IT Asset Disposition (ITAD) is of increasing importance to technology governance teams, including ITAM teams.
Recent high profile court cases have shown the considerable impact breaches of ITAD-related legislation can lead to, including fines, class action lawsuits, and negative reputational impact.
ITAD is also a prime example of the emerging focus area of third-party technology risk. Whilst the regulation breach may be downstream at your ITAD partner or their processors, if your e-Waste is involved you are also jointly liable. In a recent Webinar co-hosted by the ITAM Review and Dynamic Lifecycle Innovations, we discussed how third-party risk is addressed in several standards that have been developed by the ITAD industry and global standards bodies. Some of these standards are industry-specific, while others are more general and focused on quality management and environmental compliance. This article provides a quick guide to these standards. By consigning your e-Waste to an accredited partner, you add a layer of certainty and assurance to your recycling programme.
In continuous development since 2005, R2 (Responsible Recycling) is currently in its third iteration (R2v3), released in 2020. Existing R2-certified ITAD facilities will migrate to this new standard by 2023. R2 is administered by SERI, a US-based non-profit. It is developed by a multi-stakeholder team and SERI is an . Almost 1,000 facilities in 33 countries worldwide are now certified and you can search for an accredited facility here. For more on R2 see the standards library.
The National Institute for Information Destruction (NAID) provides a certification program for their members. The standard was first developed in 2000 and now over 1000 facilities are certified worldwide. The certification is developed and managed by i-Sigma, the trade association for secure information lifecycle management. As such, this standard goes beyond electronically-held information and also applies to secure document destruction. It is important to note that an organisation claiming NAID membership is not necessarily NAID AAA certified. To search for a certified facility, visit the i-Sigma website and select the “NAID AAA Certified Members” filter.
e-Stewards certification was introduced in 2009 by the Basel Action Network (BAN). The BAN was founded with the aim of improving recyclers adherence to the Basel Convention, a UN treaty governing hazardous waste movements which came into force in 1992. E-Stewards certified facilities audited annually by independent third parties. Part of e-Stewards certification requires recyclers to have an ISO 14001-compliant environmental management system in place. Over 1000 facilities are e-Stewards certified worldwide.
ADISA’s IT Asset Recovery Certification, recently updated to version 8, is a UK-developed global standard for ITAD providers. The current version of the standard is approved by the UK Information Commissioner (ICO) as a UK GDPR certification scheme. For more about the standard visit the ADISA website here.
ITAD providers provide further reassurance to customers by seeking accreditation against one or more of three global ISO standards.
ISO-9001 – Quality Management
ISO-14001 – Environmental Management
ISO-45001 – Health & Safety
The industry standards all draw on some of the requirements of these standards so they can be seen as complementary. For example, R2 & e-Stewards both have requirements around worker Health & Safety, and clearly both standards are concerned with environmental management. However, the widely adopted (over 1 million organisations worldwide) ISO-9001 standard is the one which plugs the gap somewhat in the industry-specific standards. By providing a general-purpose quality management system it ensures that performance against the standards is maintained and independently verified. Certification to these standards is renewable every three years.
Annual compliance checks are a continuous and costly affair for ITAD providers. At our recent webinar with Dynamic Lifecycle Innovations, it was estimated that per-facility costs are around $100,000 per annum. Additionally, facilities need adequate cyber and environmental liability insurance in place, with premiums typically in the range of 2% of the total cost of waste processed. For an average-sized facility that equates to an additional cost of $200,000 per year. Undoubtedly recent court cases are putting upwards pressure on these costs. For example, Morgan Stanley were fined $60m in relation to improper disposal of IT equipment in 2020, and Home Depot $28m in 2018. These are substantial fines, and likely to be much higher than the settlement costs we as IT Asset Managers might see in a software audit.
In selecting an ITAD provider it is vital that you confirm they are accredited to one or more of the standards listed in this article and that they also carry adequate insurance. As e-waste consigners, your organisation is jointly responsible for ensuring that it is processed in compliance with the Berne Convention and other standards such as WEEE.
As IT Asset Managers we may not be directly involved in selecting an ITAD provider but we are undoubtedly a key stakeholder. Having the right ITAD provider enables an ITAM team to become involved in activities of increasing importance to senior leaders such as sustainability and social value.
For further information see our free on-demand webinar.