Monday, 5 January 2015

New Year's Resolutions

Here we go again.

It is the same every year. Except last year I finally did crack smoking. So, now it’s just drink a little less, eat a bit better, stop shouting at referees (even if they are wrong and what you say is factually correct) and be a little more patient (even with idiots). Normally I have broken every single one by the end of the first week in January and I forget about it all for another year.

However, in business we have to be a little more resolute. Data security is one of those tiny business concerns which we should pay more attention to. I am most interested in the asset retirement end of things of course, but we should all pay close attention to the subject from the beginning right through to the end of life.

In truly big businesses these days, data security is a responsibility. There will be a nice little job title somewhere that encompasses it...Information Officer maybe...and that will report into a main board member to give at least a suggestion of interest at the top table. At this level, data breaches are very serious indeed, because the chances of getting named and shamed are far greater. Take the Sony stuff exposed last year: if the stolen emails had concerned Maureen from the Liverpool office and not Angelina Jolie, I doubt if it would all have stayed in the headlines for so long. Big names guarantee big publicity, good or bad, and then Genghis Khan, our beloved ICO, wades right in and decapitates someone with a very large fine. Or a Scimitar? He has one of those, right?

And big businesses are set up to do things by the book, or at least appear to. They have precise documented policies for most things and although things clearly go completely Pete Tong every once in a while they certainly know what they should be doing.

But 98% of businesses are not big. However you define an SME (the standard these days seems to be less than 250 employees and/or £11.2m turnover to be classified as medium, according to HMRC at any rate; to be considered small you are less than 50 employees with a turnover of less than £2.8m), they do not have an Information Officer. They do not have a Health and Safety Officer either or lots of other titles that are born out of regulatory diktats. Instead, someone has a role which encompasses those things. HR maybe, or facilities management. As you go down the size ladder those things will not exist, either.

Keeping up with the regulations and staying nicely compliant is not easy for a big business with the manpower to devote to the subject, so pity the poor harassed senior manager in an SME trying to make sense of things on a part time basis. It is no wonder it goes horribly wrong. But the reason data security is treated like this is our attitude to the issue.

So huge potential fines and public shaming have not forced businesses to take data seriously. What I think is happening is that a lot of well-intentioned people, from the ICO to lots of interested parties who are trying to encourage best practice, have very academic meetings discussing lots of really important things, but no one ever takes the time to sit down and tell 98% of all the businesses in this country what the hell they should be doing.

I have been the MD of an SME, admittedly with corporate ownership, but they were Swedish and it just isn’t the same. I remember the frustrations of not having simple instructions on what we were expected to actually do. You know the feeling...the rule seems to say that you have to do something really hard and severe, but when you dig into it and ask the right questions of the right people it turns out that you can work around it.

What we need is simplicity. Do this. Do not do that. So, for your convenience, I am going to simplify your asset disposition policy for you. I like simplicity. If you can tick all these boxes, you will not go far wrong. I promise. Even if you do not get eReco to help you, this is your chance to get ITAD right in 2015.

  1. Gather as much information about what you intend to dispose of as possible. In choosing a supplier, you will need to tell them this, and they in turn need this information to give you a proper estimate. Model numbers, condition, age help tremendously. A good ITAD partner will take everything including the absolute rubbish, but you want to know if you have anything of value so that you can do the best possible deal for you.
  2. If you do not have an ITAD partner already, get 3 quotes. You know this, it simply makes sense, but do remember that it is not always about price. Ask about how they do things and why.
  3. Whilst asking for a price, request an explanation of the process and any options. Remember that your data is your responsibility so you need to be sure it is kept safe, right from the moment your service partner gets involved. Options should include data erasure or destruction on site in your presence, or secure transfer to a secure facility. You should get waste transfer documentation on collection, not 30 days later. Even if you cannot get there, ask if you can visit the facility. If they do not want to show you, maybe they have something to hide?
  4. Ask about the data erasure process. There are standards. You should receive a certificate of destruction during the process. Ask about your prospective partner’s insurance cover. Get them to explain it to you. Ask what software they use and who approves it. Google it.
  5. Ask about accreditations. Ask about ISOs. In themselves, these may not mean a lot to you but there are several meaningful accreditations in this sector and a couple of no-brainer ISOs that, once you know what they are, an ITAD company should pretty obviously have.
  6. Ask about the environmental side. Does anything get sent to landfill? Does anything get sent abroad that may then end up in landfill? Will they take all your waste, or are they just going to cherry pick the stuff that has value and turn their nose up at the rest?
  7. Examine the quotations closely. If someone is offering to collect your equipment for free be sure you understand where they see the value. Not only to make sure you get some of that value but so that you can understand what costs are going to be applied before any remarketing revenue is shared with you. If they are collecting for free and not offering you any cash back, go back to points 3 and 4 and ask yourself how they are paying for those vital services if there is no value in the equipment.

I cannot tell you which option to choose, the cheapest or the safest or the greenest. I can but remind you that the price does not always equal the cost and that you should be looking for the best balance of all three. Your legal responsibility is to dispose of any electrical kit responsibly in line with WEEE regulations and to keep your data safe. How you do that is your choice.

Just remember that there is no such thing as a free lunch.