Just like post-surgery checklists that ensure gauze and instruments aren’t mistakenly left inside the body and then trigger a bigger problem, written data destruction operational processes and procedures promote compliance, reduce errors and provide a high level of vendor-supplier trust. In addition, they comply with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act and other privacy laws as well as records and information management (RIM) policies. In a nutshell, it’s best practice!
What are “data destruction processes” anyway?
Fortune 500 companies often require process documentation from their vendors to understand employee background screening, EHS (environmental, health and safety) plans, and, for high-value equipment or data-bearing products, procedures for audit and document control (including Chain of Custody, Asset Transfer Forms, and Certificates of Data Destruction, Erasure and/or Recycling).
Clients and partners may also want to know device quarantine procedures, step-by-step shred operations (including inspecting the trucks when a job is complete), serial number audit and verification and information security.
And it can be esoteric too. Lately, we’ve seen requests for policies that describe the type of company we are. These asks include our stand on quality, environmental sustainability, social responsibility, human rights, diversity, anti-bribery and corruption.
What is the purpose of a written policy?
- Compliance. Our partners and their customers want to be assured that their data destruction (or logistics, packing and shipping) is going to pass an audit or other high jump test. Simply put, they want to ensure that, by employing us, they’ve followed legal and industry standards to ensure that their data, business and customers are not at risk. We know that our standards meet and possibly exceed the request. And, if we don’t, let’s improve.
- Assured level of professionalism. Why trust your data to someone questionable? A process audit can take that challenge off the table from the get-go. If you work with a NAID AAA certified data destruction partner like Guardian Data Destruction, they’ll have a vetted set of policies in place (and those policies are followed), so that you’ll feel comfortable with your own end-of-life, end-of-lease and equipment migration projects.
- Consistency. Enterprise companies want a vetted, known process for all their locations whether it’s in New Jersey or California — every time. No matter the location or appointment, they want to be assured that the mobile shred truck that is coming to shred their hard drives, SSDs, tablets, etc. is set up the same way, following the same rules and providing the same documentation.
- Customization. End-clients in highly regulated or high-profile markets have very specific, very particular policies that mirror the procedures that their IT, legal and compliance teams have developed based on their own experiences. For Guardian, modifying a policy to improve data security and comfort for a particular client is never a problem and tracking those policies year after year is only good business.
- Alignment. When Guardian is asked about our guidelines on quality, charitable giving, health and safety and other positions that reflect our company values and mission, we are happy to supply and comply.
Who asks for company processes and policies?
- End-clients audit their resellers to ensure that all subcontractors are in compliance. In some cases, the approved client vendor has to have approved subs.
- Resellers want to make sure their stable of contractors is at the required level so that supporting documentation can be readily supplied during the quoting and SOW process.
- Experienced outside auditors are also commonly used. Their sole purpose is to ensure that all service providers are on the up and up. This can take the form of an annual audit that includes updates, or of an audit based on SOWs or MSAs (Master Service Agreements) as they’re rolled out.
Processes and policies protect everyone
Any company contracting for data destruction or live data relocation services (whether it’s servers or laptops) wants to be assured that their service providers are looking out for them and their data is safe. The written processes are an essential part of the vetting process. Because the policies are protection. For everyone. We share what we’re going to do and how we do it.
No surprises. For anyone.
That means it’s not enough to have a policy that is pulled out and dusted off if it’s asked for. At Guardian, we follow our policies. We enforce them. We review them annually or after an incident. We look to improve and update them regularly.
For VARs, ITADs, end-clients and any service provider we work with, we invite you to ask us for our policies for the next job. Not only are we delighted to share them, we’re happy to listen to any suggestions you may have. 100% compliance and 100% protection mean 100% cooperation.