GDPR doesn't just apply to digital data

GDPR came into force on 25 May, giving individuals new rights and businesses new obligations when it comes to personal data. GDPR affects all personal data that companies handle, setting out new rules about what can be stored and processed and for how long, plus the responsibilities they have in terms of managing and safeguarding it. By now, most businesses will be aware of the headlines: the new rights individuals have to have a copy of their data, or to have that data erased; the controls over retention and future exploitation; the new penalties that can kick in in the event of a breach. Yet there's one aspect of GDPR that's often overlooked: that it doesn't just affect information stored within digital systems, but also data stored or shared on paper.

It's understandable that companies are focusing on digital data, yet there's a real danger that, by ignoring paper-based files, photocopies and print-outs, businesses could still fail to comply or put themselves at risk of penalties. Of 598 data security incidents recorded by the UK's Information Commissioner's Office between July 2016 and September 2016, 40% involved paperwork, including loss or theft, posting or faxing to the wrong recipient, poor disposal or paperwork abandoned in an insecure location.

Breaking down the problem

GDPR doesn't apply to all paper-based documents. Specifically, it applies to files stored electronically within a system or files stored in a paper-based filing system that's structured and accessible according to specific criteria. In other words, some notes or a memo left on a printer probably wouldn't be covered by the new regulations, but if filed away in a customer's file or printed from an existing database, then GDPR would still apply. Files in a filing cabinet or archive, employee expense records, medical notes, filed documents and a company's HR records are all covered, whether or not they exist in a digital format.

What's more, paper is a key on- and off-ramp for digital systems. Forms and paper documents may be scanned and the data processed or archived, or photocopied and the copies distributed or stored. Documents, query results and reports can be printed or removed from the building, meaning printers and scanners need just as much protection as any laptop or PC. In fact, they've become a tempting and viable target for hackers, partly because so many sensitive documents pass through them.

The first problem for businesses is that GDPR includes strict policies around data retention: companies need to manage their paper-based documents and ensure that information stored is only retained for an appropriate period and used in an appropriate way. Problem two is that the rights that apply to digital data also apply to paper-based documents; individuals have the right to get a copy of the information and take it elsewhere, and also the right to have the information a company holds on them erased. Problem three is that any information held on paper is still subject to the implementation of appropriate safeguards: it needs to be protected.

This opens up some pretty big challenges for businesses. Simply keeping track of the information stored on paper is a big ask, particularly when we're talking about being able to find all data relating to an individual and copy or delete it. Safeguarding and managing access to that information isn't any easier, and few companies even think about how they secure their printers and scanners, so that paper-based documents can't cause a breach.

Taking control

What, then, can businesses do to ensure that paper doesn't become part of a GDPR nightmare? For a start, they need to get to grips with their paper-based data, auditing what's stored or processed, where this happens, and how printing and scanning works as part of the general flow of information through the company. The ideal is a comprehensive map of where this information is stored, how it's used, archived and deleted, and who has access and responsibility for managing it.

Secondly, companies need a way to index and search through their paper-based documents, so that they can live up to their GDPR obligations. This might be tied in with a digitisation project using a document-management solution and multi-function printers; digitising and archiving paper files is a good way to make them more searchable and manageable, not to mention finding new ways to use the information held within.

Thirdly, GDPR is a great opportunity to review who has access rights to your paper-based documents, and whether and how these documents are copied. As a general rule, it makes sense to restrict access and scanning/copying capabilities to those who need them, and to ensure you have systems in place to track activities. What's more, it's an opportunity to rethink retention. While there are legal obligations within some industries, it makes sense to store only what you have to and shred it securely when no longer needed.

Guarding the gateways

Perhaps the most important step is to take control of printers, copiers, multi-function devices and overall print security, so that these devices are no longer the weak point in your information security strategy. This might involve the following:

  • Defining clear policies for printer and scanner security, then ensuring that all teams know what these are and why they're important. Once they understand why printed document security is crucial, staff are less likely to abandon print jobs at the printer or leave a sensitive document in an insecure location.
  • Using modern, enterprise-grade devices that support features like pull printing. With pull printing, users can set a document to print from their laptop or desktop PC, but the document won't print until authenticated with a token or PIN code at the printer. This helps ensure that print jobs aren't left sitting in the out-tray or taken by someone who shouldn't have access to them. These features are standard in HP's LaserJet and PageWide office printers.
  • Deploying printer management software and ensuring that printers tie into a Security Information and Event Management solution, covering the entire business infrastructure. This gives you an audit trail of what's being scanned or printed and by whom, and makes it easier to track issues, speed up remediation and support compliance.
  • Using devices that are themselves hardened against attack, with features like secure, self-healing BIOS, firmware whitelisting, intrusion detection and file encryption, plus built-in support for security management and compliance tools. With mature security features built in, HP's latest LaserJet and PageWide office printers form a key part of a more robust approach to printed document security.

Technology alone won't fix a company's GDPR paper problem, but with the right hardware and the right software tools, it becomes much easier to monitor, audit and manage the flow of paper-based data. While GDPR might already be in effect, it's not too late for businesses to recognise the issue and remediate.


ITPro
