With the 25 May 2018 deadline for GDPR compliance on the horizon, asking the right questions now could save a headache – and hefty fines – for organisations in the long term.
With this in mind, KYOCERA Document Solutions has produced the following guide which tackles the main questions that businesses should be asking, from the most essential information on what GDPR is to the easily overlooked implications of the regulation on printer security and data management.
1. What is GDPR?
GDPR stands for General Data Protection Regulation and is the new European Union Regulation set to replace the Data Protection Directive (DPD) and the UK Data Protection Act 1998. It was approved by the EU Parliament on April 14th 2016 and covers the protection of personal data and the rights of individuals. Its aim is to ease the flow of personal data across the 28 EU member states.
2. When is GDPR coming into effect?
The GDPR became law in April 2016, but given the significant changes some organisations will need to make to align with the regulation, a two-year transition period was agreed.
GDPR will be enforceable throughout Europe starting on 25th May 2018.
3. Who does GDPR affect?
GDPR is applicable to any organisation which processes and holds the personal data of subjects residing in the EU. This means that it will also apply to organisations outside Europe – wherever the data may be stored and/or processed.
GDPR is also a regulation rather than a directive, so the same text applies directly in all 28 EU member states: there are no local clones or national interpretations of the regulation.
The regulation identifies two different roles, data controllers and data processors, both of which are equally liable and must demonstrate compliance with GDPR by maintaining detailed records of their processing activities.
A data controller can be defined as the individual or legal person who controls and is responsible for the keeping and use of personal information. A data processor, on the other hand, is the individual, public authority, agency or other body, which processes personal data on behalf of the data controller.
4. What constitutes personal data?
Personal data can be defined as information that relates to a person or ‘data subject’ that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, social network posts, or medical information.
Even information that you may not consider ‘personal data’, such as computer IP addresses or mobile device IDs, is subject to the same law and must be protected accordingly.
Genetic data and biometric data such as fingerprints are also treated as sensitive personal data under GDPR.
5. What are the penalties for non-compliance?
The maximum fine that can be imposed for the most serious infringements is €20 million or 4 per cent of annual global turnover – whichever is higher – for any personal data breaches resulting from non-compliance. To put this into perspective, the current maximum fine that the UK Information Commissioner’s Office can levy is £500,000, so the new regulation represents a significantly greater penalty.
Not all fines stand to be this large. There is a tiered approach to fines that depends on the severity of the breach. The chances of being fined are reduced if the organisation is able to demonstrate that a “secure breach” has taken place.
Ultimately, it is crucial that businesses understand that the fines for a data breach under GDPR are potentially huge and being non-compliant could lead to severe financial difficulties.
6. Do I need to appoint a Data Protection Officer (DPO)?
Not every business will need to appoint a DPO. It is only mandatory for organisations that deal with ‘large scale’ systematic monitoring of individuals, ‘large scale’ processing of sensitive data, or public authorities.
Regardless of whether the GDPR obliges you to appoint a DPO, it is advisable to have someone on your team that can fulfil this role, perhaps on a part-time basis or combined with other duties.
For organisations where a DPO is required, it’s important to note that this doesn’t necessarily have to be a full-time employee of the organisation. This function can be outsourced, if required.
The DPO must however have an independent reporting line (like most compliance officers), be empowered, and report directly to the Board without interference.
The appointed person must be a data protection professional with ‘expert’ knowledge of data protection law and practices to perform their duties and ensure the organisation achieves and maintains compliance.
7. What technologies can organisations implement to help achieve compliance?
Over and above the initial awareness required and the definition of an approach to tackle this issue, part of the solution may be to implement a document/content management system.
Encryption, including PC, server, network and printer hard drive encryption, is also likely to minimise the impact of a data breach. Such tools also automate parts of personal data processing – identification, classification, monitoring and tracking – as well as the deletion and retention timescales required to meet GDPR timelines and guidelines.
To address the GDPR compliance requirements, organisations may need to employ one or more different encryption methods within both on-premise and cloud environments, including the following:
- Servers, including via file, application, database, and full disk virtual machine encryption;
- PC and peripheral hard drives, including those found in printers, through encryption;
- Storage, including through network-attached storage and storage area network encryption; and
- Networks, for example through high-speed network encryption such as VPNs.
8. Could my printer be a weak spot when it comes to security and protecting data?
Today’s office printers and MFPs have come a long way from the basic standalone devices that once existed. They are now intelligent networked assets that, like a PC, contain a screen, a keyboard, a hard drive (which can potentially store sensitive information) and an Operating System (OS).
Increased cybercriminal activity is highlighting networked devices, including printers, as weak links in the defence against corporate data theft and malicious attack. Printers that are not properly managed have vulnerabilities which, if exploited, can allow attackers to breach a business’ network.
9. How can I address these security threats?
Thanks to many innovative in-built security measures, KYOCERA MFPs are well-equipped to help with GDPR compliance.
Plenty of additional print, scan and copy security tools are also available, helping to make print and document management more secure. Examples include biometric identification and user authentication, such as KYOCERA Net Manager, which only releases print jobs once a user has identified themselves at an MFP, as well as data encryption, data overwriting and automatic deletion processes.
Many enterprises overlook printer security and could therefore be infected by malware that ends up compromising the entire network. To make sure that the network is prepared for GDPR, organisations must take immediate action to incorporate MFPs into their overall data protection strategy.
10. What steps can I take to improve data management for GDPR?
Implementing one or more technical solutions will make compliance with GDPR easier and more efficient than manual processing. It is also probably the most cost-effective way to progress, taking into consideration the following GDPR requirements:
- data accuracy
- immediate access
- data retention and erasure
Many companies will not know how to approach and start classifying data, which may be stored across many IT systems. There are many automated data classification and processing technologies now available on the market, including those from KYOCERA, that can be used as a solution in this area.
GDPR also provides a good opportunity to cut down on paper-based records, which are harder to keep track of and could put you in breach of the consumer’s “right to be forgotten” if you are unable to find and amend these documents due to disorganised filing systems.
By integrating a multifunction system into the workflow for scanning documents, you can transfer paper-based documents to electronic files quickly, easily and securely.
Where can I find more information on GDPR?