R2 Guidance & Knowledge Base

Podcast 21 – Updating Your Data Sanitization Plan and Process


Ask The R2 Guru is a podcast developed by SERI, Champions of Electronics Sustainability. This podcast is a series of short and helpful tips designed for electronics recyclers and refurbishers interested in the R2v3 Standard and the certification process. So, grab a cup of coffee and give them a listen.

PODCAST TRANSCRIPT:


August 2023

At SERI, we’ve been producing this podcast series for almost two years, and in that time, the most popular episode is the one where we described how to create your Data Sanitization Plan.  It’s been a while, there have been a lot of changes in technology, and we’ve received quite a few questions on some specifics of the data sanitization plan from various facilities, so we thought it was time to discuss how to update your data sanitization plan and process on this episode of Ask the R2 Guru.  I’m Roger Greive from SERI, Champions of Electronics Sustainability.

Core requirement seven of the R2 standard is for data security.  As all of you listening to this podcast know, data security is a chief concern of most customers of R2 facilities, and it should be.  The risk of a breach of personal data, no matter how small, always has serious consequences, and it’s the responsibility of an R2 certified facility to protect that data on the devices that are being received and processed.

When the latest version of the R2 standard was being written, the R2 technical advisory committee realized that data security was one of the most important elements of the latest version of the standard, which is why the requirements were enhanced from the R2:2013 version, and why it is addressed in two different places in R2v3 – Core requirement 7 for all R2 facilities and Appendix B for more advanced data security and data sanitization.  A key portion of both Core 7 and Appendix B is the Data Sanitization Plan, which helps facilities to identify data sanitization methods for different types of devices.

Core 7 is where you find the requirement for a Data Sanitization Plan; however, those of you who are certified to Appendix B will have an enhanced Data Sanitization Plan.  The Data Sanitization Plan is the central document for one of the most important processes conducted by any R2 facility.  And the very first requirement of Core 7 is to document and maintain a data sanitization plan.  This means it should be in writing.  The creation of your first data sanitization plan, and then having it audited, was part of the transition to R2v3.  But now that the transition is completed, most of you are approaching your first or second surveillance audit.  You’ll need to show that you have maintained the sanitization plan since your last audit.  So, what does that mean?  Well, your updated Data Sanitization Plan should reflect any changes that have taken place in the last year, either in materials received or in the processes you use to manage them.  Perhaps both.

The specific requirements for your data sanitization plan are listed in Core 7 requirement (a)(1).  We’ve discussed these in a previous podcast, so this time let’s talk about what you need to examine on an ongoing basis as you maintain your plan.  One of the first requirements of your data sanitization plan is that you identify the types of data storage devices that you accept as well as the types of data to be sanitized.

With this in mind, what are some of the things that might trigger your facility to start receiving new types of data devices?  Well, the Internet of Things, or IoT for short, is the outpouring of new electronic devices that have the capability to connect to the internet through Wi-Fi.  Things like home security devices, ring and wrist fitness trackers, home voice devices, and so on.  These devices change over time, some may be coming into your facilities already, and others may be coming in over the next few years.  As you begin the maintenance of your plan, how do you account for devices that might contain data or connect to data?

The most common way of determining whether new devices contain data is to look it up online.  Some of these devices might be more obscure than others.  For instance, some home automation devices, small monitoring devices, Wi-Fi routers or extenders, fitness devices, or wearables.  The technological developments that have enabled solid-state drives, or SSDs, which are really chips, to be placed in many more devices require a little bit more sleuthing on your part when you receive assorted new and random devices from your customers.  This means the devices with data or the ability to connect to data may be very small because of these tiny chips that act essentially like an SSD.

Once you’ve identified these devices as containing data, the next step is to see if any of your existing sanitization processes will work on these devices.  If so, great: just add that device to the Data Sanitization Plan and processes and ensure that the process for performing sanitization for that particular type of device is included in training for your data sanitization staff.  If it is a totally new device, or your sanitization procedures will not work on this new data device, then it’s up to you to develop a new process to be added to your list of data sanitization techniques.  If you have purchased sanitization software for use with other devices, a good place to start this process is to call that company’s technical department to see how they are addressing this new device or new technology.  It’s possible that they will have already developed something or might even have a new product to help with the sanitization process.  If not, you will need to do online checking, using your consultant if you have one, or consultation with other data security experts for their advice on how to sanitize each type of new device.  But when no software exists for the automation of data sanitization of a particular device, consider using R2v3 Formal Interpretation #1, Data Sanitization Software.  This Formal Interpretation describes how you might incorporate the manual workflow of the manufacturer’s factory reset, through a software solution like an ERP, into your data sanitization processes.  Remember that this new process or any new software purchases should also be noted as a sanitization method in your Data Sanitization Plan.

It’s difficult to say for certain, but it’s very likely that you will be receiving new device types almost constantly from now on. In addition to the proliferation of mobile devices, laptops, tablets, and the other more traditional electronics, the number of devices being added to the Internet of Things will explode over the next few years.  Recent predictions show that the total number of devices that access the Internet for their operation, everything from a light switch to a fleet of cars, will exceed the total number of electronic devices we have now, well before the year 2030 – growing from 15 billion Internet of Things devices to more than 30 billion by the year 2030.  And that figure does not include mobile devices in that total. And because almost all of these devices fall under the definition of electronics covered by the R2 standard, this means that R2 facilities around the world will have the responsibility for identifying and responsibly managing devices that contain data as well as these data-connected devices, which all need to be sanitized.

Another strategy to consider when managing these new devices is to send them to a qualified downstream vendor for processing.  Even if you are certified to Appendix B for Logical Sanitization, you can still send the devices that you cannot manage or choose not to manage to a downstream vendor, provided that they have the capabilities to sanitize those devices.  And conversely of course, if your facility develops the capabilities to responsibly and reliably sanitize these new devices, you can become a downstream vendor for those other facilities that might not have your new capabilities.

It’s important to review and update the documents relating to the various R2 requirements, and it’s especially important to pay careful attention to the major plans within the standard such as the FM Management Plan, R2 Reuse Plan if applicable, Legal Compliance Plan, and this Data Sanitization Plan.  Taken together, these plans reflect the connection between the R2 requirements and the documentation of what you actually do.  With technology changing so rapidly, your data sanitization plan will probably be constantly evolving.  And in a world where technology is always changing, your R2 certification helps your facility plan for proper methods of data sanitization, as well as plans for how to keep up with technology that always has something new.

With the enhanced requirements of data security and sanitization, your customers can be confident that R2v3 was built for data security.  R2 Certification ensures that data security is paramount to your operations and your relations with your customers, and R2v3 gives those customers confidence that their data will be secure.  At SERI, we’re here to provide guidance to help you navigate these changes as you continue being the best and most professional practitioners of electronics sustainability in the world.

That’s it for this episode of Ask the R2 Guru.  Thanks for listening, and thanks as always to the SERI team for their assistance in producing this podcast.  You can find a complete transcript of this podcast in the R2 Knowledge Base on the SERI website.  In that transcript, you’ll find links to other resources, such as the Formal Interpretation we discussed.  It’s all at SustainableElectronics.org.
