New act requires accredited IT asset disposal
With the imminent appointment of the Information Regulator for the Protection of Personal Information Act (PoPI), companies need urgently to upgrade their information technology security systems.
Business executives responsible for IT asset management need to understand the principles of IT asset disposal by considering regulatory compliance and the protection of company information. The enactment of PoPI will lead to fines, civil claims and reputational damage for firms failing to comply.
Xperien CEO Wale Arewa says companies should be cautious when appointing asset disposal service providers as few companies in SA offer IT asset disposal as a core function.
There are about 50 operators in the industry, but they range from scrap metal dealers and printer-repair companies to moonlighting managers.
The new act requires that companies find service providers with reporting systems and immediate access to information such as assets already disposed of, asset values, data-destruction certificates, environmental disposal certificates and service costs.
Reputable asset-disposal service providers should develop solutions to tackle challenges including the risks associated with data loss that could have detrimental effects on companies. Retired equipment should be handed over immediately to avoid the inevitable losses that occur in IT storerooms.
Secure reverse logistics with a chain of custody should be provided for each item containing a hard drive. Service providers should also supply packaging, secure transport, onsite data elimination and mobile hard drive destruction, and issue data destruction and eWaste disposal compliance certificates.
The influx of new technology creates a corresponding and often overlooked increase in decommissioned IT assets. As a result, outdated laptops, desktops, LCDs, servers and other IT equipment tend quietly to pile up in storage.
Arewa says this is a good time to schedule year-end data destruction and asset disposal to recover residual value from redundant IT equipment, which should equate to about 10% of the original purchase price for assets that are five years old.
When appointing asset disposal service providers, it is critical to check for accreditations including ISO9001, ISO14001 or membership of professional bodies such as the International Association of IT Asset Managers. A company’s liabilities are not transferable to the service provider.
Arewa says companies can offset the cost of a secure IT asset disposal programme by realising there are potential savings. Technology should be retired wisely by finding a third-party specialist with experience.
The company should provide documentation describing the disposal process.