Data sanitization, test and repair set latest R2 standard apart from previous version

SERI (Sustainable Electronics Recycling International), based in Hastings, Minnesota, launched R2v3, the most recent update to the R2 Standard, earlier this month. R2 Director Sean De Vries says it’s been a lengthy process to update the Sustainable Electronics Reuse & Recycling (R2) Standard, but it was needed because the last update was back in 2013.

“This started in August 2015, and there was a call to general members in the industry, volunteers that wanted to be a part of this TAC (technical advisory committee) to review and update the standard,” De Vries says. “Over that period of time, we’ve had 48 different participants and grouped them into three categories.”

While not all 48 participants served at the same time, stakeholders who served on the TAC  included recyclers, customers of electronics reuse and recycling services, public interest groups, government regulators and auditors. The TAC spent more than 5,100 hours on the development of R2v3, including dozens of conference calls, five multi-day in-person meetings and small working groups for special sessions.

De Vries says an emphasis on reuse, then recycling, is one of the main changes in the updated standard. This was done by emphasizing ways to ensure more secure data erasure can be done, so more items can be reused rather than recycled or destroyed.

Some of those steps include secured areas dedicated to data sanitization with access limited to authorized individuals, maintaining methods for data sanitization for each type of data storage device and a timeline to sanitize data that depends on when a facility receives the items.

This also comes with enhanced controls for test, repair and reuse. SERI says these controls will ensure the quality and effectiveness of the refurbishment process by making sure items are properly tested and the level of functionality is confirmed.

Each facility also will have to write and maintain a data security policy that keeps unauthorized people from accessing or handling equipment containing data, as well as assigning a data protection representative who is responsible for each facility’s data security and legal compliance. Any known or suspected data breaches are to be reported to that person.

“The industry changed, and that’s what the TAC realized during this process,” he says. “End of life meant recycling; with new devices, there’s a much larger reuse market now.”

There’s also a big change when it comes to the standard’s structure.

“[The standard] has been broken into a set of core requirements that are applicable to all facilities and process requirements (such as data sanitization and test and repair), which apply only to those facilities that perform those operations,” De Vries says. “This revised structure better suits the wide industry application of the R2 Standard, allowing for certification by a diverse range of operations.”

Since the discussions to make these updates began in 2015, De Vries says monthly meetings have taken place to find anything within the old standard that could be interpreted incorrectly.

Along the way, SERI accepted feedback from the industry and the public to make sure the TAC was on track. Going to public comment twice, for 45 days each, allowed anyone to comment on the committee’s progress.

“It’s so important to get their feedback, both through the updating process and through the review and drafting process,” he says. During those two periods, De Vries says more than 660 comments were received, giving the TAC plenty to go through.

“Some of the changes were more minor in nature, such as clarifications to ensure that the requirements would be interpreted as intended, while other changes, such as in the sorting and categorization process and making it optional to register the downstream flow with SERI, were intended to better align with how the industry operates and provide alternate implementation options to meet the same intended outcome,” he says.

This isn’t just about making the update, though; De Vries says it’s important for SERI to offer training modules for those businesses working toward R2v3 certification and auditor training for the professionals who will audit businesses to the standard.

“That’s a really important aspect of it. It’s not just giving the standard but also ensuring there’re enough resources, so people understand it and properly implement it and audit to it,” he says.

More than 900 recyclers will have to be audited and recertified to the updated standard and have until 2023 to do so. He says R2v3 will have a more defined scope for those operations that are already R2 certified, helping them to define or highlight specialized areas of operation.

“For facilities that are new to R2, the revised structure will allow them to attain R2 certification more efficiently by focusing only on the process requirements that apply to their operations and also allowing them to upgrade or add new processes over time that fit best with their business needs,” he says.

De Vries says he understands the need to update the standard to meet evolving industry needs, especially as data protection and security are even more critical now.

He says R2v3 should provide confidence to individuals and companies that when they turn their equipment over, it’s safe and being reused or recycled in the best way possible.