Corporate E-Waste Compliance — 90-Day Checklist for Kerala Companies

Most Kerala companies are not compliant with E-Waste Rules 2022. Most are also not compliant with DPDP Act 2023 as it applies to IT asset disposal. Most don’t know where to start.

This checklist gives you a structured 90-day path from wherever you are today to full compliance — actionable by your IT manager, compliance officer, or DPO without external consultants.


Before You Start: Assess Your Current State

Answer these questions honestly:

  • Do you have Form-6 e-waste manifests for every IT disposal in the past 3 years?
  • Can you name your current e-waste vendor’s KSPCB authorization number (format: KL/EW/XXX)?
  • Do you have a Certificate of Data Destruction for every laptop, server, or phone retired in the past 3 years?
  • Is your current vendor listed on kspcb.kerala.gov.in as an authorized recycler?
  • Does your IT asset register cross-reference to disposal documentation?

If you answered “no” to two or more of these, you are non-compliant and should start this checklist immediately.


Days 1–15: Inventory and Gap Assessment

Task 1: Complete IT Asset Audit

Pull your fixed asset register or IT asset register and identify:

  • All IT equipment purchased in the last 5 years
  • All items marked “retired” or “written off” in the last 3 years
  • Current status of each written-off item (disposed? still in storage? sold?)

Owner: IT Manager + Finance
Output: Master asset list with disposal status per item

Task 2: Identify Your Disposal History

For each retired item, document:

  • How was it disposed of? (trade-in, OLX sale, informal dealer, kabadiwala, EWaste Kochi, others)
  • Do you have a Form-6 manifest for it?
  • Do you have a Certificate of Recycling?
  • Do you have a Certificate of Data Destruction?

Owner: IT Manager + Procurement
Output: Gap report — items with documentation vs. items without

Task 3: Classify Data Sensitivity of Retired Devices

For each device disposed of in the past 3 years:

  • Did it contain customer personal data? (DPDP Act exposure: high)
  • Did it contain employee personal data? (DPDP Act exposure: medium)
  • Was it a general-purpose workstation with no personal data? (DPDP Act exposure: low)

Owner: DPO + IT Manager
Output: Data sensitivity matrix


Days 16–30: Vendor and Process Fix

Task 4: Verify Your Current Vendor’s KSPCB Authorization

Go to kspcb.kerala.gov.in → E-Waste Recyclers. Search your current vendor’s name or authorization number (if they’ve provided one). Confirm:

  • They appear in the authorized list
  • Authorization is current (not expired)
  • Authorization covers IT equipment (Schedule I, Category 1)

If they don’t appear: Stop using them immediately. Engage an authorized vendor.

Task 5: Select and Onboard an Authorized Vendor

If you don’t have an authorized vendor, contact EWaste Kochi (KSPCB: KL/EW/628) or verify alternatives on the KSPCB website. On your onboarding call or WhatsApp conversation:

  • Confirm their authorization number
  • Request a sample Form-6 manifest and Certificate of Recycling from a previous client
  • Confirm they provide NIST 800-88 data destruction certificates
  • Agree on process: how pickups are scheduled, what lead time is needed, what paperwork you receive

Task 6: Establish Internal Process

Create a simple SOP (1 page):

  • Who approves IT retirement (IT manager + department head)
  • Which vendor is used (name + authorization number)
  • Who books pickups
  • Who receives and archives documentation
  • Where documents are stored (SharePoint folder, filing cabinet — specific location)

Owner: IT Manager
Output: E-Waste Disposal SOP v1.0


Days 31–60: Remediate Historical Gaps

Task 7: Obtain Retrospective Documentation Where Possible

For devices disposed of through authorized recyclers in the past (even without documentation), contact the recycler and request:

  • Retrospective Form-6 manifest if they have records of your pickups
  • Certificate of Recycling for verified prior collections

Some authorized recyclers including EWaste Kochi maintain records and can issue retrospective documentation for verified historical collections.

Task 8: Assess DPDP Act Exposure for Historical Disposals

For devices that contained personal data and were disposed of without a Certificate of Data Destruction:

  • Prepare a brief risk memo to your DPO: device types, data categories, disposal method, date
  • DPO assessment: is the risk residual (no known breach) or active (device location unknown)?
  • If there is significant personal data exposure, the DPO should consult legal counsel on proactive disclosure to the Data Protection Board

Task 9: Dispose of Backlogged E-Waste

Any devices currently in storage waiting for disposal: schedule a collection with your authorized vendor and obtain all documentation.


Days 61–90: Ongoing Process and Training

Task 10: Update Vendor Master

Remove any unauthorized e-waste dealers from your approved vendor list. Add your authorized vendor with their KSPCB authorization number and expiry date noted.

Task 11: Train IT and Accounts Teams

Run a brief (30-minute) session covering:

  • Why informal disposal is a compliance violation
  • The specific documentation required: Form-6 manifest, Certificate of Recycling (CoR), Certificate of Data Destruction (CoD)
  • The process for requesting and recording pickups
  • Where to file documents

Focus on the accounts team: they often initiate an “asset write-off” without knowing the disposal compliance requirement that follows.

Task 12: Link Asset Register to Disposal Documentation

In your IT asset register (or fixed asset schedule), add fields:

  • Disposal date
  • Disposal vendor + KSPCB auth. number
  • Form-6 manifest reference number
  • CoD reference number (for data-bearing devices)

This linkage makes future KSPCB audits simple: when an auditor asks about a device, you can show the disposal record in 30 seconds.

Task 13: Set Calendar Reminders

  • KSPCB authorization expiry: 45 days before expiry, verify renewal
  • Annual disposal summary: End of March each year, prepare disposal summary from your records
  • DPO quarterly review: Review new retirements each quarter, confirm documentation complete

90-Day Outcome

At the end of this checklist, your company will have:

  • ✅ Identified all historical compliance gaps
  • ✅ An authorized vendor engaged with verified KSPCB authorization
  • ✅ A documented process for all future IT disposals
  • ✅ Form-6 manifests and Certificates of Recycling for all future disposals
  • ✅ NIST 800-88 data destruction certificates for data-bearing devices
  • ✅ Asset register linked to disposal documentation
  • ✅ Trained staff who understand the obligation

This represents full compliance with E-Waste Rules 2022 (Rule 13) and DPDP Act 2023 (Section 8(7)) for IT asset disposal.


EWaste Kochi supports your compliance journey: We provide all documentation automatically for every engagement, maintain searchable records for your annual audits, and can help reconstruct historical documentation. WhatsApp to start your compliance onboarding.