Pillars of a Successful Global ITAD Program

By Sean Magann

When a device is upgraded, replaced or no longer needed, IT managers play a critical role in ensuring data destruction and legislative compliance. It is important to have a strong plan in place so that when IT assets are moved, packaged or transported, there is no chance for any gaps in security.

“ITAD is the last stage [of the ITAM process] and too often becomes an afterthought; a “necessary evil” that carries with it significant risks without a thorough, detailed, end-to-end process that is consistently executed throughout your enterprise,” noted Gartner, Inc. in the Gartner Market Guide for IT Asset Disposition, July 26, 2018.

Treating ITAD as an afterthought, without proper planning and budgeting, can leave companies in a vulnerable position and open the door to shortcuts and bad decisions. Residual value of retired IT assets can offset overall disposition costs, but a plan needs to be in place to ensure disposition costs (including data destruction) are properly funded.

What Does Success Look Like?

Companies we have worked with will typically seek a combination of four things when managing retired IT assets and electronics:

Compliance

Whether or not a company is publicly traded, or operates in a highly regulated industry, it will be important to have detailed audit trails that document how IT assets are disposed of and how data is systematically destroyed.

Defined and repeatable processes, audit trails, standardized processing of equipment and certificates of data destruction have become mainstays in successful ITAD programs. This standardization ensures that companies can demonstrate data has been safeguarded and destroyed in a systematic and consistent manner, compliant with required legislation.

Data Security

Many companies require that all digital data be destroyed while assets are still in their custody. This eliminates the small risk of devices getting lost in transit. If instead data is destroyed at a vendor location, having a secure and defined chain of custody as the data bearing asset is moved from the company’s location to a secure facility is critical.

The importance of a standardized and documented process cannot be overstated. Questions about data breaches from retired IT assets seldom surface immediately. If a stray hard drive with data is discovered five years down the road, the key to minimizing liability will be the company’s ability to demonstrate that it took prudent precautions when the asset was retired and disposed of. Being able to produce documented processes and proof that these processes were consistently followed will be important deciding factors. Certificates of data destruction and consistent audit trails are important proof points.

Value Recovery

In today’s market, there is a fee for most recycling services. The value of recovered precious metals is not high enough to offset service charges. If assets are functioning and can be resold instead of recycled, it is possible to offset transportation and data destruction costs through the resale of assets.

Variables that will impact final program structure include:

  • Where assets are located
  • Number, type, age and condition of assets
  • Asset tracking and reporting requirements
  • Data destruction requirements
  • Support services – account management and technical services

Sustainability

Reusing IT assets decreases the need to manufacture new products. Recycling broken and obsolete electronics facilitates the recovery of commodity materials, which can be used to make next generation products. These closed-loop approaches are consistent with the circular economy model.

Bringing it all together

Global companies prioritize data security and compliance goals. Many companies have had their brand reputation damaged from news reports on data breaches and the illegal or irresponsible dumping of e-waste and hazardous waste. As much as possible, global companies seek to operate to a standardized program, across all locations, with recognition that regional differences need to be accommodated.

Developing a Global Plan

Change has to be championed from a centralized point. Disposing of assets has to be consistent with corporate data security policies and regulatory requirements. Centralized guidance with decentralized control is key for a truly global program.

Start with a list

Identify the approximate number of assets, by country, by age, by type. Which assets are data bearing and need special handling? Any vendor will need to understand where assets are located and how data-bearing assets will be handled, and will need basic information on asset condition and age to determine if assets can be reused or if they will be recycled. Some companies have detailed asset information, others have more basic information.

TIP: Clients typically decide on some type of asset classification to simplify handling and logistics. Some clients classify assets as data bearing or non-data bearing. Other clients designate assets based on final disposition, such as reuse or recycling.

A few samples of lists we typically see are shown below.

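SPECIFIC ASSET LIST

| Country | City | Equipment | Make | Model | Serial No. | Asset tag | RAM | Hard Drive | Yr. Mfg. | Condition |
|---|---|---|---|---|---|---|---|---|---|---|
| UK | Ashford | Desktop | Dell | 745 | 123HJ34 | 1234 | 4G | 500G | 2012 | Good |
| UK | Ashford | Desktop | Dell | 745 | 123KJ34 | 4567 | 2G | 500G | 2012 | Poor |

LESS SPECIFIC ASSET LIST

| Country | City | Make | Model | Type | Quantity |
|---|---|---|---|---|---|
| UK | Ashford | Dell | 745 | Desktop | 44 |
| Germany | Frankfurt | Dell | GX620 | Laptop | 80 |

GENERAL ASSET LIST

| Country | City | Type | Quantity | Reusable | Need Repair | Recycle |
|---|---|---|---|---|---|---|
| UK | Ashford | Desktop | 50 | 20 | 20 | 10 |
| UK | Ashford | Laptop | 80 | 40 | 20 | 20 |
| UK | Ashford | Misc Parts | 2 pallets | All | | |

VERY GENERAL ASSET LIST

| Country | City | Type | Quantity |
|---|---|---|---|
| UK | Ashford | Desktop | 50 |
| UK | Ashford | Laptop | 80 |
| UK | Ashford | Misc Parts | 2 pallets |

High-Level Goals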

1. Understand how regulatory requirements and corporate compliance impact ITAD programs. These will impact the company’s decision on how data will be destroyed and how assets will need to be tracked (by asset, by pallet, by shipment).

  • What data privacy regulations or industry legislation apply to the company?
  • Do any of the company’s risk management policies apply to the ITAD program? Should they?
  • What is the company’s data privacy policy? Does it specifically address disposal of data bearing assets? If not, should it?
  • What can be standardized globally and what still needs to be under local control?

2. What information will the company want each location to capture and report? This will impact financial reporting, asset lists (make, model, serial number, asset tags), final disposition of assets, confirmation that data has been destroyed, and audit trails, should they be needed for any future litigation.

TIP: Management might consider ranking each location on a maturity and risk curve. Have best practices been adopted? Can exceptions be made to account for local differences? Which locations put the organization at a high risk?

3. Determine how the program will be budgeted. This will be a question asked by locations with independent profit/loss responsibilities.

Initial Steps

4. Develop draft processes and guidelines for how assets should be handled.

  • What political battles will be presented and where? How can these differences be managed?
  • How can these processes ensure all locations meet corporate policies?

5. Identify a responsible person at each location.
6. Allow initial review of processes and guidelines by responsible person at each location.

Vendor Selection

7. Either through research or RFI, establish a short list of qualified vendors. [Reference Gartner List]
8. Through the RFP process, select a preferred vendor. [Reference RFP template]

Prioritize which sites first

9. Pilot at single location and refine processes. Finalize reporting requirements.
10. Finalize processes and guidelines.
11. Identify locations/countries that are most at risk for not being able to account for retired assets. Identify locations/countries that are most susceptible for data risks.
12. Develop a staged localized implementation plan. This may be based on what locations represent a high risk to the company, who is a willing participant, if a location is going through a refresh or decommissioning project, or on a country-by-country basis.

Roll out to other locations

13. Adjust for local conditions as appropriate. Legislation will vary from country to country.
14. Set goals for measurement.
15. Reinforce the positive outcomes as a result of the change.
16. Communicate processes and why they matter.
17. Offer training and coaching as needed.
18. Remind locations of penalties for non-compliance and that shortcuts are not acceptable.
19. Review reporting and confirm there is a system in place that provides documentation and audit trails if there is ever a need to validate your program.
20. Understand sustainability or carbon emission reduction goals.
21. Understand how the ITAD program can yield positive sustainability results.

Continuous improvement

22. The program must address continuous improvement. ITAD managers must challenge locations and selected vendors to drive innovation and improvements in their ITAD program.

What workflow steps make sense: initiate, review, approve, implement?

Finding the Right Vendor 

In addition to realigning internal resources and processes, managers must also work with a vendor capable of supporting an integrated global ITAD program. Considerations might include:

Compliance

  • What reporting is provided that supports audit trail requirements?
  • Do they have the certifications that the company deems relevant in providing a service for your company? (Certifications typically focus on environmental, safety, security and systematic handling of assets.)
  • What business continuity assurances do they offer?
  • What protections do they offer? (Pollution insurance? Cyber insurance?)
  • How do they handle transfer of ownership?
  • Will the IT vendor securely handle IT assets to ensure privacy and regulatory compliance?
  • Are vendor’s operations transparent and verifiable? (Do they allow client audits? Facility inspections?)
  • Does the vendor provide complete reporting and is it easy to access the information? What reporting can they provide to support chain-of-custody demonstrability?

Compliance and Data Security

  • Do they have written and defined processes, procedures and guidelines in place to ensure safe and secure handling of your assets?
  • How do they ensure a secure chain of custody when handling assets?
  • What security measures are implemented at their processing facilities? During transport? How do they ensure chain-of-custody of assets?
  • When assets leave my facility, am I confident that the company managing my assets will protect my data and my corporate reputation and brand?

Data Security

  • How do they handle data destruction and physical handling of storage devices?
  • Are asset handling processes secure and clearly defined by my vendor to ensure data security? Can they meet my corporate data security requirements?
  • What types of data storage media can they destroy? How?
  • How do they prove all data is destroyed?

Data Security/Value Recovery

  • How does the vendor manage transportation to ensure security yet balance cost considerations?

Value Recovery

  • Do they support reuse/resale of IT assets?
  • Do they support recycling at their owned and operated facilities?
  • Will they sell all assets in a timely manner and at an acceptable price point?

Sustainability

  • What is the vendor’s record in proactively participating in the circular economy and helping companies achieve sustainability goals?
  • Is environmental responsibility a driving force with my vendor? Does the use of subcontractors compromise my vendor’s accountability?
  • Am I confident that hazardous waste is managed in an environmentally compliant manner?

Global

  • Does the vendor have the capability to support all/most of the company’s locations? Seldom will you find a vendor whose footprint mirrors a company’s locations exactly. Do certain vendor capabilities better align to your locations? How will they support your locations if there is no nearby facility?
  • Would the company be better served having regional programs or a single vendor for each location? This question will be dependent on footprint and corporate risk management.
  • What experience do they have in managing global accounts? Public companies? How does their size compare to the company’s? Do they have a proven track record? The last five years have seen consolidation of vendors and many going out of business.
  • Can the vendor ensure all assets are handled consistent with country regulations governing data destruction and e-waste disposal? Can they support billing and tax obligations per country?
  • Does the vendor have reliable logistics support to safely pick up and transport assets?

Service

  • Is the vendor able to properly handle the range of IT assets and electronics that the company uses?
  • Are services and logistics convenient?
  • Can the vendor provide online access for order entry, order processing and final reports?

Most global companies will go through a formalized ITAD vendor selection process. This can help companies manage an ITAD program that can ensure secure data destruction, environmental responsibility and maximum value recovery.

About the Author

Sean Magann is the Global Vice President of Sales & Marketing at Sims Recycling Solutions.