Every ITAD provider will claim to responsibly manage the IT equipment entrusted to them, but how do you know they are making good on those promises? You can hope that the provider will do the right thing, but, as the cliche goes, hope isn’t a strategy.
A multi-national investment bank recently learned this the hard way, incurring millions in fines for failing to protect personal data during the decommissioning of company servers, with the repercussions still being felt, including multiple civil lawsuits.
While it takes years to build a brand, it only takes a single careless vendor a moment to damage it.
Contents
- What is R2v3?
- Who is Sustainable Electronics Recycling International (SERI)?
- Why should I choose R2-accredited facilities?
- Why is R2v3 important?
- How is R2v3 different from previous iterations of the R2 standard?
- When did R2v3 replace R2:2013?
- SK tes R2 certified facilities
What is R2v3?
The R2v3 standard was released in July 2020 by Sustainable Electronics Recycling International (SERI) and is the second major revision or upgrade of the R2 standard since 2013, when the first revision was released.
R2v3 certification is a voluntary standard that certifies responsible electronics processors. IT Asset Managers partnering with ITAD companies that have R2v3-certified facilities can have increased confidence that their sensitive data is destroyed and that electronic equipment, components and materials will be managed based on a hierarchy of responsible management strategies, prioritizing reuse first.
Furthermore, ITAD companies that have R2v3 certification are in a stronger position to assure customers of the efficacy of their data destruction and waste management practices.
Who is Sustainable Electronics Recycling International (SERI)?
Sustainable Electronics Recycling International (SERI) is a non-profit organization dedicated to promoting responsible recycling of electronic devices. SERI aims to mitigate the environmental and health impacts of improper e-waste disposal by providing standards and certifications for safe, environmentally sound, and socially responsible recycling practices.
The R2 standard is at the core of SERI’s activities, developed in collaboration with a multi-stakeholder Technical Advisory Committee. This committee includes representatives from e-waste recycling companies, customers like OEMs and data center operators, regulatory agencies and public interest groups. The R2 standard is accredited by the American National Standards Institute (ANSI). Dave Nicolls represents SK tes on the Technical Advisory Committee alongside representatives from Best Buy, Panasonic, Google and Lenovo.
In March 2024 SERI established a Technical Advisory Committee focused on Environmental, Social and Governance (ESG) considerations. Sofia Peruzzo joins representatives from Samsung, Starbucks and Google to represent SK tes, working together to develop the ESG reporting standard for electronics.
Why should I choose R2-accredited facilities?
The R2 standard ensures that the facility processing your laptops, data center equipment, or other electronic devices adheres to the highest industry standards. By selecting an R2-certified supplier, you are assuring the responsible management of your electronic equipment.
“R2 Certification is what separates self-made claims by companies from those that have been audited and verified to actually do the right things. That’s a big difference, and it is what the world has come to value in R2-certified facilities.” Corey Dehmey, Executive Director of SERI
R2 is the world’s most widely adopted standard for responsible management of used electronics covering providers of IT asset disposition (ITAD) and recycling services. With over 1000 facilities accredited in over 40 countries around the world, R2 is a powerful tool in your procurement process when selecting your ITAD vendor.
SERI provides a searchable database of accredited facilities worldwide.
Why is R2v3 important?
Correctly handling end-of-life laptops, desktops, tablets, enterprise equipment, data center cloud equipment, smartphones and more involves a carefully managed sequence of decisions and processes that present multiple areas of risk. R2v3 places particular emphasis on mitigating two such risks:
1. Data Protection
Companies may consider security their highest priority while data-bearing drives are in their possession, but many organizations do not take that risk into account once that equipment is sold or transferred to a third party.
The Ponemon Institute’s Third Annual Study: Data Risk in the Third-Party Ecosystem found that among more than 1,000 CIOs and security professionals surveyed, almost 60% of respondents had experienced a data breach caused by a third-party service provider. Strikingly, this statistic has remained constant in the 4 years since the last study was conducted, with no improvement.
Several studies conducted in the past few years have also found that many second-hand electronics sold on popular online marketplaces had not been properly sanitized of data, including corporate emails, spreadsheets, financial projections, personal identification numbers, and other sensitive and proprietary information.
R2v3-certified facilities reduce risks and brand damage by undergoing rigorous annual audits conducted by an accredited third-party certification body. This annual audit verifies that they are adhering to industry best practices for data security, recycling best practices, and electronics sustainability as established in the R2v3 standard.
2. Environmental risks associated with E-waste
According to the 2024 Global E-waste Monitor report, 62 million tons of e-waste were generated in 2022, of which only 22.3% were recycled. The rest was mostly dumped or burned, sacrificing much of the value from the precious metals and commodities contained in the devices and causing tremendous harm to the environment and to public health and safety.
Choosing R2-certified facilities significantly enhances a company’s corporate social responsibility (CSR) efforts. The R2 standard is designed to support a sustainable circular economy, helping companies achieve their sustainability goals by ensuring electronics are reused and recyclable materials are recovered, even at a higher cost.
For over a decade, the R2 standard has promoted sustainability by refurbishing electronics and encouraging responsible environmental practices. Its focus on outcomes ensures that used electronics are managed responsibly, contributing to environmental protection and bridging the digital divide.
Any business that upgrades its IT assets can advance its ESG objectives by opting for R2-certified vendors. This choice ensures that electronic waste is handled sustainably, reinforcing the company’s commitment to ethical and environmentally friendly practices.
How is R2v3 different from previous iterations of the R2 standard?
1. R2v3 has additional requirements for certain specialty operations
R2v3 Appendices A–F — Facilities and process requirements
R2v3 recognizes the diversity in types of facilities, from collectors to ITAD, to returns and recycling, and introduces requirements that address specific operations that require specialized skills and processes. The core requirements of R2v3 apply to all R2 facilities, and new, additional process requirements have been introduced that apply only to specialized operations (Appendices A–F). While recyclers will certify to Appendix E for materials recovery, for example, ITAD companies will certify to Appendix C for test and repair and to Appendix B for data sanitization.
Figure 1: Example Facility Scope shown on SERI website.
To support this, the scope of R2-related activities performed by a facility is audited and included on the R2 certificate. This additional transparency allows customers to clearly see the specialist services performed at a facility, and provides them with more information about the specific expertise and capabilities of each R2-certified facility.
2. R2v3 requires all R2 facilities to have a detailed Data Sanitization Plan
R2v3 Appendix B — Data sanitization process requirement
In an evolution from previous versions, R2v3 has enhanced requirements for data security and data sanitization. All facilities must provide evidence of a Data Sanitization Plan and meet enhanced requirements for physical security within the facility and for the process of managing data-containing equipment, and the standard defines approved data sanitization methods. The most rigorous data sanitization requirements appear in Appendix B for those facilities providing specialist services. These data erasure guidelines include the following requirements:
- Enhanced security controls and monitoring systems including locked and alarmed access points, secure work and storage areas, closed circuit camera systems covering the process, active monitoring of cameras and access points, and inventory tracking.
- Facilities must demonstrate traceability of assets from receipt to sanitization, and when data is erased using data sanitization software, electronic records shall be maintained for each unique serial number.
- As well as clearing data contained within drives, equipment must be cleared of any locks, logins, or passwords to cloud services, and all physical markings or stickers linking a device to its previous user must be removed and destroyed (e.g. company asset tags).
- On-site data destruction taking place outside the facility (for example, on-site shredding at a customer’s office) must follow the same standards.
- Along with a number of quality control requirements, at least 5% of sanitized data storage media must undergo secondary testing as quality assurance and be verified by the Data Protection Representative.
These enhanced data security requirements mandate that a complete chain of custody is maintained throughout the process, giving customers confidence that, by using an R2v3-certified facility, their equipment and data are being managed responsibly, with no gaps or security risks.
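A customer-side check of the per-serial erasure records and the 5% secondary-testing requirement listed above, as an added example that is not part of the original article or of the R2v3 standard. The record fields (`serial`, `status`, `secondary_verified`) and all sample data are constructed assumptions about what a vendor's erasure report might contain.

```python
# Constructed sample: serials the customer handed over, and the vendor's
# per-serial erasure records. Field names are hypothetical, not an R2v3 schema.
SHIPPED = [f"SN{n:04d}" for n in range(1, 41)]            # 40 drives

def sample_records():
    recs = [{"serial": f"SN{n:04d}",
             "status": "failed" if n == 7 else "erased",
             "secondary_verified": n in (3, 19)}          # QA re-test done
            for n in range(1, 40)]                         # SN0040 has no record
    recs.append({"serial": "sn9999 ", "status": "erased",
                 "secondary_verified": False})             # never shipped by us
    return recs

QA_PERCENT = 5  # "at least 5%" secondary testing, per the article

def norm(serial):
    """Normalise serials so case and stray whitespace do not hide a match."""
    return serial.strip().upper()

def reconcile(shipped, records):
    """Compare shipped serials with erasure records and check the QA sample."""
    by_serial, duplicates = {}, set()
    for rec in records:
        key = norm(rec["serial"])
        if key in by_serial:
            duplicates.add(key)
        by_serial[key] = rec
    shipped_set = {norm(s) for s in shipped}
    matched = shipped_set & by_serial.keys()
    sanitized = {s for s in matched if by_serial[s]["status"] == "erased"}
    verified = {s for s in sanitized if by_serial[s]["secondary_verified"]}
    # Integer ceiling of 5% avoids floating-point rounding at the boundary.
    required = (QA_PERCENT * len(sanitized) + 99) // 100
    return {
        "missing_record": sorted(shipped_set - matched),
        "unexpected_record": sorted(by_serial.keys() - shipped_set),
        "duplicate_record": sorted(duplicates),
        "not_erased": sorted(matched - sanitized),
        "qa_required": required,
        "qa_verified": len(verified),
        "qa_ok": len(verified) >= required,
    }

if __name__ == "__main__":
    for field, value in reconcile(SHIPPED, sample_records()).items():
        print(f"{field}: {value}")
```

Any non-empty `missing_record`, `not_erased` or `duplicate_record` list is a chain-of-custody gap to raise with the vendor before accepting a certificate of destruction.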
3. R2v3 specifies standards around Test and Repair
R2v3 Appendix C – Test and Repair process requirement
Appendix C introduces requirements for facilities performing test and repair in-house and requires R2 facilities to document an R2 Reuse Plan which includes employee competency and training, safety considerations, functional testing plans, quality assurance and returns policies. Any data-bearing equipment must have been erased in accordance with the requirement in Appendix B – Data Sanitization.
Any R2 facilities providing services within the Scope of Test and Repair must also hold a quality management certification, such as ISO 9001, from a recognised Certification Body. R2v3 also introduces a time limit of 1 year to process equipment and components.
Customers choosing R2 facilities to process their corporate IT and networking equipment will have confidence that reuse options are prioritised for their technology, that testing is being completed with technical competence and good quality control, and that aged equipment doesn’t gather dust in a warehouse.
4. R2v3 brings in requirements that address specialty equipment
R2v3 Appendix D — Specialty electronics reuse
R2v3 includes a new process (Appendix D) for the processing of specialty electronics, such as commercial telecom equipment, medical equipment, or laboratory equipment – a segment of the ITAD industry that often requires sophisticated test equipment and simulations to determine functionality. Due to the cost and scarcity of such test equipment, most vendors find it challenging to test specialty electronics for functionality under typical conditions.
To increase the legitimate reuse of specialty equipment, R2v3 establishes an alternative path of control from decommissioning to reuse. Where the R2 facility does not have the technical capability to test this equipment, competent technicians will:
- verify functionality with the prior user,
- check for physical damage or missing parts,
- verify part and serial numbers,
- ensure that data has been erased, or is not present, and
- resell, harvest parts, or recycle the equipment in an appropriate way.
5. R2v3 must be in place for each operating facility
Code of Practices (COP)
Another significant change from the previous version of R2 is that R2v3 will not allow for multiple sites to be connected under one certification. Every site has to be independently certified by a 3rd party, which ensures controls and standards are in place for every facility. This means that global customers working with ITAD providers offering international capabilities can check if specific facilities have R2 accreditation.
R2v3 works on a principle of ‘Tracking Throughout’. Flows of waste materials have to be audited annually for the final disposition of material for every downstream recycling partner, unless the downstream is also R2v3 certified, giving customers assurance of a responsible downstream supply chain.
When did R2v3 replace R2:2013?
Following its release in 2020, SERI implemented a phased adoption of the new standard, largely driven by the expiration dates on R2:2013 certifications. From January 1st, 2021 all new certifications were audited to R2v3, and the following year all recertifications for R2 were undertaken in accordance with the new standard. R2v3 requires that all non-conformities are resolved and closed prior to issuance of the R2v3 certificate.
SK tes - R2, R2V3 certified IT recycling facilities
SK tes is recognized by Gartner as the largest global ITAD vendor. This scale also means we have almost double the number of R2-certified facilities of any other provider, with over 30 R2-certified facilities.
We’ll continue to ensure that we adopt the latest and most robust standards on behalf of our customers, evidenced by our facility in Seattle being among the first in the world to earn the new R2v3 certification. For our customers, this means they can rest assured that SK tes continues to be one of the most competent, qualified, and responsible providers available.
Blancco reveals 42% of used drives sold on eBay are holding sensitive data – Blancco
The Perilous Oversights: Risks Of Unwiped Data On Sold Devices (forbes.com)
Morgan Stanley fined millions for selling off devices full of customer PII – Sophos News