Every ITAD provider will claim to responsibly manage the IT equipment entrusted to them, but how do you know they are making good on those promises? You can hope that the provider will do the right thing, but, as the cliche goes, hope isn’t a strategy.
A multi-national investment bank recently learned this the hard way, incurring millions in fines for failing to protect personal data during the decommissioning of company servers, with the repercussions still being felt, including multiple civil lawsuits pending.
While it takes years to build a brand, it only takes a single careless vendor a moment to damage it.
- What is R2v3?
- Why is R2v3 important?
- How is R2v3 different from previous iterations of the R2 standard?
- When will R2v3 replace R2:2013?
What is R2v3?
The R2v3 standard was released in July 2020 by Sustainable Electronics Recycling International (SERI) and is the second major revision or upgrade of the R2 standard since 2013, when the first revision was released.
R2v3 certification is a voluntary sustainability standard that certifies responsible electronics processors. IT Asset Managers partnering with ITAD companies with R2v3-certified infrastructure can have increased confidence that their sensitive data is destroyed, that electronics with residual value will be reused, and that their assets won’t end up in a landfill or in a dumping ground halfway around the world.
Furthermore, ITAD companies that have R2v3 certification are in a stronger position to assure customers of the efficacy of their data destruction and waste management practices.
Why is R2v3 important?
Correctly handling end-of-life laptops, desktops, tablets, enterprise equipment, data center cloud equipment, and smartphones involves a carefully managed sequence of decisions and processes that presents multiple areas of risk. R2v3 places particular emphasis on mitigating two such risks:
Companies may consider security their highest priority while data-containing electronics are in their possession, but many organizations falsely assume their risk ends once that equipment is sold or transferred to a third party.
The Ponemon Institute’s Third Annual Study: Data Risk in the Third-Party Ecosystem found that among more than 1,000 CIOs and security professionals surveyed, almost 60% of respondents had experienced a data breach caused by a third-party service provider.
Several studies conducted in the past few years have also found that many second-hand electronics sold on popular online marketplaces had not been properly sanitized of data, including corporate emails, spreadsheets, financial projections, personal identification numbers, and other sensitive and proprietary information.
R2v3-certified facilities reduce risks and brand damage by undergoing rigorous annual audits conducted by an accredited third-party certification body. This annual audit verifies that they are adhering to industry best practices for data security, sanitization, and electronics sustainability as established in the R2v3 standard.
According to the 2020 Global E-waste Monitor report, 53.6 million tons of e-waste were generated last year, of which only 17.4% were recycled. The rest was mostly dumped or burned, sacrificing much of the value from the precious metals and commodities contained in the devices and causing tremendous harm to the environment and to public health and safety.
Choosing R2-certified facilities can play a big part in a company’s corporate social responsibility (CSR) and environmental, social, and governance (ESG) plans. By design, the R2 standard is built for a sustainable circular economy, so using R2v3-certified facilities helps companies meet their sustainability goals.
Structurally, the R2 standard is intentionally aligned with circular economy and sustainability principles. R2-certified facilities are required to reuse electronics when possible and to recover materials that are recyclable (even when it costs more to recycle than to dispose of the equipment).
With this steadfast approach, the R2 standard has been driving progress toward a sustainable circular economy for more than 10 years, bridging the digital divide with refurbished electronics and protecting the environment through responsible practices.
Since the R2 standard isn’t just a management system and instead focuses on outcomes, R2 certification creates the governance to verify that used electronics are handled responsibly and sustainably. Nearly every business in the world uses electronics (IT assets). When businesses upgrade their IT assets, they can thus further their ESG goals simply by selecting an R2-certified vendor to carry out this process.
How is R2v3 different from previous iterations of the R2 standard?
R2v3 Appendices A–F — Facilities and process requirements
R2v3 introduces a new design that recognizes the diversity in types of facilities, from collectors to ITAD, to returns and recycling. The new structure of the core requirements applies to all R2 facilities and process requirements for specialized operations (Appendices A–F) differentiate between distinct types of R2-certified facilities. While recyclers will certify to Appendix E for materials recovery, for example, ITAD companies will certify to Appendix C for test and repair and to Appendix B for logical sanitization.
R2v3 Appendix B — Data sanitization process requirement
In an evolution from previous versions, R2v3 has internalized the data security and data sanitization requirements. R2v3 no longer relies on other standards; rather, R2v3 includes the most rigorous data sanitization requirements in Appendix B. These data erasure guidelines are specific to the areas below:
- Enhanced security controls and monitoring systems
- Traceability from receipt to sanitization
- Video recordings of physical destruction
- When logically erased, software-generated records are created for each serial number
- Equipment is cleared of any locks, logins, or passwords to cloud services
- Verified sanitization by the Data Protection Representative
R2v3 Appendix D — Specialty electronics reuse
R2v3 includes a new process (Appendix D) for the processing of specialty electronics, such as commercial telecom equipment, medical equipment, or laboratory equipment – a segment of the ITAD industry that often requires sophisticated test equipment and simulations to determine functionality. Due to the cost and scarcity of such test equipment, most vendors find it challenging to test specialty electronics for functionality under typical conditions. To increase the legitimate reuse of specialty equipment, R2v3 establishes an alternative path of control from decommissioning to reuse.
Code of practices (COP)
Another significant change from the previous version of R2 is that R2v3 will not allow for multiple sites to be connected under one certification. Every site has to be independently certified, which ensures controls and standards are in place for every facility. The flows of waste materials will need to be audited annually to final disposition of material for every downstream transfer of waste, unless the downstream is also R2v3 certified.
When will R2v3 replace R2:2013?
Starting January 1st, 2022, all re-certifications will need to be to the R2v3 standard, according to SERI, so the expiration date on R2:2013 certificates for each individual facility will drive the transition timeline. R2v3 requires that all non-conformities be resolved and closed prior to the issuance of the R2v3 certificate.
The best way to ensure a smooth transition to R2v3 is early preparation, and SERI is offering supporting resources to ease this transition.
“Achieving R2v3 certification places a vendor head and shoulders above most competitors and demonstrates to current and potential customers that they are choosing a competent, qualified, and responsible provider that will partner with them to do the job right and protect their interests.” Rick Goss, President and Founder at Green Cognition.
What are we doing at TES?
Standards are about continuous improvement. The R2v3 standard provides the roadmap for the sustainable management of used electronic equipment. Implementation, while challenging, is a learning experience that ensures that our businesses operations are secure, sustainable, and provide specific processes for managing the numerous risks of used electronics.
With 40+ owned and operated facilities in over 20 countries, TES is now recognized by Gartner as the largest global ITAD vendor. This scale of infrastructure also means we have almost double the number of R2-certified facilities than any other provider.
We’ll continue to ensure that we adopt the latest and most robust legislation on behalf of our customers, evidenced recently by our facility in Seattle being among the first in the world to earn the new R2v3 certification. For our customers, this means they can rest assured that we continue to be the most competent, qualified, and responsible provider available.