As businesses in varying industries, including waste and recycling, are introduced to new technologies, they are challenged with disposing old IT assets when refurbishing or recycling is not an option. These companies must do so not just in an environmentally friendly way but also while protecting the data stored on those machines.

Another challenge includes complying with regulations like the new California Consumer Privacy Act of 2018 and the European Union’s General Data Protection Rules (GDPR). Both emphasize the importance of access and transparency and include opt-in and opt-out provisions. The GDPR, in contrast, has broader reach and is more detailed in implementation requirements, according to Mary Couse, marketing communications manager for Ingram Micro Commerce & Lifecycle Services.

The California Consumer Privacy Act states that consumers have the right to know what personal information (PI) a business collects about them, where it was acquired, what it’s be using for and whether it may be disclosed or sold. The GDPR is a comprehensive set of rules around how data is collected, secured, managed, processed, retained and deleted, says Couse.

Managing asset disposition in compliance with these and other regulations can be a challenge for waste and recycling companies. That’s where companies like Irvine, Calif.-based Ingram Micro Commerce & Lifecycle Services’ ITAD group, a worldwide provider of enterprise IT asset disposition (ITAD), lifecycle support, onsite data destruction and e-waste recycling services, may be beneficial.

The company aims to reduce the risk, cost and complexity associated with securely managing IT assets throughout their lifecycle in compliance with environmental and data security regulations. With the ability to provide service in a portfolio of more than 80 countries, Ingram manages the asset chain-of-custody to provide secure and sustainable reverse logistics solutions for more than 1,000 customer organizations.

Waste360 recently sat down with Couse to discuss data security and IT asset disposition and its potential benefits to the waste and recycling industry.

Waste360: What happens when a company needs to replace or recycle technology assets that sensitive data is stored on?

Mary Couse: It is essential that assets removed from service have all resident data promptly destroyed. Assets must be secured from the moment they are taken out of service until the data is eradicated, either before it leaves the facility or at an ITAD provider’s facility after secure transport.

Clients in regulated industries often choose to have sensitive data destroyed before it leaves their facilities by using our Onsite Data Destruction Services. We can erase, degauss, physically shred or pulverize media devices while the client watches, then securely transport them for further processing at an Ingram Micro Processing Center.

Regardless of where the actual destruction processes take place, certified IT asset disposition providers use proven, internationally recognized erasure methods, products and protocols and provide a Certificate of Data Destruction tied to the serial number of each device, whether that device is recycled or remarketed.

Waste360: How can those companies ensure that the data is handled appropriately to meet the current requirements?

Mary Couse: To ensure all data security protocols and requirements are met, most companies choose to contract with an experienced, certified IT asset disposition provider—one who (once again) uses proven, internationally recognized erasure products and protocols and one who will provide a Certificate of Data Destruction tied to the serial number of each device, whether that device is recycled or remarketed.

Waste360: How can companies like Ingram Micro help fill in the gaps on how they stay compliant with the new laws as they begin to replace or recycle their old technology?

Mary Couse: One of the many benefits our ITAD group provides to companies is the assurance of compliance with all laws, regulations and standards surrounding data destruction and recycling. We do this by maintaining specific control systems, quality management systems, information security management systems and environmental management systems to ensure compliance with data security and environmental laws, regulations and best practices. These systems are regularly audited by third-party agencies.

Waste360: How do these new laws or regulations, like the California Consumer Privacy Act and the GDPR, affect IT asset disposition?

Mary Couse: When it comes to removing assets from service, prompt data erasure is essential to eliminate any possibility of a breach. To sanitize assets and be GDPR compliant, you must use methods and follow processes that have been shown to be effective, and you must be able to provide formal, written documentation to regulators to confirm data has been erased from all devices.

The bar is lower for the California Consumer Privacy Act, which says a business must have reasonable security procedure and practices but doesn’t say what those would be or how they should be measured.

Without a codified standard, businesses should follow industry best practices, which, for end-of-life processing, includes adherence to existing certifications like ISO 27001, particularly when held by an ITAD provider who classifies personal data as an information security asset and keeps records of all processing activities.

Waste360: How does this affect the waste and recycling industry?

Mary Couse: We route assets that have no further value and cannot be refurbished and resold to our in-house demanufacturing operations. Once IT equipment is disassembled, the resulting materials are aggregated and sent to established, audited downstream recycling partners for processing back to feedstock.

The data security portion of the ITAD process takes place before demanufacture, so GDPR and the California Consumer Privacy Act have no impact on downstream e-waste recycling companies.

We route aggregated materials from our in-house demanufacturing operations to a select portfolio of vetted downstream recycling partners for further processing.

As a certified e-Stewards Recycler in the U.S. and an R2-certified recycler outside of the U.S., our processes and downstream partners are audited at least annually to ensure ethical and compliant recycling.

Ingram Micro Commerce & Lifecycle Services’ ITAD group complies with all global standards, laws, regulations and best practices; strictly controls all exports of electronics equipment, working or not; actively monitors the downstream disposition of all hazardous waste throughout the supply chain; and provides full downstream transparency and auditability.