The General Data Protection Regulation (GDPR) applies from 25 May 2018. The legislation focuses on the use, storage and protection of personal data, defined as any information relating to an identified or identifiable natural person. This includes, but is not limited to, the below:
In short, if your organisation has customers or suppliers, or sends and receives email, this legislation applies to you.
Unlike the Data Protection Directive it replaces, the GDPR is a regulation rather than a directive: it applies directly in every EU member state without needing to be transposed into national law, and (despite the Brexit vote) it applied in the UK from the same date. The Directive was adopted in 1995, before smartphones, cloud services and always-connected devices were commonplace, hence the need for an update. The GDPR seeks to ensure that, with more systems holding personal data and more ways to reach them than ever before, that data is suitably protected.
GDPR and accountability
The consequences of non-compliance with the GDPR are severe. An organisation in breach can be fined up to 4% of its annual worldwide turnover or 20 million euros, whichever is higher, a penalty very few organisations can take lightly. The maximum is the same regardless of organisational size, so for a small business a breach could be devastating.
How does GDPR involve print?
Printers, photocopiers and multifunction devices are now smart devices and network endpoints in their own right. To make information easier to access and move around, modern printers are given broad access to company networks: they accept jobs from every workstation, and scan-to-email and scan-to-folder features often leave them holding credentials for mail servers and file shares.
A large share of successful intrusions begin at an improperly secured endpoint. The WannaCry outbreak that hit the NHS is the best-known example: it spread between machines by exploiting a flaw in the legacy SMBv1 protocol (patched by Microsoft in MS17-010), a protocol still enabled on many networked printers, print servers and other devices. A practical check is to disable SMBv1 on print servers and workstations and to identify any device on the network that still negotiates it; a device that cannot be patched or reconfigured should be isolated on its own network segment.
But it is not only external attackers your organisation needs to worry about; there is also human error and malicious activity from within. Many organisations do not use user authentication or “pull printing” for collecting documents, so a printed document can sit in the output tray waiting to be collected, or be picked up by the wrong person by accident. Beyond the waste, this is a security exposure: it takes only one sensitive document being taken by the wrong or an unauthorised person, whether by accident or on purpose, and you have a personal data breach, which under the GDPR may have to be reported to the supervisory authority within 72 hours.
The GDPR also promotes accountability in these situations, yet many organisations do not monitor individual print activity. If a sensitive document is printed and then finds its way into unauthorised hands, there is no audit trail: no way to trace who printed it, who collected it or where it went, and therefore little chance of containing the misuse of the information it contains.
Most modern printers contain hard disks or flash memory plus the hardware to spool, handle and process jobs; if that storage is not properly secured it is a significant risk to data security. Spooled jobs and scan caches can be read by an attacker who reaches the device over the network, and when the machine is sold, returned at the end of a lease, exchanged or otherwise disposed of, whatever is still on the disk can be recovered by the next owner. That can include a complete history of the documents printed and the information in them. Storage on such devices should be encrypted, and wiped before the device leaves your control.
What can I do to ensure my print operations are GDPR compliant?
United Carlton will be happy to work with you to design, implement and maintain a managed print service which minimises the threat of data breaches involving your printer fleet, by securing print data, reducing human error and providing fully-transparent accountability and reporting of your employees’ print activity.
Our latest print hardware contains encrypted storage with automatic secure deletion at end of life, so that information passing through the printer is not accessible to unauthorised third parties during or after the device’s lifecycle.
Pull-print and follow-me printing are included as standard with our managed print solutions, which come with a print management software suite such as Papercut: every document must be released at the device by the user who printed it, authenticated by an existing method such as a password or PIN, an ID card or fob, or a biometric reader.
Rules-based controls can restrict printing from certain applications, so that sensitive information is only printed by authorised individuals, departments and job functions; internal procedures and policies are still necessary for full compliance.
Full audit and reporting is also available with our print management software, with granular visibility of who printed what, when and where, which can help to provide accountability and transparency of user behaviour. As above, organisational policies are necessary for full compliance.
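As an added illustration of the pull-print and audit model described above (the uncollected-document exposure, the missing audit trail, release by the authenticated owner, and per-document reporting), the following example sketches the server-side logic. It is example code written for this page, not United Carlton’s or Papercut’s software; the hold time, user names, device names and documents are all constructed. A job is held until its owner authenticates at a device, a release attempt by anyone else is refused and recorded, jobs nobody collects are purged before they ever reach a tray, and every decision lands in an audit trail that can be queried per document.

```python
"""Minimal pull-print ("follow-me") queue with an audit trail.

Added example for this page, not vendor code. The hold time, users, devices
and document names below are constructed for the demo.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class PrintJob:
    job_id: int
    owner: str                          # authenticated identity of the submitter
    document: str
    submitted_at: datetime
    released_at: Optional[datetime] = None
    released_on: Optional[str] = None   # device the pages actually came out of


class PullPrintQueue:
    """Jobs stay on the server until their owner authenticates at a device.

    Every decision, granted or denied, is appended to self.audit so a document
    can later be traced to who printed it, who collected it and on which device.
    """

    def __init__(self, hold_for: timedelta = timedelta(hours=8)):
        self.hold_for = hold_for           # unclaimed jobs are deleted after this
        self.jobs: Dict[int, PrintJob] = {}
        self.audit: List[dict] = []
        self._next_id = 1

    def _log(self, event: str, **fields) -> None:
        self.audit.append({"event": event, **fields})

    def submit(self, user: str, document: str, now: datetime) -> int:
        job = PrintJob(self._next_id, user, document, now)
        self._next_id += 1
        self.jobs[job.job_id] = job
        self._log("submit", job_id=job.job_id, user=user, document=document,
                  at=now.isoformat())
        return job.job_id

    def release(self, job_id: int, user: str, device: str, now: datetime) -> bool:
        """Print a held job at `device`; only the authenticated owner may do so."""
        stamp = now.isoformat()
        job = self.jobs.get(job_id)
        if job is None or job.released_at is not None:
            self._log("release_denied", job_id=job_id, user=user, device=device,
                      reason="no such held job", at=stamp)
            return False
        if user != job.owner:
            # Wrong person at the device: nothing prints, and the attempt is recorded.
            self._log("release_denied", job_id=job_id, user=user, device=device,
                      reason="not the job owner", at=stamp)
            return False
        if now - job.submitted_at > self.hold_for:
            self._log("release_denied", job_id=job_id, user=user, device=device,
                      reason="job expired", at=stamp)
            del self.jobs[job_id]
            return False
        job.released_at, job.released_on = now, device
        self._log("release", job_id=job_id, user=user, device=device,
                  document=job.document, at=stamp)
        return True

    def purge_expired(self, now: datetime) -> List[int]:
        """Delete jobs nobody collected in time; they never reach an output tray."""
        expired = [j.job_id for j in self.jobs.values()
                   if j.released_at is None and now - j.submitted_at > self.hold_for]
        for job_id in expired:
            job = self.jobs.pop(job_id)
            self._log("purge", job_id=job_id, user=job.owner,
                      document=job.document, at=now.isoformat())
        return expired

    def trace(self, document: str) -> List[dict]:
        """Audit trail for one document: who printed it, who tried to collect it, where."""
        ids = {e["job_id"] for e in self.audit if e.get("document") == document}
        return [e for e in self.audit if e["job_id"] in ids]


def demo() -> dict:
    """Constructed scenario: a denied collection, a correct one, a late one and a purge."""
    t0 = datetime(2018, 5, 25, 9, 0)
    q = PullPrintQueue(hold_for=timedelta(hours=8))
    payroll = q.submit("alice", "payroll-may.pdf", t0)                     # job 1
    q.submit("carol", "contract-draft.docx", t0 + timedelta(minutes=5))    # job 2
    expenses = q.submit("dave", "expenses.xlsx", t0)                       # job 3
    bob_got_it = q.release(payroll, "bob", "mfd-floor2", t0 + timedelta(minutes=10))
    alice_got_it = q.release(payroll, "alice", "mfd-floor1", t0 + timedelta(minutes=12))
    dave_late = q.release(expenses, "dave", "mfd-floor1", t0 + timedelta(hours=9))
    purged = q.purge_expired(t0 + timedelta(hours=9))                      # carol never came
    return {
        "bob_got_it": bob_got_it,
        "alice_got_it": alice_got_it,
        "dave_late": dave_late,
        "purged": purged,
        "payroll_trail": [(e["event"], e["user"], e.get("device"))
                          for e in q.trace("payroll-may.pdf")],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the model is that the decision to print is taken at release time, against the identity authenticated at the device, never at submit time, and that the denied attempts are as valuable in the audit trail as the successful ones: a report of who tried to collect a payroll document at which device is exactly what an investigation needs.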
United Carlton will also train key users in using the solutions, the importance of compliance and how to avoid breaches; education is key to acceptance of and adherence to new procedures, and can significantly reduce human error.
11th April 2017 | Insights