R2 Guidance & Knowledge Base

Podcast 3 – Writing your Data Sanitization Plan


Ask The R2 Guru is a podcast developed by SERI, Champions of Electronics Sustainability. This podcast is a series of short and helpful tips designed for electronics recyclers and refurbishers interested in the R2v3 Standard and the certification process. So, grab a cup of coffee and give them a listen.

PODCAST TRANSCRIPT:

The first step of Core Requirement 7 is to create a Data Sanitization Plan. But how do you know what should go into that plan, so that it answers all the requirements and provides clear information to your auditor? That’s the topic of this episode of Ask The R2 Guru. I’m Roger Greive from SERI, Champions of Electronics Sustainability.

Before we go into the specifics of the Data Sanitization Plan, let’s take a moment to review the requirements of the R2v3 Standard on data sanitization and security. There are two parts: Core Requirement 7 – Data Security and Appendix B – Data Sanitization. Core Requirement 7 is required for every R2v3 facility and covers the creation of a comprehensive data sanitization program focused on physical destruction of data devices.

I’m sure that once some of you have looked at the requirements for Core 7, you’ve noticed that the listing of everything that needs to go into the Data Sanitization Plan takes up almost an entire page of the R2v3 standard. The required items and topics are labeled A through M, and with that many things it’s bound to be a little bit intimidating.

To begin, you might want to look at those 18 sub-requirements as a table of contents for your eventual written plan. If you connect each of those requirements A through M with specific processes, materials or actions in your facility, you’ll be well on your way to finishing this document.

But to help you, SERI has developed a tool that will walk you through the process. It’s called the Data Sanitization Plan Guidance and it’s found on the SERI website in the R2v3 knowledge base. Go to the box marked R2 Training – Core Requirements and scroll down to Core 7 – Data Security. Click on that heading and right under the two training videos, you’ll see the link to a guidance tool that will help you create your Data Sanitization Plan.

This document prompts you to answer questions from each subsection of the requirement. The left-hand column has the questions you’ll need to answer and the right-hand column provides some examples that will help you as you fill out each section.

Those examples in the right-hand column should be looked at as a starting point. They should prompt you to go through your facility and your operations and then replace the examples with your actual information.

There are five main sections that will be in your Data Sanitization Plan and the Guidance Tool is divided into these sections to make it easy to find everything. The sections are:

  1. Identify the types of data storage devices and the related data managed by your facility
  2. Define all data security and sanitization requirements
  3. Establish the data sanitization processes and procedures
  4. Establish security controls
  5. Develop processes for training on and validating the security and sanitization controls

In addition, there is one more section that covers additional material for Appendix B, which we will discuss later.

There’s no requirement for how long this plan should be. After all, this is not a freshman English course requiring a 12-page paper. It’s important, though, to answer the questions clearly and thoroughly so your auditor will not be confused by the information you’re presenting or find the need to dig deeper for more information. And not everything needs to be in nice, neat paragraphs. For instance, you could have a heading on types of data devices and then a list of the devices you process, and the types of data on each. You can also answer some of the questions by referencing other documents you have in your management system such as work instructions, procedures or forms.

So let’s go through a couple of the questions in this guidance tool for some examples on how to do this.

At the top of page three of the Guidance tool, requirement (a)(1)(G) asks for information about legal requirements relating to data security, specifically about legal, supplier or customer requirements and whether any of those are addressed in your Legal Compliance Plan. In addition to the examples, your answer to this requirement might reference a section of your Legal Compliance Plan, or sample contracts with your customers, or other legal requirements that you need to follow to fully execute your operations.

Requirement (a)(1)(L) needs answers to three questions, all about the verification of your sanitization process. You probably have a work instruction covering the verification process already, so your answers would probably include references to the various sections of that work instruction.

And this points out why the Data Sanitization Plan is so important and so detailed. If you discover that you don’t have a validation process work instruction as you are answering requirement (a)(1)(L), then you’ve uncovered a gap in your operations and training, with plenty of time to address that gap well in advance of an audit. The completion of this Plan is also the completion of a thorough checklist of your entire data sanitization and data security process.

There’s one more bit of housekeeping related to this Guidance tool. Most of the required items for your Data Sanitization Plan are contained in Core Requirement 7, but as we mentioned, Appendix B goes beyond the Core 7 requirements to include logical data sanitization, enhanced security and device tracking. So there are additional topics to be included in your Data Sanitization Plan only if you are being audited to Appendix B. These questions and examples are in the same format as the rest of the Guidance tool and are found on page 6.

A final note…at SERI, we know that the creation of this Plan is a major task for your first R2v3 audit, and it’s why we made this Guidance tool to help you. But for subsequent years, it’s a lot easier. You’ll simply need to verify your operations and materials against what is in your plan and make only minor adjustments if needed.

As always, I hope you’ve enjoyed this episode of Ask The R2 Guru and found it helpful. Thanks to Sean DeVries, Sarah Kim and Jeff Seibert for their assistance in producing this podcast series. If you have any questions or comments or want to suggest a topic for a future podcast, please use the Contact Us form on the SERI website. You’ll find us at SustainableElectronics.org.
