Security Shredding and Storage - a shredding industry publication

Export Regulations Secure Destruction Outlook: Stability & Opportunity Amid Challenges

By Bob Johnson
Having the benefit of watching the secure destruction industry evolve over four decades, I am more inclined to look at its status in terms of multi-year phases; the 1980s when both customer awareness (demand) was low and competition was sparse.

The 1990s saw the rise of mobile destruction, the 2000s when regulation and enforcement increased awareness and competition, thus increasing focus on electronic media destruction and the first rounds of industry consolidation, and, finally, the last ten years which have been marked by further consolidation, the importance of web-based marketing, a continued focus on electronic media, and a general market stability due to industry contraction.

Additionally, my involvement with NAID over the past 24 years has given me an international perspective. While the “phases” described above apply for the most part to the North American secure destruction sector, their timing and flow are quite different around the world; other regions tending to be in a phase previously experienced by the U.S., or in some cases, skipping some completely. As an example of the latter, we see Asian markets where the newly blossoming economies seems to have skipped the hard copy (paper) phase of secure destruction, with the focus of service providers going directly to electronic media destruction. Additionally, recognition of NAID AAA Certification by the Australian SCEC may dramatically limit the ability of unqualified operators to function at all. The point is, the opportunities and challenges facing the secure information destruction industry differ markedly by region, and why most Security Shredding News readers are likely interested in the North American market, developments around the world, notably with the new General Data Protection Regulation in Europe, will further support compliance-related trends already affecting demand, service provider scrutiny, and marketplace stability in the U.S. and Canada.

Of course, compliance-related issues aren’t the only international factor affecting the secure destruction services market. A significant portion of service providers receive a varying percentage of their revenue from the sale of their destroyed byproducts, and the commodity price for such byproducts depends largely on the international market.

What Does It Mean?

Having set the proverbial table with these (somewhat obvious) observations, it seems that secure data destruction operators in North America that have incorporated a “regulatory compliance, strong web-based marketing” model will continue to do well for the immediate future. I specifically use the word “continue” because I said the same thing last year… and for all intents, it generally proved correct. Service providers that have adopted this model 1) secured an increased demand from the growing number of businesses that responded to rising data protection liabilities, 2) capitalized on the increasing customer dependence on search engines to locate services, and 3) freed themselves from reliance on commodity pricing by focusing on service revenue.

These operators find themselves well positioned to get the most out of continued market contraction in North America. If they decide to sell, they will garner maximum value. If they stay put, they will benefit from the continued price stability resulting from the ongoing contraction.

Despite this trend, it doesn’t mean service providers that have not adopted the compliance-intensive, web-based approach aren’t able to compete. I am sure every reader can think of some competitor that ignores both and also knows of scores, even hundreds, of clients that are oblivious to anything but price. The point here is that it will become harder and harder for those companies to compete effectively, especially when it comes to competing for clients willing to pay a fair price. They will be subject to the unreliable volatility of commodity pricing. And it is also likely that their business will be worth little if they ever do want to sell.

The Job is Never Over

I assume at this point some readers are feeling pretty good about their continued prospects. They have a decent compliance profile, they’re NAID AAA Certified, and their salespeople know all the talking points on contracts and insurance; they’re walking the talk. They’re happy with their search engine results and their conversion rate. To them, I say, good job, and it’s time to get back to work.

Electronic media and IT asset disposition are opportunities for profit that no service provider should ignore. I am not talking about occasionally shredding a half dozen hard drives either. The average NAID member has hundreds if not thousands of local clients. There is little excuse for not aggressively pursuing opportunities with each of those clients to help them properly destroy (shred/wipe) all of their electronic media. It is a mistake to wait for them to ask. It needs to be part of every sales call, even perhaps every service event. Client contracts, service orders, and marketing materials should stress the importance of this business need. For service providers, this may mean pursuing new lines of operations (electronics refurbishing) or strong partnerships with organizations that provide a broad scope of electronic media solutions. As clients become educated and their expanding electronic destruction needs evolve, hard copy destruction firms may soon lose them to the competition, simply because of limited knowledge and insufficient service options. To put a finer point on it, even the response “we can only shred your hard drives,” will not suffice in the not too distant future. This is not a problem; it is a business opportunity.

The upcoming European Data Protection Regulation (GDPR) that goes into effect on May 18, 2018, represents another opportunity. To be clear, for European-based service providers, the word ‘opportunity’ doesn’t really do it justice. For them, it is the ultimate game changer. It is a ten on the Richter scale of regulatory changes. Some will make millions on it, others won’t survive. The GDPR will usher in far-reaching, cross-border changes that, though nowhere near as impactful as in Europe itself, will be felt globally. Any organization in North America that has information on a European citizen, which includes every financial institution, every investment firm, many government offices, all multi-national corporations, travel companies, and credit bureaus, among many others, is subject to the requirements of the GDPR. And whether North American service providers realize it or not, because they are receiving such information from these organizations, they are technically subject to the GDPR as well.

As such, it is very likely that an existing account in the U.S., subject to GDPR provisions, will ask you, “Is your firm compliant with the U.S.-E.U. Privacy Shield Framework?” It's just as likely that a competitor aware of such issues will approach your existing customers with that same question. A service provider unaware of the issues will be blindsided. On the other hand, those ready to proactively raise the issue with clients and prospects will be in a position to capitalize.

U.S.-based service providers that are already compliant with HIPAA, GLB, and state breach notification laws (as verified by NAID AAA Certification) are already prepared operationally to meet GDPR requirements and only need to understand how to convey that readiness to their clients. For these professionals, the impact of the GDPR will be more knowledge-based and communications-based. If they prepare and implement correctly, there is a big potential upside. Obviously, those service providers unprepared to address U.S.-E.U. Privacy Shield issues will likely find themselves on the wrong side of client legally-mandated requirements.

More of the Same Coming

Market contraction will likely continue well into 2019. Increasing client scrutiny and consolidation in North America have already proven good for pricing stability and margin growth in North America. Those left standing are generally doing well and there is more to come.

Service providers that continue to invest more heavily in compliance and staff education, web-based lead generation and conversion, and diversify into electronic media solutions are bound to see their fortunes rise. Even new market entrants prepared to embrace these trends would likely do well.

Robert (Bob) Johnson is the CEO and founder of NAID, the non-profit, international trade association for the secure information destruction industry, which he started after more than a decade in the industry as a service provider. As a pioneer creating tangible means for the industry to be more regulated and thus successful, Johnson has testified before the United States Senate and the Canadian House of Commons on the importance of secure information disposal and provided input on data protection regulations around the world. He recently authored the first concise textbook on the topic of information disposition, Information Disposition: A Practical Guide to the Secure and Compliant Disposal of Records, Media and I.T. Assets. Johnson is a prolific writer and speaker on the topic of secure disposal, data protection regulations, policy development, and employee compliance, and occasionally serves as an expert witness in legal disputes related to secure information disposition. This email address is being protected from spambots. You need JavaScript enabled to view it.

Member Login