Should end-user organizations require their ITAD vendors to be certified?
Highlights:
• Certification of an ITAD vendor is a minimum requirement for large enterprises who wish to ensure best practices of security, environmental stewardship, health and safety.
• Some enterprises may opt out of certification if they have their own strong diligence and vetting program in place.
• Decentralized ITAD programs without strict requirements around data security, audit trails, and what happens to the equipment put the enterprise at risk.
Rike’s Assessment:
In the enterprise case, especially large enterprises, yes, absolutely, as certification is a third-party vetting and confirmation that the ITAD company is meeting at least a minimum set of requirements. I’ve always said that certification is the first bar. You shouldn’t even talk to an ITAD vendor unless they’re certified because they haven’t made the investments and the commitment to meet certain best practices, including security, environmental stewardship, health, and safety of their workers, etc. Beyond that certification, then there may be other requirements that the enterprise requires of their ITAD vendors. There are enterprises out there that choose not to require certification. I see those as falling in two buckets: Â One is they have a very strong diligence and vetting program of their own that they’ve created and so they feel a third-party certification duplicates that, so they focus instead on doing their own vetting. The other bucket is people that are not educated on the risks or may not be aware of best practices and we see this in some of the decentralized ITAD programs that enterprises may have adopted where they don’t have rules or allow certain divisions to not follow the same rules for disposal of equipment. In those situations, I think those enterprises are at risk because they don’t have strict guidance and requirements around data security, audit trails and what happens to that equipment.