Search
The letters 'GDPR' are surrounded by cartoon images including a woman at a desk, a computer screen and a padlock.

General Data Protection Regulation

New rules came into play on 25 May 2018. Is your print fleet compliant?

Data Security

GDPR is about improving the safety of personal data, both for individuals and the businesses they use.

Why comply with GDPR?

GDPR can seem complex when looking at the extent of the legislation. Let us help you with your printer security vulnerabilities, and we can ease you through at least part of it!

Learn more about GDPR and Print

Back in 2018 we put together a summary of the GDPR and how it relates to your multifunction printers. It remains here (under the FAQs) for reference.

You’re probably aware that the Data Protection Act (DPA) of 1998 was superseded by the General Data Protection Regulation (GDPR), on 25 May 2018. GDPR is about putting the customer first; following the legislation is vital to protect your customers’ data and associated rights – not just because you risk huge financial and reputational consequences if you get it wrong.

It is essential to understand any security vulnerabilities in your existing print/scan/copy and CCM (Customer Communications Management) setup and address them. 

We’ve put together some information here to help you understand the GDPR, how it differs from the previous legislation in the DPA, and how solutions from First Copy can help you comply in the new legislative environment.

Please note that we cannot provide legal advice about the GDPR: we would direct you to the ICO and your legal representation for specific queries and have provided a ‘Further Reading’ section.

GDPR stands for General Data Protection Regulation. It applies to both data controllers and data processors. Simply put, controllers decide how and why data should be processed, and processors act on the controller’s behalf. The GDPR will apply to all organisations operating within the EU, as well as those outside it that offer goods or services to those inside. It has been confirmed that Brexit will have no impact on the commencement of the GDPR.

The GDPR, as the DPA, applies to the processing of personal data about a living person.  It covers the processing of personal data, including all automated and manual processing of that data. The existing principles of data protection stand and have been built on: you need to think about the information your business needs, how you store it (and how long for), and who is allowed access to it. You also need to consider how the data subject might access it, and their rights to see and influence what you keep.

Both controllers and processors could find themselves in breach of the Regulation and there is an obligation on both parties to ensure compliance. Processors have greater obligations under the GDPR than under the DPA, so it’s essential that your whole team understands the importance of information security. Non-compliance could result in significant fines.

A key thing your business needs to consider is what your lawful basis for processing personal data is – and therefore what rights individuals have to the data you collect, hold and use. For many businesses, as opposed to public authorities for example, consent is a necessary part of data processing. The GDPR makes a positive opt-in essential before you process data, and it must also be obvious how a person withdraws their consent for you to process their data, even if it’s as ‘simple’ as having you delete their email address from your mailing list.

This is a brief overview of your responsibilities as to how personal data should be treated. For more advice, see the ‘Further Reading’ section.

–       Data shall be processed lawfully, fairly, and in a transparent manner. Your organisation must only use data within the legislative framework, use it for the right reasons, and make sure that the data subject knows what you are going to do with it.

–       Data shall be used for a specified, explicit and legitimate purpose. It is not OK to use the same data for other things that have not been made clear to the data subject, or for anything incompatible with these values.

–       Data shall be adequate for its purpose, it must be relevant, and limited to what is necessary for its purpose. It is not acceptable to collect information you don’t need.

–       Data shall be accurate and kept up to date. You are required to take reasonable steps to erase out of date information, or update it if still relevant for its stated purpose.

–       Data shall be kept in a form by which individuals can be identified for no longer than necessary (some archiving in the public interest is allowed: see further reading).

–       Data shall be processed in a way that ensures appropriate security of personal data, including protection against unauthorised access or accidental loss.  

Much of this will be familiar from the DPA. Generally speaking, if your organisation relies on the consent of an individual to process their data, then they have stronger rights – for example, to ask you to delete the data you hold about them. Consent requires a positive opt-in (not pre-ticked boxes or something hidden in the terms and conditions), and you must provide an easy way for them to withdraw their consent. You do not need to refresh all existing consents ahead of the GDPR, but it makes sense to ensure you are meeting the standards from this point forward.

The GDPR brings a new accountability requirement: this is a big one. Practically speaking, you need to show HOW you comply with the principles. For example, you might document how you took the decisions you did about how to process the data you hold, ensure you record staff training, appoint a Data Protection Officer (DPO), ensure all breaches are notified and recorded within 72 hours, and hold internal audits. You also need to have proportionate governance measures in place to ensure privacy ‘by design and by default’. Essentially, you need to show that information security is not an afterthought in your processes.

First Copy cannot provide legal advice. If you would like to know more about the GDPR, we suggest visiting the following:

Overview of the General Data Protection Regulation (GDPR) from the ICO (Information Commissioner’s Office)

For specific legal queries about how the legistlation affects your business, contact your law firm.

You may also like to find a specialist in GDPR that can support you with audits and implementation.

Personal data refers to any information relating to an identified or identifiable natural person. This covers everything from their name and address to any identification number you might assign, or any piece of information relating to their physical, physiological, genetic, mental, economic, cultural or social identity. 

