Are printers your biggest GDPR blind spot?

Since it was first proposed in 2012, the EU’s GDPR has been in and out of the headlines. But now, with under a year until it becomes a reality, for organisations of any size, the countdown really is on.    

You can’t opt out, ignore it or claim ignorance. As a business it is now your responsibility to be fully knowledgeable about all things GDPR or risk the financial and legal consequences. Of course, this has resulted in the protection of core infrastructures becoming something that is never far from the forefront of everyone’s minds.  

However, as you tick off the boxes on the checklist towards total compliance, some devices inevitably slip through the cracks. Devices that sit in the corner of almost every office in the UK. Devices that we all trust to handle, and often store, important, confidential documents and sensitive data every day…  

Printers. Gone are the days of the clunky, noisy, single-function device, taking what felt like years to produce one black and white page. They’ve been replaced by connected multifunction devices (or MFDs) which can print, scan, fax, store and even manage and analyse data immediately, all with the simple click of a button from almost any device, both onsite and remotely, making life for both employers and employees much easier.

However, just as with every other aspect of IT in business, with these developments and advancements come greater security risks. Just like other IoT devices, our printers are now connected to the internet as well as corporate networks, creating a massively expanded threat surface and leaving them open to cyber attackers if not properly protected. Earlier this year, a hacker known as Stackoverflowin hijacked more than 160,000 insecure printers all over the world, proving not only that it can be done but also that printers need to become a part of every organisation’s cyber security strategy.

Yet, in many cases printers are left out of these strategies, forgotten about in both the planning and implementation stages. A Quocirca study found that only 22% of organisations placed a high importance on print security. This isn’t because it’s an area less likely to be breached: 63% admitted to having suffered a print-related data breach. They are the everyday device that nobody thinks about but everyone relies upon and, as such, they are vulnerable to becoming the weak link in an organisation’s cybersecurity defence. And with GDPR almost upon us, they are likely to become a blind spot within preparations.

Think about it… can your business afford to pay 4% of its total turnover for a data breach caused by an unprotected printer?  

If the answer is no then there are some simple steps you can take to avoid the future penalties:   

Be proactive  

GDPR compliance doesn’t have to be achieved in one big go; in fact, that would be impossible. However, if your business strategy is proactive, and you begin now to make a map of what data is kept where, then you can avoid the stress of last-minute preparations.

In any organisation, there are multiple entry and exit points from which data can flow and your printer is one of these. Whether the data is in the form of e-documents or traditional paper formats, it is important to have a clear knowledge of the risks and an understanding of what data is being held in the printer. Something you can do right now, to save yourself a lot of time and stress later, is conduct a thorough audit of all existing data practices, policies and equipment within your organisation. 

Then encrypt  

Once this audit is complete and you have a clear understanding of what is where, you can use encryption as a means to safeguard against the loss of personal data. It’s one of the key technologies highlighted within GDPR to be used across your PCs and laptops, so don’t forget that data stored on your printers should also be encrypted to limit the impact of a data breach.    

Ensure your staff and technology are GDPR ready 

In the build up to GDPR, raising awareness and educating internally is not something that should be taken lightly. Neither is updating your technology. 

It’s essential your staff understand the ground rules set out by the regulation and that your organisation can be fined a significant amount if they do not comply with them. It’s all about building up internal awareness at this point. Everyone will use the office printer at some point, but they may not even be aware that the data they are printing can be stored. If they’re educated correctly then half the battle is already won.

To add to this, it may seem obvious, but any technology you’re investing in at this point should be GDPR compliant. If you buy a printer now that isn’t ready to meet the EU demands then you’ll need to replace it before May 2018.

Never become complacent 

Even if you have completed the initial transition phase, the process doesn’t end there. In the marathon that is GDPR compliance, the 25th May 2018 is the starting point as opposed to the finish line. All the preparation that you undertake before that point is just to give your company the stamina it needs in order to keep up. Everyone will need to make a constant effort to continually track personal data and make decisions about what to do with it.

Under GDPR, companies will have to employ a Data Protection Officer, who will become a key player in maintaining compliance. For many organisations this role will be fulfilled internally and the individual will become responsible for implementing a data protection strategy and providing the board with comprehensive and transparent guidelines and policies.

In short, GDPR has had a long build-up but it is now a reality, and a fast-approaching one at that. Data and printing go hand in hand, so it only stands to reason that a regulation which will transform the way organisations think about personal data should also transform the way that they think about print.

And yet, MFPs are often left at the bottom of the pile, or even forgotten about entirely, when it comes to not only GDPR preparations but also cyber security strategy in general. An urgent and immediate shift in attitude is needed because the consequences for failing to consider the devices that sit in the corner of almost every office in the UK are about to get more damaging than ever before.

Eddie Ginja, Head of Strategic Business and Innovation, KYOCERA Document Solutions  
