Information and Compliance Officers are FREAKING OUT Over Non-Compliant Old PC's That are Piling up in Storage

Bridgette Vermaak is Head of ITAD department at Xperien, she has vast skills and experience in her field of expertise. Her passion has always been to improve the lives of others, both humans and animals, initially considering a career as a veterinarian. However, she opted to rather pursue and study for a career in IT and she soon found her niche - specialising in IT security. This enabled her to pursue her passion to make a difference by improving security for users.

Her 'dream job' came with the realisation and introduction of IT Asset Disposal (ITAD). She gained valuable skills in the importance of Secure & Compliant IT asset disposal and effective destruction of data. Bridgette was also given the opportunity to utilise redundant corporate IT equipment to benefit NGO's, making a difference in more ways than one.

Listen to a 12 min interview with Wale Arewa by on "Information and Compliance Officers are FREAKING OUT Over Non-Compliant Old PC's That are Piling up in Storage"

It used to be the case that companies would dispose of old computer equipment any old way - pile it up in storage, refurbish it, sell it off to staff or second-hand retailers, or - if the equipment was too old to be of any value - simply dump it in a landfill.

That’s no longer an option, since the POPI (Protection of Personal Information) Act came into being. All those old hard drives usually contain vital client that must be removed in a manner that is compliant with the act. Simply pushing the “Delete”button won’t do it. Nor will running a magnet over the old hard drives in an attempt to erase data. Even using the old hard drives for target practice (yes, that has been tried too) or drilling holes in them will not satisfy the prescriptions of the POPI Act. Nor does factory reset encryption.

Here’s an actual example of the kind of POPI violations that could land executives in jail or leave the company with a R10 million fine: in downtown Johannesburg, scores of old hard drives were found being sold on the street. These hard drives were either stolen by company insiders, or disposed of by the company themselves. What the buyers were actually looking for was client data: ID numbers, credit card information, bank account details and anything else that might be of value.

Don’t believe this does not happen. Criminal syndicates are forever seeking ways to get their hands of your client data and will pay R200 to a staff member to remove a hard drive and hand it over. That old hard drive sitting in storage and gathering dust could be worth millions to someone who knows how to access the data. Syndicates will pay cash for hard drives, but what they really want is the information, particularly from companies in the financial and insurance sectors.

Last year financial services group Liberty announced a massive data breach that is reckoned to have cost millions to fix (even though no clients reportedly lost any money).

The hidden costs of storing old computer equipment

Thousands of SA companies are disposing of old computer equipment by putting it in storage. The problem with this is that storage costs money. The longer the equipment is in storage, the more it costs. Then there are the insurance costs. But the biggest potential cost is the risks of falling foul of POPI and exposing client or company information to unauthorised access. Simply dumping old equipment in landfill sites does not satisfy the requirements of POPI because of the environmental risks of placing lithium and other toxic materials in the ground.

The PoPI Act is designed to ensure that all South African institutions conduct themselves in a responsible manner when collecting, processing, storing and sharing another entity's personal information by holding them accountable should they abuse or compromise your personal information in any way.

“They stockpile old hardware wherever they have some free space, and that’s driving up costs,” says Fredrik Forslund, vice president of enterprise and cloud erasure solutions at Blancco.

Many companies are still struggling to come to grips with the implications - and risks - of violating the act. One company was found to have a decade-worth of old computer equipment stockpiled in a disused room. Nobody managed the store-room facility, making it an easy target for thieves. Nor did the company have any documentation or itinerary of the equipment in storage. The hard drives were found to be loaded with client data.

This is far from unique. A Veritas Global Databerg report found that 85% of stored data is either dark or redundant, obsolete or trivial. This is a huge problem in the making in light of the POPI Act and other international data protection laws. Companies can no longer afford to ignore the risks.

Source: Blancco

The proper solution to disposal of old computer equipment

Xperien is a company with a 20 year track record in the refurbishment and disposal of old computer equipment in a way that is fully compliant with the POPI Act. The safe erasure of data is carried out using a specialised tool called Blancco, which is recommended by IT consulting firm Gartner as one of the most suitable tools for this purpose. This is done either on site or removed under strictly supervised and secure conditions for off-site handling. Once the data is safely erased, the client company is issued with a POPI-compliant certificate to this effect.

In one recent case, Xperien was contacted by a company with years-worth of old computer equipment piled up in storage. We sent in three teams and a few trucks, carried out a full inventory of the stock, and removed the data off the hard drives (those that weren't stolen). The company was presented with a full inventory report detailing the equipment age and specs - including what was missing. The company was then able to receive a financial return on its old equipment, including a certificate of proof that it was POPI compliant.

Improve the return on investment on old equipment

Most companies retire their computer equipment after 3-5 years. This equipment has a typical residual value of 10-20% of the original cost. That residual can quickly devalue the longer the retired equipment is kept in storage. There are broadly three options available to companies contemplating the disposal of old equipment:

  1. Sell the equipment outright to a company like Xperien, and recover the residual value which can then be put straight back into the company’s IT budget. This would include the certified erasure of client data from hard drives.
  2. Xperien refurbishes the equipment, after erasure of the data, after which it is available to company staff for purchase at beneficial prices (often up to 75% of the original cost, depending on the condition).
  3. Donate the refurbished equipment to schools and orphanages as part of the company Corporate Social Investment programmes, and claim the tax advantages in terms of the Income Tax Act.

The financial case for data erasure and asset disposal

In most cases, companies don’t even have to find budget for disposal of equipment and erasure of data.

Here’s a typical example: if computer was originally bought for R10,000 three years ago, it will have some residual value. The client will conservatively get 10% of this back, or R1,000. For that, Xperien ensures that the data is removed in a POPI-compliant manner, with the client receiving a certificate to prove that it has been removed. In some cases, clients require video evidence of the erasure of data, which is also a service provided by Xperien. This is generally done on site. If the equipment is removed from site, this is done using Xperien’s own security and transport so as to authenticate the chain of disposal.

Do not sweat your IT assets. Use the residual value of the old equipment to reduce the cost of new equipment and get free data erasure certificates.

Get creative and you can save more than 35% on your new IT budget.

Financing options

Xperien, through its Case Study

  • Our customer a Healthcare provider since 2011
  • Purchased 556 CRS laptops in 2018
  • Model Dell E6430 i5 for R3099 each
  • Cost of new alternative R6 925 000
  • We also brought back old laptops we supplied 3 years ealier for R750 (15% residual value) as deposit for a Continuous IT Lifecycle Solution

Powered by