The GDPR widens the scope of personal data to include online identifiers like IP addresses, social networking profiles and the like, and it’s even possible that pseudonymised data could fall under the data protection banner if it can be attributed to a particular individual. 

And that’s not all – certain types of personal data are sensitive. Under the GDPR, this is called ‘special categories of personal data’, and, while the categories are similar to those under the DPA, they specifically include genetic data. 

There are few exceptions to the GDPR, but the law doesn’t apply to the processing of personal data by individuals for purely domestic or household functions, or to the processing of personal data for the purpose of national security.

In summary, an individual has the right to:

– Be informed. You need to provide them with processing information, typically through a concise and plainly-written privacy notice that makes it clear how you use their personal data.

– Access. Individuals can ask you to confirm you are using their data, and access that data. You can no longer charge for this and there are rules about turnaround times.

– Rectification. You can be asked to correct information that is inaccurate or incomplete, and must, where possible, inform any third parties that you have passed the information to.

– Erasure (to be forgotten). Essentially, this means you need to delete personal data if asked to if there is no compelling reason to keep it.

– Restrict processing. Individuals can suppress or block data processing. Practically, this means you can store the data but not perform any further processing.

– Data portability. An individual could ask to obtain and reuse their own personal data elsewhere – for example by inputting it into other applications or services.

– Object. This applies where a person’s data is being used for profiling, for direct marketing (this one is particularly relevant in the print industry) or for scientific or historical research.

– Question decisions taken without human intervention. If any of your processing is based on automated decision making, ensure that you have procedures in place to deal with decisions made that might be damaging in some way to an individual.

There are many things to think about when it comes to achieving compliance with the GDPR, but First Copy can help you address any vulnerabilities in your print infrastructure and processes. Your print fleet is a networked security endpoint, and it is vital that it doesn’t get overlooked in your office’s wider GDPR strategy.

Here are some areas to consider:

WHO CAN ACCESS DIGITAL DATA FROM YOUR MULTIFUNCTION PRINTER (MFP)? 

Ensure that you prevent unintended data breaches by making sure that prints are released on printer when needed instead of lying on the machine for anyone else to find. Jobs can be released by PIN or swipe card – a relatively simple way to make a big improvement in your data security processes. Additionally, think about the unintended consequences of an insecure system from a deliberate attempt to access data from your machine – ConnectKey’s security measures are benchmark. Xerox ConnectKey Technology-enabled devices have a four-point approach to security:

–       intrusion prevention (user authentication and access controls)

–       device detection (Firmware Verification and McAfee Whitelisting technology)

–       document and data protection (encryption and document release controls)

–       external partnerships (eg with McAfee)

HOW DO YOU FIND OUT ABOUT POSSIBLE BREACHES AND PREVENT THEM HAPPENING?

First Copy can advise you about intelligent automated workflow solutions which can flag up potential breaches quickly, and even directly to your Data Protection Officer (DPO). There are solutions available which can actually prevent sensitive data being printed automatically, either by stopping it being printed, scanned or photocopied, or by redacting the sensitive information before printing. Alternatively, you could choose that jobs are diverted to a secure server for review before they are actioned. Ask us about Xerox Solutions for Compliance Management and how they can mitigate your risks and help you maintain audit trails.

IS YOUR PRINTER FLEET STREAMLINED?

A mixture of types of machine with different security measures, updates and access points, can bring unintended security gaps. Ensuring your print network is up-to-date and fit for purpose, with the best endpoint security available, helps to avoid these issues. ConnectKey Technology can bring a consistent user experience and consistency to your entire fleet.

DO YOU KNOW WHERE YOUR EXISTING VULNERABILITIES ARE?

The first step to building a compliant print infrastructure is to understand where any current vulnerabilities exist. First Copy can help you assess your current environment (something which you might already be considering as part of an office-wide Data Protection Impact Assessment) to see what level/type of encryption, user access control and other solutions you currently have. 

WHAT PROCEDURES DO YOU HAVE IN PLACE FOR ONGOING MONITORING AND REPORTING?

Ask First Copy about solutions that offer proactive monitoring of documents being printed, scanned and copied, and how any potential breaches can be flagged.

Learn more about security and solutions

Xerox always puts security high on the list of its priorities for devices and services. Learn more below.

App icons appear suspended over a laptop keyboard.

Xerox ConnectKey Technology

With ConnectKey and the Xerox App Gallery, you get security on your device straight out of the box.

An internet search bar image layered over someone's hands typing on a laptop keyboard.

Xerox Workplace Solutions

Browse a selection of our most popular software and solutions; both cloud and on-premises options.

A series of industry icons.

Find Solutions for Your Industry

Our website includes dedicated pages for several sectors and verticals. Find yours here.

A blond woman in glasses wearing a yellow jumper works on a laptop in her dining room.

Read Our Latest App Posts

Find our most recent blog posts, news articles, case studies and more about apps.

Recent Posts About Security and GDPR

Ask for a quote today

Our specialists are standing by to help you understand your options.

Fill in this form, or call us on 01223 811311.