Quocirca’s recent research reported that almost two thirds of large organisations have experienced a print-related data breach¹.
It is less than 7 months until the General Data Protection Regulation (GDPR) goes into effect. Are you ready? If you are like most organisations, the answer is probably no.
But with 100% compliance required on May 25, 2018, and fines for non-compliance of up to 2-4% of global revenue or 20m, whichever is higher, the pressure is on.
Networked printers and multifunction printers (MFPs) store and process data in the same way as other intelligent devices and share the same security vulnerabilities as any other networked endpoint, yet when it comes to wider security measures they are often overlooked.
Time is running out, so you need to ask yourself:
- What critical questions you need to answer under the GDPR
- Why data governance is critical to ensuring GDPR compliance
- How to implement a new approach to data protection and privacy
What is GDPR?
From 25th May 2018, any organisation that controls or processes personally identifiable information about EU citizens must have stringent organisational and technical measures in place (i.e. privacy by design) to comply with the GDPR.
- While GDPR is an EU regulation, it affects any organisation that handles the personally identifiable information of an EU-based individual, whether or not the organisation is based in the EU.
- The GDPR sets out a range of measures an organisation must take to protect personal data, including the appointment of a data protection officer where necessary, and the maintenance of detailed documentation to prove compliance.
- The GDPR focuses on the concept of accountability, shifting the burden of proof from individuals to organisations. Organisations must now demonstrate they have taken the right, pre-emptive actions to protect personal data appropriately.
Also included is the need to have robust procedures in place to detect and investigate personal data breaches, as well as to report them within 72 hours to the relevant authority and, in high-risk cases, to affected individuals. The GDPR also mandates the performance of a Data Protection Impact Assessment (DPIA). Organisations must formally establish how they process, store, share and dispose of personal and sensitive information and apply appropriate organisational and technical measures.
The new data security requirements of GDPR
GDPR (Article 32) motivates an organisation to find, implement and revise effective security measures in response to the rapidly changing threat landscape. While some organisations will implement technical measures directly, others will turn to third parties like us to help protect their data from unauthorised use, access, loss and corruption.
Amongst the technical and organisational measures enforced by the GDPR is the need to protect personal data against unauthorised processing and accidental leakage and theft. Preventing unauthorised access to electronic communications networks and the distribution of malicious code is a key part of the GDPR's network and information security requirements.
Organisations need to demonstrate complete control over information security in order to adhere to GDPR.
Securing the print environment
The MFPs of today are sophisticated document processing hubs that not only do the traditional printing and copying we are used to, but also enable the capture, routing and storage of information. These features have several points of vulnerability which, left unsecured, can leave an open door into your entire network, inadvertently giving access to unauthorised users.
The risks are real, as seen in recent Quocirca research indicating that almost two thirds of large organisations have suffered a print-related data breach.
Mitigating the print security risk and addressing GDPR compliance
- Assessment: A full security assessment of the printer infrastructure to identify any security gaps in the existing device fleet. Recommendations can be made for ensuring all devices use data encryption, user access control and features such as hardware disk overwrite (the erasure of information stored on the MFP hard disk). We can also look to use endpoint data loss prevention (DLP) tools to gain insight as to what likely PII could be transferring via an MFP (for instance scanning personal information via the MFP to email or cloud storage).
- Monitoring: In order to monitor and detect breaches, ongoing and proactive monitoring ensures devices are being used appropriately in accordance with organisational policies. More advanced print security controls use run-time intrusion detection. Integration with Security Information and Event Management (SIEM) systems can help accelerate the time to identify and respond to a data breach, which is key to GDPR compliance.
- Reporting: GDPR's demanding reporting requirements can be addressed through reporting usage by device and user. This will highlight any non-compliant behaviour or gaps in controls so that they can be identified and addressed, and allow audit trails to be created to support the demonstration of compliance.
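The Monitoring and Reporting bullets above describe two concrete outputs: a usage report by device and user, and policy findings that can be forwarded to a SIEM. The script below is an added illustration and is not code from Retec Solutions or any MFP vendor. It assumes a hypothetical space-separated audit log format (timestamp, device, user, job type, page count, destination); the sample lines, the device names, the `example.com` domain and the `POLICY` thresholds are all constructed for the example. It builds the per-device, per-user usage report and flags jobs that fall outside policy (scan-to-email to an external domain, scan to an unapproved cloud target, unusually large jobs, and unauthenticated use), rendering each finding as a key=value line that a SIEM can ingest.

```python
"""Usage reporting and policy checks over constructed MFP audit log lines (added example)."""
from collections import Counter, defaultdict
import re

# Constructed sample audit records in a hypothetical format (not real vendor output):
# <timestamp> <device> <user> <job_type> <pages> <destination>
# A user of "-" means the job was released without authentication.
SAMPLE_LOG = """\
2018-01-15T09:02:11Z mfp-lon-01 alice print 12 -
2018-01-15T09:05:40Z mfp-lon-01 bob scan_to_email 3 bob@example.com
2018-01-15T09:07:02Z mfp-lon-02 carol scan_to_email 45 carol.personal@gmail.com
2018-01-15T09:09:15Z mfp-lon-02 guest copy 200 -
2018-01-15T09:11:50Z mfp-lon-01 alice scan_to_cloud 8 dropbox
2018-01-15T09:12:03Z mfp-lon-01 - print 1 -
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) (?P<user>\S+) (?P<job>\S+) (?P<pages>\d+) (?P<dest>\S+)$"
)

# Assumed organisational policy values; a real deployment would source these from its own rules.
POLICY = {
    "internal_domain": "example.com",   # scan-to-email must stay inside this domain
    "allowed_cloud": {"sharepoint"},    # approved scan-to-cloud targets
    "max_pages_per_job": 100,           # larger jobs are reviewed as potential bulk exfiltration
    "unauthenticated_user": "-",        # marker the constructed log uses for anonymous jobs
}


def parse_log(text):
    """Parse the constructed audit format into dicts, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: ignore rather than abort the whole report
        rec = m.groupdict()
        rec["pages"] = int(rec["pages"])
        records.append(rec)
    return records


def usage_report(records):
    """Pages per device and per user: the 'usage by device and user' view for audit trails."""
    report = defaultdict(Counter)
    for r in records:
        report[r["device"]][r["user"]] += r["pages"]
    return {device: dict(users) for device, users in report.items()}


def find_violations(records, policy):
    """Return one finding per (record, rule) pair; a record can trigger several rules."""
    findings = []
    for r in records:
        rules = []
        if r["user"] == policy["unauthenticated_user"]:
            rules.append("unauthenticated")
        if r["job"] == "scan_to_email" and not r["dest"].lower().endswith(
            "@" + policy["internal_domain"]
        ):
            rules.append("external_email")
        if r["job"] == "scan_to_cloud" and r["dest"] not in policy["allowed_cloud"]:
            rules.append("unapproved_cloud")
        if r["pages"] > policy["max_pages_per_job"]:
            rules.append("bulk_job")
        for rule in rules:
            findings.append({"rule": rule, **r})
    return findings


def to_siem_event(finding):
    """Render a finding as a single key=value line suitable for syslog forwarding to a SIEM."""
    fields = ["ts", "device", "user", "job", "pages", "dest", "rule"]
    return " ".join(f"{k}={finding[k]}" for k in fields)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for device, users in usage_report(recs).items():
        print(device, users)
    for f in find_violations(recs, POLICY):
        print(to_siem_event(f))
```

The report feeds the audit-trail requirement, while the findings are what the SIEM integration mentioned above would carry: forwarding `to_siem_event` lines over syslog lets the SIEM correlate an external scan-to-email with other signals (such as the same user's DLP alerts) and measure the detection-to-response time that the 72-hour reporting window depends on.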
GDPR is coming and organisations need to move quickly to put appropriate measures in place. For more information on the steps that should be taken to protect the print environment in light of GDPR, please contact:
Lee Young @ Retec Solutions on 03300 580 011