Showing posts with label ereco. Show all posts

Tuesday, 21 April 2015

Apathy, Fear, Suspicion and the SME



Most people work hard and have busy days. Managers and business owners have a lot of things to think about, a lot of rules and regulations to consider, and it all takes time. That is why recycling and the idea of sustainable business is not as high on the agenda as we would like it to be.

EReco sits in a sector fraught with risks, regulations and rules, but the biggest feeling I get from the majority of SMEs I talk to is a strange mixture of apathy, fear and suspicion.

Let me take those three emotional responses in reverse order.

People are suspicious of someone taking away their old IT equipment purely because they suspect that they are missing out on something. It’s not so bad with old wires, keyboards and the like, because they did not cost a lot in the first place and they have been well used and abused, and possibly don't fit the replacement kit, which in any case comes with new wires etc, but when it comes to desktops, laptops, servers and stuff, the cost kicks in. Remember, this is the man who has just paid to replace this stuff. He knows what it cost him down to the last penny. And even if that pile in the corner is all now redundant, he has this nagging voice in his head that tells him he is giving away money. It makes him reluctant to let go.

Fear is there too. He is no fool. He knows about hard drives, or at least he thinks he does. He does not think there is anything bad on the old machines, he may even have checked, and he does not think any criminal mastermind would be that interested in his old files anyway, but there is a nagging doubt there. He is not really sure what he should do, so he does nothing much at all, except deleting everything he can see.

Which brings me to apathy. Because this is not one of life’s bigger decisions. Not in the great scheme of things. This is redundant kit. If you have bought replacements and you have put the old stuff in a dark corner somewhere whilst your mild fears and suspicions fester, you cannot really be bothered to chase the solution too far. There is no problem hanging on to IT rubbish. It is not decomposing. So unless you need the storage space back, keeping it is relatively risk-free. It is actually easier to do nothing at all.

I absolutely guarantee that if you root around in any business premises you will find a bit of redundant kit somewhere. Damn it, most family homes are the same. I have a Virgin Media box they just left with me when I upgraded to TiVo. It has been at the bottom of my wardrobe for two years for heaven’s sake. And I could just drop that down the dump, for free.

There are thousands of tons of WEEE we could be recycling right now sitting there doing nothing other than take up space. And that is quite important, don’t you think? The idea that our electrical goods can be broken down at worst and reused to make something else is an incredibly good one, but far too often the good message gets lost in the reality of the situation, and that causes fear, suspicion and apathy.

So if you are a slightly nervous, suspicious sort of person who hasn’t summoned the energy to do the right thing with that pile of rubbish in the storeroom, it’s time to buck up. Call me (there are other IT recycling businesses out there, if you really must, but hey, we’ve come this far together, give a guy a break!) and I will sort it for you. It doesn’t hurt, you might get a few quid ahead at the end of the process and you will be doing something good for once.

Come on, you know it makes sense.
http://www.ereco.co.uk

Wednesday, 15 April 2015

The Proof is in the Filing Cabinet



Every job has its little nuances that no one else is aware of. Little tricks of the trade, or the thing that no one outside of the specialism has ever thought of. For most of us, those are the little stories we love to tell at parties, to impress complete strangers, just before their eyes glaze over and they make an excuse to escape to the loo.

Most jobs are boring of course. Most of the time. There are always bits that we enjoy more than others and sometimes bits that we actively like, but the reality is that most of our lives are mundane and not worth repeating to anyone. Unfortunately, as the devil is always in the detail, it is these extremely boring things which can often get us in the most trouble.

The paperwork trail is a prime example. I shall exaggerate a little here, but of the two million forms I have filled out in my long life only about ten percent were ever read, let alone put to any good use. I am sure I have wasted about a year of my time filling out things no one else will ever refer to again just to fill a filing cabinet that is probably still in storage somewhere, waiting for the statute of limitations to pass by.

The IT recycling sector can drown you in paperwork. There are certificates and processes and lists and forms that you can read until your eyes bleed, and do you know what? The vast majority just get filed away and never see the light of day again.

Why, I hear you ask? Because data security during asset disposal is all about risk management, and the paperwork is your defence, milord. The stuff eReco provides for you during the process, the waste transfer note, the asset list and finally the certificate of data destruction, are only worth their weight in gold when something goes a bit wrong. It is then, when Genghis Khan (our friendly neighbourhood Information Commissioner) is just preparing to torture your first born, that you whip them out and prove that you did everything right.

