Sponsored

GDPR doesn't just apply to digital data

If you think GDPR only covers digital systems, it’s time to think again.

GDPR came into force on 25 May, giving individuals new rights and businesses new obligations when it comes to personal data. GDPR affects all personal data that companies handle, setting out new rules about what can be stored and processed and for how long, plus the responsibilities they have in terms of managing and safeguarding it. By now, most businesses will be aware of the headlines: the new rights individuals have to have a copy of their data, or to have that data erased; the controls over retention and future exploitation; the new penalties that can kick in in the event of a breach. Yet there's one aspect of GDPR that's often overlooked: that it doesn't just affect information stored within digital systems, but also data stored or shared on paper.

It's understandable that companies are focusing on digital data, yet there's a real danger that, by ignoring paper-based files, photocopies and print-outs, businesses could still fail to comply or put themselves at risk of penalties. Of 598 data security incidents recorded by the UK's Information Commissioner's Office between July 2016 and September 2016, 40% involved paperwork, including loss or theft, posting or faxing to the wrong recipient, poor disposal or paperwork abandoned in an insecure location.

Breaking down the problem

GDPR doesn't apply to all paper-based documents. Specifically, it applies to files stored electronically within a system or files stored in a paper-based filing system that's structured and accessible according to specific criteria. In other words, some notes or a memo left on a printer probably wouldn't be covered by the new regulations, but if filed away in a customer's file or printed from an existing database, then GDPR would still apply. Files in a filing cabinet or archive, employee expense records, medical notes, filed documents and a company's HR records are all covered, whether or not they exist in a digital format.


What's more, paper is a key on- and off-ramp for digital systems. Forms and paper documents may be scanned and the data processed or archived, or photocopied and the copies distributed or stored. Documents, query results and reports can be printed or removed from the building, meaning printers and scanners need just as much protection as any laptop or PC. In fact, they've become a tempting and viable target for hackers, partly because so many sensitive documents pass through them.

The first problem for businesses is that GDPR includes strict policies around data retention: companies need to manage their paper-based documents and ensure that information stored is only retained for an appropriate period and used in an appropriate way. Problem two is that the rights that apply to digital data also apply to paper-based documents; individuals have the right to get a copy of the information and take it elsewhere, and also the right to have the information a company holds on them erased. Problem three is that any information held on paper is still subject to the implementation of appropriate safeguards: it needs to be protected.

This opens up some pretty big challenges for businesses. Simply keeping track of the information stored on paper is a big ask, particularly when we're talking about being able to find all data relating to an individual and copying or deleting it. Safeguarding and managing access to that information isn't any easier, and few companies even think about how they secure their printers and scanners, so that paper-based documents can't cause a breach.

Taking control

What, then, can businesses do to ensure that paper doesn't become part of a GDPR nightmare? For a start, they need to get to grips with their paper-based data, auditing what's stored or processed, where this happens, and how printing and scanning works as part of the general flow of information through the company. The ideal is a comprehensive map of where this information is stored, how it's used, archived and deleted, and who has access and responsibility for managing it.

Secondly, companies need a way to index and search through their paper-based documents, so that they can live up to their GDPR obligations. This might be tied in with a digitisation project using a document-management solution and multi-function printers; digitising and archiving paper files is a good way to make them more searchable and manageable, not to mention find new ways to use the information held within.

Thirdly, GDPR is a great opportunity to review who has access rights to your paper-based documents, and whether and how these documents are copied. As a general rule, it makes sense to restrict access and scanning/copying capabilities to those who need them, and to ensure you have systems in place to track activities. What's more, it's an opportunity to rethink retention. While there are legal obligations within some industries, it makes sense to store only what you have to and shred it securely when no longer needed.

Guarding the gateways

Perhaps the most important step is to take control of printers, copiers, multi-function devices and overall print security, so that these devices are no longer the weak point in your information security strategy. This might involve the following:

  • Defining clear policies for printer and scanner security, then ensuring that all teams know what these are and why they're important. Once they understand why printed document security is crucial, staff are less likely to abandon print jobs at the printer or leave a sensitive document in an insecure location.
  • Using modern, enterprise-grade devices that support features like pull printing. With pull printing, users can set a document to print from their laptop or desktop PC, but the document won't print until authenticated with a token or PIN code at the printer. This helps ensure that print jobs aren't left sitting in the out-tray or taken by someone who shouldn't have access to them. These features are standard in HP's LaserJet and PageWide office printers.
  • Deploying printer management software and ensuring that printers tie into a Security Information and Event Management solution, covering the entire business infrastructure. This gives you an audit trail of what's being scanned or printed and by whom, and makes it easier to track issues, speed up remediation and support compliance.
  • Using devices that are themselves hardened against attack, with features like secure, self-healing BIOS, firmware whitelisting, intrusion detection and file encryption, plus built-in support for security management and compliance tools. With mature security features built in, HP's latest LaserJet and PageWide office printers form a key part of a more robust approach to printed document security.

Technology alone won't fix a company's GDPR paper problem, but with the right hardware and the right software tools, it becomes much easier to monitor, audit and manage the flow of paper-based data. While GDPR might already be in effect, it's not too late for businesses to recognise the issue and remediate.

Find out more about securing your business printer fleet by downloading IT Pro's free report.
