A guide to understanding the implications of GDPR on print and document management

Transcription

1 There are better ways to ensure your documents and print are GDPR compliant A guide to understanding the implications of GDPR on print and document management

2 What is GDPR? f f General Data Protection Regulation Comes into eect on 25th May 2018 f f Aects how organisations process personally identifiable information Organisations must now demonstrate they have taken the correct, pre-emptive actions to protect personal data appropriately Additional emphasis on putting procedures in place to detect and investigate personal data breaches as well as the legal requirement to report them within 72 hours f f Failure to comply may result in a potential fine of up to 4% of annual revenue or 20M whichever is the lesser figure IDC found that over 50% of IT decision makers thought GDPR excluded print 1 Areas to consider: With many organisations still reliant on printing, scanning and faxing to support key business processes, it is essential that any meaningful measures towards GDPR compliance must take into account protection of networked printers and MFPs. End point Security Networked printers and multifunction devices (MFDs) are often overlooked when it comes to wider information security measures. Yet these devices store and process data, and as intelligent devices have the same security vulnerabilities as any other networked endpoint. With Quocirca s recent research revealing that 61% of large organisations have admitted to a print-related data breach 2, organisations cannot aord to be complacent. Today s smart MFDs have evolved into sophisticated document processing hubs that in addition to print and copy, enable the capture, routing and storage of information. However, as intelligent networked devices, they have several points of vulnerability. A printer or MFD could be regarded as an Internet of Things (IoT) device and as such, left unsecured, is an open door into the entire corporate network.

3 As critical endpoints, printers and MFDs must be part an overall information security strategy. This should ensure that all networked printers and MFDs are protected at a device, document and user level. This means, for instance, that data is encrypted in transmission, hard drives are encrypted and overwritten, and devices are protected from malicious malware. Given the complexity of print security in large organisations, particularly those with a diverse fleet, Quocirca recommends the first step for companies is to undertake a comprehensive security assessment to understand the internal and external risks and the risk of unprotected data on printer/mfds 2. Organisations should select vendors that can address both legacy and new devices and oer solutions for encryption, fleet visibility and intelligent tracking of all device usage. A common misconception is that endpoint security is suicient for GDPR compliance. But to protect personal data you must consider how documents are being printed, how documents are moving around your organisation and how employees are sharing them. Print Management Print management solutions not only provide the means to print securely, but also provide: The ability to release print jobs in a secure manner based on user authentication The flexibility and convenience for users to collect print jobs from any enabled device The ability to track and report on usage providing accountability Job detail masking which means sensitive print jobs are invisible Content checking and redaction before documents are printed protecting sensitive data Ability to prevent unauthorised access to devices It is also worth considering USB printing devices, these are typically located in private oices of senior sta. Although usually more diicult to access, they too should be considered with GDPR in mind. Xeretec oers a portfolio of print management solutions including: Equitrac, PaperCut and SafeCom. Our experienced technical team can advise on which solution will best suit your business needs.

4 GDPR demands the right to be forgotten. Scanning solutions have the ability to identify and remove key words, phrases and patterns with a full audit trail. Scanning and document management Fax solutions We all know is not particularly secure and it creates duplicate versions. However, Scan to is the most popular scanning function on an MFD. This can result in your business documents being in multiple places with no audit trail or visibility of who has access. Document management solutions allow users to send and store documents directly to centralised folders or to individuals. Xeretec oers a portfolio of scanning and document management solutions including: DocuShare, AutoStore, ecopy and Output Manager. Government, finance and healthcare are sectors that still rely heavily on fax. Often incoming fax transmissions from or to traditional fax machines will result in unattended documents. Secure fax solutions send and receive faxes directly to designated individuals removing the risk of unattended printed output. Xeretec oers a highly recommended fax solution XMedius.

5 Important steps to take: Assessment In order to identify potential risk areas, we would recommend undertaking a full security assessment of the printer infrastructure to identify any security gaps in the existing device fleet. This should be part of the broader Data Protection Impact Assessment (DPIA) that an organisation may conduct internally or using external providers. Recommendations can be made for ensuring all devices use data encryption, user access control and features such as hardware disk overwrite (erasing information stored on the MFD hard disk). Also, look to use endpoint data loss prevention (DLP) tools at this stage to gain insight as to what information could be transferring via an MFD (for instance scanning personal information via the MFD to or cloud storage). Our in-house software development team have developed a dynamic business analytical platform called Vision to provide you with a detailed view of your print environment, without the need for endless spreadsheets and reports. It combines analytics with powerful what if scenarios that enable Vision to easily identify ineiciencies and provide solutions for a more eective Managed Print Service. Monitoring and Reporting In order to monitor and detect breaches, ongoing and proactive monitoring ensures devices are being used appropriately in accordance with organisational policies. More advanced print security controls use run-time intrusion detection. Integration with Security Information and Event Management (SIEM) systems can help accelerate the time to identify and respond to a data breach, which is key to GDPR compliance. You could also consider third-party managed services support in order to streamline data logging and security intelligence gathering. GDPR s demanding reporting requirements can be addressed through reporting usage by device and user. This will highlight any non-compliant behavior or gaps in controls so that they can be identified and addressed, and allow audit trails to be created to support the demonstration of compliance. Conclusion If you are just considering end point security as part of your GDPR compliance plans you may be overlooking areas that put your business at risk of a breach. Our technical team can help you proactively assess your security, print and document management processes and recommend solutions to address potential risks. Ultimately print and document security is part of a broader GDPR compliance exercise, and it is vital that organisations act now to evaluate the security of their print infrastructure.

6 For more information: Please visit For more general information about GDPR visit: Xeretec is a leading integrator of digital print hardware, software, solutions and services, supporting the print needs of businesses across the UK, Ireland and Western Europe. Established in 1991, Xeretec has grown to become both Xerox s largest UK managed print service provider and its largest reseller in Western Europe in terms of scale, enhanced Managed Print Services and heavy and light production print technology. Xeretec Ltd Xeretec Xeretec 1 -IDC GDPR Awareness and the Role of Print #EMEA (June 2017) 2 - Quocirca: Managed Print Services Landscape, 2017 xeretec.co.uk Xeretec.