Is your printer a GDPR danger zone?
For many SMEs, dealing with sensitive information is just another part of everyday operations. Whether you work within retail, healthcare, security, professional services, law or finance – or pretty much any industry, to be honest! – the chances are you’ll handle some form of personal data in your day-to-day work activities.
You may have heard of a little thing called the General Data Protection Regulation (GDPR), a new piece of legislation devised to uphold the rights of individuals when it comes to how this information is obtained, stored and processed. With the regulation set to come into effect on 25 May this year, businesses across the EU – and the rest of the world – are now scrabbling around trying to prepare themselves for the changes as we speak.
You’re probably in the middle of your own preparations too (or at least you should be) – but have you thought about the part your printer plays yet?
Data isn’t just digital
A key element of the new regulation is that personal data must be processed in a way that keeps it secure. As stated by the ICO, this means organisations need to have adequate technical and organisational measures in place, to protect against unlawful/unauthorised processing and the accidental loss, destruction or damage of data.
So what does this actually mean within a typical office environment?
Well for a start, it’s important to be aware that the data that needs safeguarding isn’t just digital – anything that’s down on paper counts too, whether handwritten or printed. This might be in the form of customer names, addresses and phone numbers, or information relating to employees and job applicants. But whatever guise this data takes, the importance of protecting it remains the same.
Protecting your printer
The chances of you writing an entire customer database out by hand are admittedly slim to none – but think about how many times you print documents containing personal information. What if this fell into the wrong hands and the data was misused in some way?
Even if everyone in your office has their own personal printer, or keeps eyes on the communal machine at all times and can make sure no one intercepts the sensitive documents they print, security measures should still be taken where possible.
If your tech is up to speed, you should set all employees up with unique passwords or PINs, to ensure that only the person printing can access the final documents. Of course, it’s only with more advanced machines that you’ll be able to implement such protective measures – and these fancy printers have additional GDPR obstacles of their own.
Falling within the bracket of multi-functional peripherals (MFPs), many of these can perform printing, faxing, scanning and copying functions via a WiFi connection. Not only are these linked to a company’s internal network, but they are often also accessible through employees’ various smart devices.
Smart doesn’t mean secure
Such advanced capabilities as these create security issues of their own. As we’ve explored previously, any device that’s linked to the internet is vulnerable to hacking, so it’s likely that the biggest security threats are lurking beyond your office walls. The failure to put effective protection in place could therefore lead to unauthorised users accessing the printer network – and any sensitive documents that have been sent to it too.
Plus, additional advanced features including the ability to scan to email/cloud/internal storage could also be exploited. If an untrusted user manages to hack into the network, for example, they could use these facilities to steal personal information in bulk and even redirect future communications to external addresses.
So, for machines empowered with these capabilities, it’s crucial that security isn’t overlooked. Make sure you change the default logins and passwords, as leaving them unchanged makes the machine an easy target for cyber-attackers. Your WiFi network should be secured with effective authentication keys anyway, but this is another example of why configuring your connection settings properly is so important.
Keeping it confidential
It’s also worth mentioning that how you dispose of any sensitive printed documents is crucial to GDPR compliance too. Confidential waste management has become something of a hot topic since the legislation started hitting the headlines and, according to recent research, almost a third of UK SMEs are still failing to shred printed documentation containing personal/sensitive information.
It might seem unlikely that a misplaced mailing list or document containing phone numbers could cause much lasting damage, but what about things like passport numbers or home addresses? It’s a worst-case scenario, but enough leaked snippets of individually identifiable data can add up to far bigger problems, such as identity theft. So make sure you have a shredding policy in place – and that your employees stick to it!
For further advice on how to ensure your SME’s processes are compliant with the GDPR, check out our other blogs on the topic here! And if you’re in need of some one-to-one advice, just give us a shout.