What happens if my customer refuses to fill out the DIAL?

Refers to Section 3 Module 1. Criterion 3.1.1

If this was identified at the sampling part of the audit process it would be viewed as a non-conformance and the non-conformance process would be followed.

I'm a DIAL 2 site and I have a new customer which is DIAL 3. What do I do?

Refers to Section 3 Module 1. Criterion 3.1.1

You should confirm with the customer that they are indeed a DIAL 3 and have not merely completed the form without genuine consideration to the impact.

If they are indeed a DIAL 3 then you should first share them the list of the DIAL 3 criteria from your full audit which you failed to meet along with remediation plan including timelines. The customer should then respond either permitting the engagement based on your remediation plan or stating that they require the remediation is to be concluded before work is transacted.

I'm acting as a sub processor for another IT company do I have to get a DIAL rating for them?

Refers to Section 3 Module 1. Criterion 3.1.1

An ADISA certified ITAD company will be expected to obtain the data controller’s DIAL rating for all in-scope ITAD work.

Where they are acting as a sub-processor, the data processor will be expected to provide this information to the sub-processor.

If we are audited and found to have a DIAL 2 rating and most of our customers are level 3, how quickly could we get to level 3?

Refers to Section 3 Module 1. Criterion 3.1.1

An applicant that wishes to improve on the outcome of their initial audit has two options:

  1. The non-conformance process allows for an applicant to commit to an action plan to improve on their provisional audit finding within that initial audit process, or
  2. An applicant may accept the outcome of their initial audit, but then subsequently request an ad hoc audit sooner than the normal 3-year frequency. Any ad hoc audit will be chargeable based on time and expenses (which would be proportional to the size and complexity of any such audit).

The timescale for both options would be driven by the time taken for the applicant to make the necessary improvements and auditor availability.


How long do I get to roll out my GDPR complaint contract to my current customer base?

Refers to Section 2 Module 1. Criterion 2.1.2

ADISA will only start auditing Standard 8.0 once we have received recognition by UKAS, which is expected to be 4-6 months. This delay will create opportunity for applicants to embed their Standard 8.0 compliant contracts across their customer base.

Any assets found during audit that have been, or are being, processed without a Standard 8.0 compliant contract will trigger the ADISA audit non-conformance process. The auditor will assess the severity of any non-conformance (minor or major) and stipulate appropriate actions to resolve the non-conformance.

Sub Processors and Third Parties

If my sub processor is ADISA certified do I still need to carry out my own audit of them?

Refers to Section 2 Module 9. Criterion 2.9.3

No - a currently ADISA certified company can be used by an applicant without a further audit.

I'm acting as a sub processor for another IT company do I have to get a DIAL rating for the IT Company or their customers?

Refers to Section 3 Module 1. Criterion 3.1.1

You will be expected to obtain the data controller’s DIAL rating. If the IT Company is making the controller decision, i.e. how to process the data, they would be the data controller and it should be their DIAL. (Their customers might as a result of this, be viewed as not complying with GDPR). If they are reselling your ITAD services to their customers and they have contracts etc in place with their customers for this work then you would be a sub-processor and the IT Company is required to provide you with a DIAL rating for each of their customers.


If I was to send my damaged drives to another company to repair and resell for me and they still have data on; is the repair company a sub processor for me?

Refers to Section 2 Module 9.

Yes - any other company involved in the end point of sanitisation/destruction process is a sub processor for you.

Client engagement

What can I use to form the contract with my customer ? Does it have to be called a contract ?

Refers to Section 2 Module 1. Criterion 2.1.2

The agreement made with your customer can be a full blown contract, a Proposal document that lays out the service offered with a link to your T & C's that contain all the UK GDPR complaint elements required , a Data processing Agreement , a Service Level Agreement or any other document as long as it contains all the required elements of 2.1.2.

My customer refused to sign a contract or any documents which I could claim as forming the contract - what do I do?