Which is why any sane individual disposing of a data-bearing device would worry about the paperwork and the little details contained therein. I know I have managed to write over 100 blogs thus far on this stuff, and I know there are a lot of details, but to simplify it down to the bare bones what you need to do is cover your backside, if you are worried about getting a sharp kick at some stage.

Some people do not worry. Many of those do not appreciate the risks...the £500k fine, the prison sentence...because either they don’t understand the risks or they take the view that they are not going to get caught. Now I understand that. It is a bit like speeding in that regard, the vast majority of times you will get away with it. I don’t speed as much as I used to, because actually the risks of getting caught have increased, what with more speed cameras being about, and because I am more risk averse these days.

Risk management, therefore, at least in this case, is about the paperwork. That the paperwork is the proof of the excellent ethical and data safe job we do is almost by the by. And yet again the quality of the paperwork is paramount.

For instance, you have a certificate of data destruction for a list of assets, identified by serial number, don’t you? I do hope you do, because otherwise you are not even on the first rung of the risk management ladder. Our certs state the software used (Infosec 5 of course) and will satisfy Genghis Khan that you have done all you could. The hordes will return to barracks without your blood on their hands.

But what if the certificates you have do not say how the data was erased? Or they say a lower level of software was used? Or one hard drive off your asset list does not appear, because it went missing somewhere? Genghis will be sharpening the gutting knives...

My party piece revolves around legal documents spewing out of old printers we mend or what we can recover from a hard drive after low-level erasure. I thus have few friends and rarely get invited to parties! Doing things properly costs a bit more. It is actually a bit boring as well. Sometimes we all stop and read the health and safety legislation for some light relief. But what we are doing matters.

The stuff in the file is important, so is what we do to create that paperwork, but you never get to see or file that for posterity. We are battling for a sustainable world where our personal data remains private. We are eco data warriors!

Put it like that and we are not so dull after all...

Friday, 10 April 2015

Scrap/Value



Value, like beauty, is in the eye of the beholder. We look at something and think ‘that cost me £400 that did’ and refuse to believe that four years later its worth is around a tenner. We forget that it cost £400 but that is different from what it was worth. You paid about £250 for the little Apple logo for a start or the swoosh, or the Microsoft thing.

I will always remember being on the M25 driving home one evening when my heavily pregnant wife rang me to say that she had been out with her parents and that they had very kindly bought us a pram cum pushchair cum car seat affair. With almost gay abandon she told me that it had cost them almost £700 (in 1999!) just as a beaten up old BMW overtook me doing about 90mph with a sign in the side window saying ‘for sale £695ono’. Worth and value, two very different things.

However, the price of such second hand cars is actually quite a good comparison to second hand IT equipment. You buy your car for say £10,000 and then drive it like a bat out of hell for five years until the clock reaches maybe 70,000 miles and then you get it valued. You know whether you think that price is fair or not. You know if the car is falling apart, or if the clutch is about to go. You expect it to be worth very little. And if it wasn’t working it would not be worth much at all, just scrap, even if you have no idea what scrap value is. It’s just something people say.

But with your old desktop the reverse is true. You know that it is too slow to run the programs you want to use reliably. You know it has started crashing on a regular basis. You know it gets awfully hot if you use it all day. You know it is five years old and was not exactly high spec back then. So having bought a shiny new one which cost you £499 you are naturally not best pleased when some fool like me suggests it will cost you to remove, sanitise and recycle.

Let’s ignore the game changing effect of volume for a minute and look at your average five year old PC in isolation. Yes it did cost you £499 sixty months ago. That is irrelevant to its value now. Has it been well used? Yes, it flipping well has. Was it top of the range when you bought it? No, it was the PC equivalent of the family saloon car. Why are you getting rid of it? Because it is on its last legs and will not do what you want a PC to do now. Ok so now who is the fool?

What people forget is that we have legal responsibilities here. Every business has to recycle WEEE responsibly and prove that they have done so, if necessary. The latter bit is less likely to happen of course but it does not change the regulations or the risk. And every business has to comply with the Data Protection Act. So, you really need some paperwork and you really need to make sure this is going to someone you can trust. But you still don’t want to pay, do you?

