Mick Heys
Vice President, European Imaging, Printing and Document Solutions
Companies globally who store or process data on EU individuals have until 25th May 2018 to comply with the EU General Data Protection Regulation or they may face damaging fines. Breach notification is mandatory and the relevant authority must be notified within 72 hours. A data breach is defined as “the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stalled or otherwise processed.”
As IT organizations work on compliance, there is enormous focus on the electronic systems that store or process personal data. There is perhaps less emphasis on data created or stored on paper. However, it could be a costly mistake to ignore the print and paper processes used in your organization.
Audit companies that assess and advise on GDPR readiness and compliance have identified a common misunderstanding around the involvement and the extent to which printed material can be a risk.
“Any printed material which contains personal data is potentially classified as personally identifiable information (PII) under this new law – particularly so if it either contains special or sensitive personal information (such as details on health, race etc.) or is intended to form part of a filing system. Of course, appropriate security of this data is vital – and yet we typically find little real cradle-to-grave control over printed PII among the organizations we assess.”, says Peter Galdies, Development Director, DQM GRC.
It’s therefore important for organizations to understand that demonstrable and measurable control over all aspects of personal information management is vital for mitigating the consequences of any damaging data breach – including paying attention to the lifecycle and whereabouts of physical print.
The regulation mandates appropriate technical and organizational measures taking into account the “state of the art”, the cost, the nature scope and context of the data use and the associated risk. Companies need to start considering their current print and associated solutions and, if they are printing, copying or scanning any personal data, assess the associated risk and the security and audit features in relation to what would be deemed appropriate.
With a looming deadline and potential fines of 4% of global turnover or €20 million, (whichever the greater), it’s well worth looking at the GDPR requirements for print and paper in your organization now.
If you want to know more about IPDS and how it’s complying with EU Regulations, please contact Mick Heys.