Is Your Printing GDPR Compliant? How to Get Ready for the Directive
What is GDPR?
The aim of the EU's General Data Protection Regulation (formal reference: Regulation (EU) 2016/679) is to protect the security of personal data and bring data protection law up to date with current, previously unforeseen ways in which data is collected, stored, and used.
The amount of personal data that businesses now store is vastly different from the data they stored in 1995. In 1995, search engines like Google, social networks like Facebook and digital marketing tools like Salesforce didn’t exist. The large volumes of data - Big Data - that these technologies generate were not adequately covered by existing regulations, so the GDPR was created to provide relevant regulation for today’s digital world.
The processing of personal data is the main subject of the GDPR. Nearly everything that can be done with personal data is classed as processing: for example, asking your customers for their email addresses, storing customer addresses in a database, or printing a list of customer names. Personal data now also includes any online identifier, such as an IP address.
Under the GDPR, as an individual, you can request a copy of any data that a business holds about you, and no data can legally be processed without your informed consent. This is to safeguard your rights as a 'data subject' and give you more say over how companies handle your data.
The GDPR brings tougher fines for non-compliance and breaches. Failure to comply will incur a potential fine of €20 million or 4% of a company's annual turnover - a good incentive for companies to take data protection seriously.
This new regulation will also make data protection law the same across the EU, helping to create a simpler system, especially for multinational businesses.
What the GDPR Means For SMEs
As a small to medium-sized enterprise or business, you will be expected to comply in full with the GDPR, as you did with your locally ratified version of the EU Data Protection Directive.
What the GDPR stipulates is that you should have “an effective, documented, auditable process in place for the collection, storage, and destruction of confidential information.” In very simple terms, you need to know where all your data is and that it is safe.
While a lot of the focus of the GDPR is on online data, it applies to data stored physically too, which means that businesses need to consider what happens to the information that they print, copy, scan and store in paper form. A good way to think about this is to consider every piece of information that passes through the printers and multi-function printers (MFPs) in the office.
Before you make any changes, it is useful to understand your current EU Data Protection Directive compliance, and then look at any additional actions you might need to be compliant with the GDPR.
Assigning a Controller and Processor
In the GDPR, and in all data protection regulation, there are important distinctions about the responsibilities of different people or companies, depending on what they do with data.
The Controller is the person or company who makes decisions about processing activities, that is, the natural or legal person within your organisation who, alone or jointly with others, determines the purposes and means of the processing of personal data.
The Processor is contracted by the Controller to perform the processing of personal data on the Controller's behalf. The Processor may be another person in the same company, or another company that the Controller sub-contracts.
While the Controller is strictly responsible for personal data, the Processor has many obligations under the GDPR as well, which create significant liability if not performed diligently and effectively.
Printing, scanning, copying, workflow and document management may not be the first thing that comes to mind when considering the GDPR, but these activities constitute “a processing” and are therefore subject to the Regulation the same as any other processing.
All businesses holding personal data, both Controllers and Processors, will be obligated to have appropriate security in place. Regardless of the GDPR, it is essential to have adequate security and back-ups in place to protect you from online attacks, which represent an increasing risk to all businesses.
Thinking about hard copies of information, documents left in printer output trays could be regarded as a breach of personal data, and so could unsecured recycling bins. Thinking about digital copies of information that you might not otherwise consider, your networked MFP could itself be a point of risk.
Insecure printers can be a target for hackers who might want to steal copies of documents or use your networked printer as a platform to attack other systems.
MFPs themselves are generally full-fledged networked computers, running operating systems such as Unix, Linux or Microsoft Windows and offering standard network communication capabilities. Not all network administrators consider this, but all attackers do.
Like all connected devices and their associated infrastructure, MFPs and printers represent an ‘attack surface’ for hackers; therefore, including them in security planning and audits needs to be a serious consideration in GDPR preparation.
Insecure printers risk misuse or disclosure of data (e.g. intruders obtaining copies of documents from device hard drives, or “eavesdropping” on typically insecure print traffic on the network) and give cybercriminals the opportunity to use the device as a platform to attack other systems (e.g. printers can be used as part of Denial of Service attacks).
How Sharp Solutions Can Help with GDPR Compliance
With less than a year to go until the GDPR comes into force, now is the time to get your business ready so that you can handle your customers’ data correctly.
Sharp offers a wide range of security solutions which can help. These range from security features built into Sharp’s MFP hardware to secure print management solutions, a cloud-based service for storing and sharing electronic files, and managed IT services including PC protection and secure back-up. Whatever your business size, we can help you protect your information without putting any extra burden on your team.
For more information, including Sharp’s security guide, visit our Information Security page.
European PR Manager