This blog was published on the 2nd May 2017. Last edited: 29th April 2019.
GDPR - A Summary
The General Data Protection Regulation (GDPR) replaced the Data Protection Act 1998 (DPA) and came into effect on the 25th May 2018. It is in many ways similar to its predecessor and regulates the processing and holding of personal data.
But there are some major differences, which will have a very real impact on your business.
- What’s classified as personal data? The scope increases!
Firstly, the GDPR definition of personal data differs from the DPA's to reflect more modern, connected times, and includes online personal information such as IP addresses.
Other information that is now also classed as personal data includes the following:
- Economic information
- Cultural details
- Mental health information
- ‘Pseudonymised’ data (for example, social media usernames or other online personas), provided the individual can be easily identified from it
As a general rule, it’s best to assume that if a person can be identified from the information you hold about them (e.g. name, telephone number, address, IP address), then it is classed as personal data under GDPR.
- You need to demonstrate your compliance with GDPR
Secondly, as well as the new personal data inclusions, one of the most notable additions is the accountability principle:
“The GDPR requires you to show how you comply with the principles – for example by documenting the decisions you take about a processing activity.” (GDPR Principles, Information Commissioner’s Office)
This could cause issues if you’re unable to show how you’re protecting the data you hold and how you are remaining compliant. It is one reason that print processes can come under scrutiny, especially if employees don’t think about what they’re printing and whether the data is protected under GDPR.
- New breach notification procedures are required - and there are time limits.
The third factor to consider under GDPR is the new rules that apply to breach notification:
“A notifiable breach has to be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it.”
“You should ensure that you have an internal breach reporting procedure in place. This will facilitate decision-making about whether you need to notify the relevant supervisory authority or the public. In light of the tight timescales for reporting a breach - it is important to have robust breach detection, investigation and internal reporting procedures in place.” (GDPR Breach Notification, Information Commissioner’s Office)
- The penalties have increased - and they could prove disastrous.
The last thing any company needs is an accidental breach (or an intended data leak) by an employee that results in a large fine, a PR disaster and a lot of lost credibility.
The GDPR fines alone are enough to put some companies out of business, amounting to as much as €20 million or 4% of global annual turnover (whichever is greater).
It’s worrying to think that all of this can be the result of a poorly protected printing process.
How to keep printing & document processes GDPR compliant
To keep business operations and printing processes compliant, companies need a robust strategy to:
- Protect sensitive information they may hold in digital format, and prevent access to it by unauthorised individuals or those who don’t require it for legitimate business purposes.
- Prevent sensitive data from being printed at all, whether on purpose or inadvertently, by those who may or may not have access to it.
- Detect possible breaches quickly and easily, in case they take place despite best efforts.
- Have documented processes in place to illustrate compliance and accountability for all of the above.
Many companies already put in place network security to stop intruders accessing data and information and this is a great starting point. Unfortunately, network security alone doesn’t prevent data being breached from the inside and doesn’t protect in-house printing of sensitive data. So how do you stop this from happening?
How do you stop documents being printed?
Everyone knows that modern multifunctional devices come with in-built security features like data encryption and image overwrite. Xerox devices even go so far as to include Cisco TrustSec to protect data paths, and McAfee whitelisting as standard on many devices.
Rules, restrictions and rights in your file structure or document management systems will help prevent unauthorised people from accessing your data, and card-based printing goes a long way to help with transparency and accountability.
But this alone is not enough to protect yourself under GDPR - one of the most common causes of data breaches is the inadvertent or accidental sharing of data, especially information printed on paper, which has been traditionally very difficult to prevent.
This is where things get smart. Using an advanced solution, it’s possible to automatically analyse print, scan and copy streams to detect and block the printing of any sensitive data before it is released by the printing device. It’s even possible to redact sensitive data from the document being printed, copied or scanned, without affecting the master document and without the need for any manual intervention.
In addition, overlays such as security stamps can be added as a rule when sensitive data is detected in a document, or alternative workflows can be triggered to send the document to a secure location for review before permission is granted to print it, copy it or release the scanned file.
Going one step further, security alerts can be triggered so that those in charge of compliance are aware of what is being printed and who is trying to print it. This could also be used to automate your breach notification procedure (e.g. an email is triggered each time a print is prevented or released with redacted data).
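As an added illustration, not code from the original post or from any vendor's product, the following Python sketch models the inspection step described above: it scans a print job's text for the kinds of personal data the post lists (e-mail addresses, phone numbers, IP addresses), redacts or blocks the job, stamps redacted output, and emits an alert record for the compliance team. The detection patterns, the block threshold and the sample job are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed detection rules for the kinds of personal data the post lists.
# A real print-stream inspector would use a far richer rule set; these
# patterns are assumptions for illustration only.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "uk_phone": re.compile(r"\b0\d{4}\s?\d{6}\b"),
}

# Constructed sample print job containing several kinds of personal data.
SAMPLE_JOB = ("Customer: Jane Doe\nEmail: jane.doe@example.com\n"
              "Phone: 01234 567890\nLast login from 192.168.1.10\n")


@dataclass
class Decision:
    action: str                                   # "release", "redact" or "block"
    output: str                                   # text actually sent to the device
    findings: dict = field(default_factory=dict)  # rule name -> number of matches
    alerts: list = field(default_factory=list)    # events for the compliance team


def inspect_print_job(text, user, policy="redact", block_threshold=3):
    """Inspect a job before release. policy="redact" masks matches and stamps
    the output; policy="block" (or too many findings) stops the job entirely.
    Any finding produces an alert record for the breach-notification process."""
    findings, output = {}, text
    for name, pattern in PATTERNS.items():
        hits = pattern.findall(text)
        if hits:
            findings[name] = len(hits)
            output = pattern.sub(f"[REDACTED {name}]", output)
    if not findings:
        return Decision("release", text)          # clean job: unchanged
    if policy == "block" or sum(findings.values()) >= block_threshold:
        action, output = "block", ""              # nothing reaches the device
    else:
        action = "redact"                         # security stamp as an overlay
        output = "CONFIDENTIAL - personal data redacted before printing\n" + output
    alert = {"user": user, "action": action, "findings": findings}
    return Decision(action, output, findings, [alert])


if __name__ == "__main__":
    print(inspect_print_job(SAMPLE_JOB, user="jdoe"))
```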
This isn’t something every print management application can do, but with an advanced setup you can ensure sensitive data isn’t being printed, helping you to remain compliant with GDPR when it comes to printing processes.
With GDPR in place, it’s important to consider the business operations and processes that could cause an associated risk, including print.