Friday, 20 February 2015

Who Says You are Good?
Managing risk can be tricky. For instance, did you know that once you let someone collect your old data-bearing devices, you have effectively given your data away? The risk of that is a £500k fine from Genghis Khan, or the ICO, as he prefers to be called.

This is where managing risk and the actual risk itself diverge of course. I am fully prepared to admit that the risk of your old PC falling into the hands of someone who intends to steal your data is fairly slim. Data breaches happen all the time but malicious intent is much rarer, and obviously very few people get fined for this sort of stuff. The ones that do pay dearly of course, both in cash and damaged reputations, but the risk is not massive.

However, managing risk cannot take the gravity of that risk into account. It is very unlikely a child will get seriously injured playing conkers in the school playground but it is still banned. And thus the sensible manager takes data security seriously and selects an IT recycling partner to collect their stuff.

Both the Bar Council and the FCA agree with the ICO that this is the best policy. They also suggest that businesses should consider having their data erased or destroyed BEFORE it leaves the premises in the presence of witnesses. But most people consider a secure process provided by someone like eReco to be sufficient. The risk is managed because we provide waste transfer notes, asset lists and certificates of data destruction to form an audit trail. If the worst happens and the data is lost or stolen, you can stand before Genghis with your hand on heart and say that you managed the risk and point the finger at your supplier.

Except most people do not quite go the whole hog. To manage the risk properly, and follow the advice given, businesses should contract with a suitable recycling partner but only after doing proper due diligence into their service and facilities. They might have told you that they were good, but how do you know? A quick glance at the website and a phone conversation with Arthur Daley does not quite cut it I am afraid.

To be fair here, bigger businesses often do enter into a contractual arrangement, and a lot of public entities only do so after the usual tedious procurement process (and yes, it is tedious: it has been turned into such a process that you spend a lifetime ticking boxes rather than actually spelling out what you can do for what price). But the simple fact is that relatively few businesses create enough IT & WEEE to warrant such an arrangement. For the vast majority, it’s a once in a blue moon need, and it does not justify such diligent due diligence.

And yet every business, large or small, needs to manage this particular risk. The risk itself might be slight but the penalties are career-damagingly high. So we here in eReco land try to simplify things for potential customers.

How, I hear you ask, not to mention why?

Well how is fairly simple. We are accredited by ADISA, with independent inspections to prove our processes and security. We have ISO 9001 and ISO 14001, and we are registered with the ICO. We have all the recycling licences we need, and we have just been DIPCOG approved to work in the MoD and government space. Very few other companies can boast of that little lot. 3 tops. Out of 800 or so I believe.

Why? Because not everyone can come down to East Grinstead and have a look at us properly. We would welcome you all, despite the cost in Nescafe and Digestive biscuits, but we know you just haven’t got the time, so we seek third party proof that we do what it says on the tin. Of course all of that costs money (...really resisting the temptation to rant about free again...) but it should offer reassurance to prospective clients that we wear brilliant white hats and only shoot when it is really absolutely necessary.

Most responsible businesses, regardless of their sector of operation, seek some sort of third party accreditation, be it a kitemark or just reviews from customers.

Personally, if I don’t see anything of that nature on a website, I am suspicious.

So my advice to you would be ask questions. Test the ground. There is nothing we say that we are not happy to explain, justify or prove. There is nothing we do we will not show you.