) are responsible for your data. Should anything go wrong, no matter what stage of the process you are at, you are liable under the Data Protection Act 1998, not the ITAD partner. If you pick a partner that adheres to all of the above points, then you can have confidence and peace of mind that your data is safe and in good hands.