Printing, document capture and compliance risk in the GDPR era
Printers, scanners and mobile devices that capture data from documents all store data in some way or other. How can you be sure to be compliant with GDPR with regard to that data?
From the point of view of compliance, printing and document capture devices are everywhere, and range from multi-functional printers and scanners to mobile devices carried by employees.
And every time a document is captured or printed it resides in storage on a device or somewhere else on the network. That risk needs to be dealt with, in terms of compliance.
In this podcast Mathieu Gorge, CEO of Vigitrust, talks about the risks inherent in an organisation’s printing and document capture environment – including from mobile devices – and how to incorporate it into your GDPR risk assessment strategy.
Antony Adshead: What are the storage and compliance concerns in printing and document capture?
Mathieu Gorge: First of all we should recognise that printing and document capture are the forgotten parts of the internal and distributed network from a compliance and storage perspective.
If we break it down, what really is printing and document capture? It’s essentially scanners, printers, whether networked or wireless, multi-functional printers/devices and mobile devices with cameras.
So, if I look at a standard multi-functional device, for example, it allows you to do printing, scanning, scan-to-fax, scan-to-email and follow-me printing, which was created by HP a few years ago.
Scan-to-fax and scan-to-email are where you scan a document and it automatically sends it to your fax machine or to your email. If you do that it means your document ends up on your mail server and also on your backups.
With regards to follow-me printing, the idea is that you send a document for printing to a queue, whether in the cloud or on the server within your network, and you maybe travel to another office, authenticate on the printer and the document is there so you don’t have to carry it with you.
As you can see, from a storage and compliance perspective, you start with one document and you end up with tens of versions of the document, which, again, end up being backed up.
Finally, from a mobile device perspective, all devices now come with cameras and it’s not unusual to use them to take a picture of a document and then email it or text it.
Again, that creates a headache from a compliance and storage perspective, because now the document is stored on a device and also on your network, and may also end up being stored on the network of the mobile provider.
And so from a GDPR perspective, it’s important to map out how you actually use those devices, where they are and if you are taking appropriate security measures to protect what is sent or transmitted or stored from the device.
Storage and compliance
Adshead: How do you ensure your printing and document capture environment is managed appropriately from a storage and compliance perspective?
Gorge: You need to make sure the printing and document capture environment is part of your risk strategy and of the technology that will protect your environment. And so if you look at GDPR again, it requires you to perform a privacy impact assessment (PIA), should you believe the information or the data being dealt with could be put at risk.
And if you look at a printer or multi-functional device that is networked there is potential risk, so you need to include that in your PIA. To do that you need to do an asset inventory that’s going to allow you to see at the click of a button all the scanners, IP printers, multi-functional devices and any type of mobile device whether it’s owned by the employee or the company.
The next thing you need to do is to put in technical security around this: firewalls, strong authentication, automatic purge of hard drives and so on. You can then train people so they understand the risks with regards to confidentiality, integrity and the availability of that data – the famous CIA concept – and provide them with dos-and-don’ts.
The best way to do that is through e-learning. For example, Vigitrust offers a very short dos-and-don’ts on secure printing that can be added to a traditional security awareness programme.
Finally, you shouldn’t forget that you need to secure the devices from the physical perspective. The devices have hard drives that are as big as hard drives were in laptops from two to three years ago, and you can appreciate the amount of data that is potentially being saved on those drives. It is important nobody can get physical access to those drives, as well as logical access.
So, it’s a mix of mapping the assets, training people, securing the physical hardware and then securing it from a logical perspective.