Refers to Section 2 Module 1. Criterion 2.1.2

If this was found during sampling this would be viewed as a non-conformance and the non-conformance process followed. During this assessment we would expect you to be able to provide evidence of asking the customer for a contract, of explaining the important of putting a contract in place and of you repeating your efforts to get a contract in place. In certain situations it might be appropriate for you to escalate your request to someone within your customers who is of sufficient authority such that the refusal of a contract is seen as a company wide decision.

Chain of custody

We carry out our own logistics- do I need the goods signed in by a third person?

Refers to Section 3 Module 2. Criterion 3.2.43

It is an essential criterion that the collection paperwork shall include a signature, printed name and date evidencing the transfer of custody from the company releaseing the assets to the ITAD. Where a logistics representative (third party carrier) is used, they must check consignment and sign the paperwork on point collection and an ITAD representative must check consignement and sign at point of receipt at the facility.

It would be good practice for a different individual other than the driver to check all consigments and sign into the facilty at point of receipt.


Data Capability

My degausser isn't on the NSA approved list - What should I do?

Refers to Section 3 Module 4. Criterion 3.4.9

If you cannot find your make and model on the NSA approved list you would need to get your customer to agree to its use which would be viewed as “a customer specification”. Agreement should include sharing the specific make and model of the degausser being used, generic approval of "non-NSA degausser" would not be pernitted,

Logistics and Processing facility

What do you mean by generic livery on our vans?

Refers to Section 3 Module 2. Criterion 3.2.21

The requirement is for customers to have the option to have collections made using vehicles with generic livery with the guidance being that it should be non-task specific. The tasks which are covered by the ADISA Asset Recovery Standard 8.0 including but not limited to:

IT Disposal, ITAD, Data Processing, Data Destruction, Sanitisation, WEEE and Asset Reuse.

Any livery containing these words would not be considered to be generic.

If couriers are shipping customer devices to us how does that effect our certifcation?

Refers to Section 3. Module Entire Module

If customers are shipping devices into your facility and they are organising and managing the logistics, then this would be acceptable as long as you are clear in your engagement that you are only taking custody on your facility door.

If you are organising couriers on behalf of customers, then you should ensure the couriers meet the requirements as laid out in Section 3 Module 2.

Should the couriers not be able to meet these requirements then this would be viewed as a non-conformance. The investigation would take into consideration aspects such as.
- Frequency of shipments.
- Reason for couriers (Home workers etc)
- Customer clear and unambiguous approval for the use of couriers.
- Customer being informed that the service does not meet the requirements laid out within 8.0.
- All parties agreeing on where transfer of custody takes place.

Like all non-conformances the frequency is critical, if courier usage which does not meet section 3 module 2 is a high proportion of the logistics transactions, it is unlikely to be acceptable for ADISA certification.

ROPA - Record of processing activity

Where can I find the ICO templates to help me complete my ROPA

Refers to Section 2 Module 3. Criterion 2.3.1

The requirement is for all processors to have in place a record of processing activity that contains the same information as the ICO templates that can be accessed via the following links.

ICO Templates


Inventory control

We have an unexpected asset in a collection ? Do we have to quarantine everything ?

Refers to Section 3 Module 3. Criterion 3.3.8

A good example of this is the ITAD receiving a kit list stating that they have 100 laptops to collect but when they are booked in there is actually 101. The customer has not provided the serial number so the ITAD is unable to identify which is the extra laptop.

All assets would need to be quarantined as per 3.3.8 until the customer has agreed a resolution. This is because the ITAD is unable to identify which of the assets is is the unexpected asset


Dependant Systems

What do you mean by dependant systems and what do I need to list on my form?

Requirement of the additional certification requirements 7.2 of ISO17065 ( Out of the audit process )

You are required to list any systems or interfaces used in the provision of data processing services such as your sanitisation software partner , your CCTV systems, your storage provider, CRM system etc.

You do not need to list any systems used once the data processing has been completed. For example your sales systems etc