Organisations need to consider their print infrastructure as part of GDPR compliance, says Martin De Martini, Co-founder and CIO at Y Soft
With GDPR fast approaching, most conversations about the regulation centre on the event of a data breach and the fines that can follow one. It is just as important, however, to look at where exactly data breaches can come from.
In the build-up to GDPR, businesses will be ensuring that their data protection policies fall in line with the regulation and securing explicit consent from individuals to use and store their information. One of the biggest motivators to comply is the substantial potential fine: up to 4 per cent of global annual turnover or €20 million, whichever is higher.
Despite the risk of these hefty fines, a recent survey by the London Chamber of Commerce and Industry found that a third of London’s businesses were unaware of GDPR, and one in three believed it was not relevant to them.
As well as considering data breaches, organisations also need to reflect on the personally identifiable information held in their enterprise systems, such as the print/copy/scan infrastructure, and on how to comply with individuals’ rights concerning that data.
It is now common for the services provided by multi-functional devices (MFDs), including network printing, scanning and copying, to be organised and managed by a single platform that often also provides proprietary physical access control at the device. Such a system is in turn interconnected with other IT systems such as mail services, file systems, Active Directory and many others. Each of these systems usually contains personal data and therefore poses a risk if it is not set up and managed correctly in line with the requirements of GDPR.
Looking at a typical enterprise workflow solution, which covers network printing, scanning, copying and physical access control for MFDs, GDPR places a number of obligations on the organisation operating it. These include:
Identifying all personal data processed by any of the services
Personal data, according to GDPR, is any information relating to an identified or identifiable natural person (the data subject). Such information is not restricted to traditional identifiers such as name, surname, address or email, but includes any electronic identifier such as location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. In a print environment this typically includes the user name attached to a print job, the document names recorded in job logs and the card identifier used to release jobs at the device.
Processing of personal data by enterprise workflow solutions must be secure
Appropriate technical and organisational measures have to be taken to prevent unauthorised access to and disclosure of personal data. For enterprise workflow solutions, this means encrypting network connections wherever possible (a print job sent to a device in the clear can be read by anyone on the network path), controlling physical access to the devices, and implementing appropriate security policies within the organisation. It should be noted that in 2016, 62 per cent of security incidents were attributed to human error; the remaining share of the risk is what a secure solution can mitigate.
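As a concrete check for the "encrypt wherever possible" point, the script below probes a multi-function device for the well-known print and management ports and reports which of them would carry print jobs or credentials in the clear. It is an added example, not code from the article or from Y Soft; the port table reflects the standard assignments (9100 raw/JetDirect, 515 LPD, 631 IPP, 443 HTTPS/IPPS, plus Telnet, FTP and HTTP admin), and the host and the sample scan result at the bottom are constructed so the classification runs offline.

```python
"""Fleet check for plaintext print and management services on MFDs.

Added example, not code from the article or from Y Soft. The port table
reflects well-known assignments for print protocols; the sample scan
result at the bottom is constructed so the example runs without a network.
"""
import socket
import ssl
from typing import Dict, Iterable, List, Tuple

# TCP services commonly exposed by MFDs. The flag says whether the protocol
# carries print jobs or credentials in the clear by default. 631/IPP runs
# over HTTP and is only protected if the device enforces TLS (ipps:// or an
# HTTP Upgrade to TLS), so it counts as plaintext unless a TLS handshake
# succeeds on it.
SERVICES: Dict[int, Tuple[str, bool]] = {
    9100: ("raw/JetDirect print", True),
    515: ("LPD print", True),
    631: ("IPP print", True),
    21: ("FTP", True),
    23: ("Telnet management", True),
    80: ("HTTP admin UI", True),
    443: ("HTTPS admin UI / IPPS", False),
}
JOB_PORTS = {9100, 515, 631}  # ports where the document itself crosses the wire


def tcp_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """Plain TCP connect; True if something answers. Network-dependent."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def tls_available(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if the port completes a TLS handshake. The certificate is not
    verified: MFDs almost always present self-signed certificates, and the
    question here is only whether encryption is offered at all."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (OSError, ssl.SSLError):
        return False


def probe_host(host: str) -> Dict[str, set]:
    """Scan one device: which known ports are open, and which of those
    offer TLS. Only run this against devices you are authorised to test."""
    open_ports = {p for p in SERVICES if tcp_open(host, p)}
    tls_ports = {p for p in open_ports if tls_available(host, p)}
    return {"open": open_ports, "tls": tls_ports}


def classify(open_ports: Iterable[int], tls_ports: Iterable[int] = ()) -> List[str]:
    """Turn a scan result into findings. A port is reported if its protocol
    is plaintext by default and no TLS handshake succeeded on it."""
    open_ports, tls_ports = set(open_ports), set(tls_ports)
    findings: List[str] = []
    for port in sorted(open_ports):
        if port not in SERVICES:
            continue
        name, plaintext_default = SERVICES[port]
        if plaintext_default and port not in tls_ports:
            kind = "print jobs" if port in JOB_PORTS else "management traffic"
            findings.append(f"{port}/{name}: {kind} in the clear")
    if not findings:
        findings.append("no plaintext print or management service exposed")
    return findings


if __name__ == "__main__":
    # Constructed result for a device exposing raw 9100 and HTTPS only.
    # On a real fleet, replace with: sample = probe_host("10.0.0.5")
    sample = {"open": {9100, 443}, "tls": {443}}
    for line in classify(sample["open"], sample["tls"]):
        print(line)
```

The useful output is the list of findings per device: a device that only shows HTTPS and TLS-protected IPP produces no finding, while raw port 9100 or Telnet on the same device is exactly the unencrypted "data line" the paragraph above tells you to close or replace.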
Incidents have to be reported to the data protection authority
Contrary to the former common practice of covering up personal data leaks to protect an organisation’s reputation, under GDPR every security incident resulting in a personal data leak must be reported to the supervisory authority within 72 hours of the organisation becoming aware of it, unless it can demonstrate that the breach is unlikely to result in a risk to the rights and freedoms of data subjects, for example because the leaked data was encrypted and the key was not compromised.
Privacy by design
Large organisations will inevitably have a vast and complex setup in terms of print security. For organisations with a varied assortment of MFDs, it is in their interest to seek counsel from experienced vendors who fully understand the risks of MFDs connected to an insecure network.
Privacy by design and the ability to perform their GDPR-related duties should therefore be a consideration for administrators and data protection officers when selecting the right enterprise workflow solution, or when evaluating current solutions ahead of GDPR coming into force.
The regulation is a reminder that businesses must re-examine their current security posture on all fronts. From there, organisations will have to act swiftly to put suitable security measures in place. Companies must face the fact that print security is an aspect that must be considered if they want to avoid stringent fines.