You pay for your bins to be emptied. Not the same though is it? I mean paying to get rid of rubbish is accepted, because it’s your rubbish and it is...well...rubbish. You created it and unfortunately you have to dispose of it and so you pay for those bins round the back of the building just like you pay your council tax at home, to have the bins cleared.

This PC isn’t rubbish, it cost £499 remember. Yes it doesn’t work very well and it cannot cope with the latest software you use, but it’s not rubbish. Not in your mind at any rate.

Ok then, you sell it. I really have had customers say this to me. ‘I’ll put it on eBay’. This is the PC that gets quite hot, you’ll recall? The one that crashes? The one that can’t cope with the latest software and you expect to sell it on eBay? And what are you going to do about software, because that stuff on the PC is licensed to you, and although it is transferable, do you want to transfer it? What are you going to put on your new machine? And most importantly of all, what are you going to do about your data on that old machine?

You could, like many people do, just shrug and say you’ll risk it. You could, like many people do, get away with it. Or it could all go a little pear shaped and Genghis Khan and his hordes (the information commissioner to you) could ride over the horizon and fine you up to £500k. In a few months he might even throw you in the chokey too. Given half a chance he will put you on the rack as well, or burn you at the stake.

Sensible people would not sell that PC on eBay. Too complicated, too many potential comebacks. A few would sneak it down the local tip and pretend they were a consumer, but of course the data is still there. The risk is still there. So in the end most people recognise that they have to use someone like eReco. And they still baulk at the cost. Any cost.

Volume becomes crucial here. If you are a big company you dispose regularly and have some sort of routine. Once or twice a year maybe, a nice full van load. eReco charge £900 for a van load, which can weigh up to about 1500kg but we still charge extra for data wiping on top. With these sorts of quantities, we have more scope for getting some value back for you. If your 5 year old PCs (75 is about a van load so let’s take that as our hypothetical quantity) pass the PAT safety test we can find a market for even some fairly low spec machines at around £20 each. So we might sell them for £1,500. Our standard agreement is a 50:50 revenue share, so you are due £750 less our sales costs, which might include loading new software for instance. But let’s say for the sake of argument that we don’t have to load any software and you get back your £750.

So now getting rid of a whole van load of waste has cost you £150 + data wiping at £5 which is another £375 on 75 PCs, so that is £525 or £7 a machine. That is £7 to load it on a van, transport it and log it, wipe it, provide waste transfer notes, asset lists and certificates of destruction, PAT test it and store it until we sell it.

In reality of course, a number of the PCs would fail the test. A number of hard drives would fail the erasure process and thus would have to be destroyed, so the costs could rise. But as an example it all sort of stacks up. £7 per PC seems like a fair price.

My point being if you have volumes to recycle, cost effectiveness and value for money are relatively easy to achieve. Saving the Earth does not cost the Earth.

But our one PC could end up costing £50 or even a bit more to recycle. And we can only get that low if you are easy to get to on the way back from somewhere else. And that can make the whole process seem unfairly expensive. Which I understand, appreciate and consider. But...

Unfortunately, the same rules apply to all businesses and organisations, regardless of size. You have to do this stuff or risk the consequences (you remember, Genghis; stakes, racks and burning). Which is why these people who offer free collections suck in so many people.

On the volume side, if you are collecting 75 PCs a free collection is possible. If they do not offer you any cash back (and they won’t) they get £1500 worth of kit. On our cost base, you could do that and still make a profit. Not a huge profit but a profit nevertheless. But if ten of the PCs failed the PAT test that profit would disappear, and you do not know what state the kit is in before you collect it so this is all done sight unseen as it were.

So, if you were that free service, what would you do? Well the major cost is the data wiping. We charge £5 per drive because besides the labour involved we pay a license fee per drive. But if we did not use the Infosec 5 software, but downgraded to one of the others on the market, which do not charge a few quid per drive wiped, we could save a fair amount. Sure, the data is technically recoverable but you are now into a situation where your risk revolves around your PC falling into the hands of someone with a fair amount of skill and criminal intent. Genghis would not be best pleased if it happened but as long as you had the paperwork, you might survive the experience.

