With GDPR fast approaching, the majority of conversation relating to the regulation is around the event of a data breach, and the fines that can be imposed because of one. But data breaches are not the only area of concern regarding GDPR.
Within a few months, organisations must bring their data protection policies in line with the regulation to secure clearer consent for using people's information, and the consequences of being found non-compliant with respect to an individual’s rights are considerable. Non-compliance fines are defined as up to 20 million Euros or 4 per cent of a company’s worldwide revenue, whichever is greater, regardless of where the company is physically located.
In the globally interconnected business environment, GDPR will have an impact stretching beyond the European Economic Area as its scope is not only territorial but also personal, requiring that the processing of personal data of EU residents must be GDPR compliant no matter where the processing effectively takes place. This is extremely relevant for large multinational organisations, where cross border processing of personal data happens frequently for various reasons, and this makes GDPR relevant for companies outside of the EU as well.
Despite the risk of hefty fines, a recent survey conducted by the London Chamber of Commerce and Industry found that a quarter of London’s businesses were unaware of GDPR, with one in three believing it is not relevant for them. Furthermore, the UK government recently warned that fewer than half of all businesses and charities are aware of the laws.
But, as well as considering data breaches, organisations also need to reflect on the personally identifiable information of individuals present in their enterprise systems, such as a company’s print/copy/scan infrastructure, and how to comply with individuals’ rights concerning that data.
It is now common that many services provided by multifunction devices (MFDs) – including network printing, scanning and copying – are organised and managed by a single, intelligent platform that often provides proprietary physical secure access control. Such a system is further interconnected with other IT systems like mail services, file systems, active directory services and many others. Each of these systems usually contains personal data and therefore poses a risk if not set up and managed correctly in line with the requirements of the new regulation.
Looking at a typical enterprise workflow management setup, which includes network printing, scanning, copying and managing physical access to MFDs, there are a number of obligations on the providing organisation under GDPR. These include:
All personal data processed by any of the services must be identified
Personal data, according to GDPR, is any information relating to an identified or identifiable natural person (data subject). Such information is obviously not restricted to traditional identifiers such as name, surname, address or an email, but covers all possible electronic identifiers such as location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Processing of personal data by enterprise workflow solutions must be secure
Appropriate technical and organisational measures have to be taken by security personnel at the organisation to prevent unauthorised access to and disclosure of personal data. For enterprise workflow solutions, this can be achieved by encrypting communication links wherever possible, controlling physical access to the devices, and implementing appropriate security policies within your organisation. It should be noted that by 2016, a striking 62 per cent of security incidents were caused by human error; the remaining third of the risk can be mitigated by using a secure solution.
Incidents have to be reported to the data protection authority
Contrary to the former common practice of covering up personal data leaks in an effort to protect goodwill on the market, every security incident resulting in a personal data leak must be reported under GDPR within 72 hours of discovery, unless the organisation is able to prove that the breach is unlikely to result in a risk to the rights and freedoms of data subjects because the leaked data was sufficiently encrypted.
Organisations processing personal data must therefore comply with a number of data subjects’ requests, including: the right to access, the right to rectification, the right to be forgotten and the right to restriction of processing. Personal data processed within workflow management software falls within a sensitive data category and must be secured. It’s important to assess the different types of data you will have, in terms of what’s owned by your organisation and what’s owned by the individual, as well as looking at what data is structured and what is unstructured. These definitions will help you better understand whether the system is able to recognise whether processed data contains any personal data or not.
Large organisations will inevitably have a vast and complex setup in terms of print security. For organisations that have a varied assortment of MFDs, it is in their interest to seek counsel from experienced vendors who fully understand the risks of an unsecured network connected to MFDs.
Privacy by design and the ability to perform their GDPR-related duties should therefore be a consideration for administrators and data protection officers when selecting the right enterprise workflow solution, or when evaluating current solutions ahead of GDPR coming into force.
The regulation is a reminder that, in order to remain compliant, businesses must re-examine their current security situation on all fronts. From there, organisations will have to act swiftly to put suitable security measures in place. Companies must face the fact that print security is an aspect that must be considered if they want to avoid stringent fines.
Y Soft has prepared the “GDPR Compliance Guide with YSoft SafeQ 6” whitepaper to assist with understanding and complying with GDPR as it relates to any company’s network-based print, copy and scan services. The guide is a reference for organisations considering an enterprise workflow solution to effectively manage their print infrastructure.
Martin De Martini, Co-Founder and CIO, Y Soft