With the imminent appointment of the Information Regulator for the Protection of Personal Information Act (PoPI), companies urgently need to upgrade their information technology security systems ahead of the implementation of the Act.
Business executives responsible for IT asset management need to understand the principles of IT asset disposal (ITAD) and they need to consider regulatory compliance and the protection of company information. They will soon face massive fines, civil claims and reputational damage if they fail to comply.
Local asset disposal specialist Xperien CEO Wale Arewa warns that companies should be extremely cautious when appointing asset disposal service providers. “Very few companies offer ITAD as a core function. There are about 50 operators in the industry offering ITAD services, but they range from scrap metal dealers, printer repair and service companies to managers supplying after-hours services and moonlighting to their companies.”
Arewa says that until now, the closest regulation for asset disposal has been the code of ethics bestowed on members of the eWaste Association of South Africa. “ITAD will soon be regulated by the Protection of Personal Information (PoPI) Act.”
“What could one expect from a professional service provider and how transparent are they? You would at least expect a reporting system and immediate access to information such as assets already disposed, asset values, data destruction certificates, environmental disposal certificates and service costs,” he explains.
Reputable asset disposal service providers should develop effective solutions to address everyday challenges, beginning with the risks associated with data loss. Handover of retired equipment should be immediate to avoid the inevitable loss that occurs in IT storerooms.
Furthermore, secure reverse logistics with a chain of custody should be provided for each item containing a hard drive, and daily trend reporting must be included so that undesirable trends can be identified before they become critical.
Asset disposal service providers should offer a secure chain of custody for the assets, have a call centre to schedule hardware collection, and provide packaging and secure transportation. They should also provide onsite data elimination and mobile hard drive destruction, and issue data destruction and eWaste disposal compliance certificates.
“They should also offer asset buybacks and also provide trend reporting with a detailed audit trail. If your service provider can deliver all this with clear and transparent charges, you are on the right track,” he concludes.