Another cost is recycling within WEEE regulations. You are not allowed to sell stuff to people who intend to whisk it out of the country. Because it may end up in landfill or be used for nefarious purposes. Which is a shame financially because you can sell these guys anything, working or not, for cash. Annoying this sustainability lark sometimes!

So my message for today is that it isn’t about your valuation of the item’s worth. It isn’t even about the price I quote you. It is about the value of what we do. If you buy into that...if you believe that sustainability is important and that you would much rather your sensitive data was not shared with all and sundry...then the price will be just right.

Small businesses recycling small amounts will pay more, but isn’t that the same with everything?

Thursday, 9 April 2015

Doing Porridge for your Data?



During an election campaign it is probably natural to ask ourselves what a government is for? And the answer is to govern...to conduct the policy, actions and affairs of a state, organisation or people with authority...to quote a dictionary definition. Obviously quite a complicated business but when it comes down to it I believe it amounts to setting boundaries.

That is what laws are. You can do this but you cannot do that, and if you do we will punish you. In an ideal world, any government’s legislation should leave its people in no doubt as to how they are expected to behave, everything should be black and white, and we should therefore understand the consequences of our actions.

Data security is regulated but the legal boundaries are anything but clear. Not to the vast majority of people. If you sat your average business manager in a room and asked him what he was supposed to do with the data within his control, he would not have a clue.

To a certain extent that is our own fault. Not many people have ‘check the data protection act and how it applies to my role’ on their to-do list. But they should of course. It would make things so much easier in the long run, especially if the information available was written so that anyone not related to Stephen Hawking had a chance of understanding it.

Here’s a thing. An example of what I mean. When you dispose of an old Business PC, you are being governed (that word again) by two sets of legislation...WEEE and Data Protection. One classifies your old PC as waste and therefore it must be moved under a waste transfer note, by a licensed carrier and all that jazz. Not very exciting and we could have a debate about when it becomes waste, but essentially it is, so there, live with it and get a waste transfer note. It is better than a fine.

But the data stuff is trickier. According to the law you are not throwing out an old PC, you are giving away your data. From the moment it leaves your possession, your risk is running around outside of your control and protection and legally you need to show a duty of care towards its security. If you have not and it all goes a bit Pete Tong you are in the firing line of a £500k fine. Very soon you would be opening up the doors of the Scrubs and heading for a six month stretch standing nervously with your back to the wall!

Make no mistake about it; the penalties are serious and getting worse. The misuse of data is taken very seriously in Brussels and Westminster. Mess up through negligence or criminal intent and you can expect to feel the full force of the law and the Daily Mail, not necessarily in that order.

The law is often an ass but in this case it is not. It may not be educating us in how to stay on the right side of it enough for my liking but this idea that you are transporting data is good sense. People disposing of an old piece of kit do not see the data, they see the hardware. They are well used to passwords and network security and they don’t really think about what is on the hard drive. So the law is trying to say ‘hey stupid, remember what’s on there.’

The law is trying to protect everyone. Any data a business holds will involve someone else. It may just be name, address and phone number but in many if not most cases it will include sensitive stuff like bank details, medical records, financial information or even criminal records. So the law reminds you to take care.

Hence the existence of some 800 recycling businesses in this country who will deal with IT or data-bearing equipment. Or at least say they will deal with it. And this is where I get worried about the laws. The fact is they make suggestions without defining what they mean. They say use a specialist partner to make sure but they do not help with that choice. There are no British standards, no Kitemark for data erasure or destruction.

That in itself is not unusual. There are many sectors that have no government standards and quite often the sector gets together to try and set its own. The Press Complaints Commission would be a recognisable example of an industry regulating itself. In our case it is ADISA, or the Asset Disposition and Information Security Alliance, which is an independent body certifying members and setting standards, in conjunction with the government, who do work around the edges.

However, of those 800 businesses fewer than 40 are certified by ADISA. And only 3 are approved by DIPCOG to work in the MoD/Government space. Now this does not make the other 760 or the other 797 bad of course. It just suggests that in the absence of a national standard they do not see the value of playing the game.

That is a shame. The waters are muddy enough and we could do with some clarity. Because without it, who your data walks out of the door with is rather left to chance. And it is you who will pay the fine, not them. In a few months, when the new European laws get ratified, it could be you, or one of your directors, who gets to do the porridge.