GDPR Compliance: Can you afford to forget printing?
Thursday, May 03, 2018
by Linda van der Westen
What happens when someone prints a file? Normally, we expect a document to show up in the output tray of a printing device within seconds. But between the time a user clicks “print” and the moment the document is retrieved from the printer, a lot can happen… sometimes with security implications.
Depending on how the print infrastructure is set up, data will often travel over the corporate network. This can be a local network (LAN), but it can also be over a wide area network, or WAN. In some cases, the file can be sent to a server that is not even in the same country or continent. This is not something we tend to think about, but it does happen. While it may take less than a minute for the printer to start spitting out pages, the data may have travelled thousands of miles.
Even though printing speed has long been a concern for large enterprises (see our article on speeding up slow print servers), protecting data throughout the printing process has not gotten the same level of attention. The main reasons for keeping print jobs local usually involved improving print speed or eliminating reliance on a distant print server for processing the job by utilizing a local one or direct IP print connection instead. However, with the new GDPR soon coming into effect, data protection is a growing concern for large multinationals and smaller organizations alike. And printing is, or should be, a part of that concern.
Let’s have a look at what could happen if you disregard the print process. Personal information might be exposed after a file is printed. Or data might be intercepted as the files make their way across the network during the print process. Both situations are considered a data breach that must be reported. Furthermore, each could result in a potential fine up to 4% of annual global turnover or 20 Million Euros. In short, it is worth considering these risks and learning how your printing process can become GDPR compliant.
Let’s start by clearing up a common misunderstanding: implementing a secure pull printing or Follow (Me) Printing solution is not going to be enough. It may be one step towards GDPR compliance but it is not guaranteed to protect user data to the required level. What pull printing will do is ensure that printed documents will not be laying around in an output tray after they are printed but before the owner collects them. Which is certainly a measure to prevent a potential security breach.
But what happens if they are left unattended after they are picked up? How can we prevent printed material from inadvertently being exposed? Secure printing cannot prevent that from happening. Applying watermarks, however, can help identify confidential data and warn that others shouldn’t view it. Doing so eliminates yet another risk factor.
Earlier, I mentioned the printing process and the transfer of data over the network. If sent as clear data, this sensitive information can be accessed by other employees or even hackers. This may seem like an unlikely scenario, but it does happen more often than we expect. Why expose your organization to GDPR violations when you can just as easily protect this data by encrypting it?
Another piece of the compliance puzzle is auditing and reporting. How do you prove that you have had no data breaches? You can keep a record of all activity during the printing process by tracking who accessed what, when and where. You can also document what was done with the data (printed, copied, stored, scanned and/or emailed). This information is critical when being asked to certify GDPR compliance.
In summary, there are three areas to consider when printing, and secure pull printing is just one of them. You also have to ask what happens before a document comes out of the printer and what happens after it has been collected by the user. If you fail to consider these areas when implementing measures for GDPR compliance, your organization might still be at risk.
The Latin phrase “Praemonitus, praemunitus” (“Forewarned is forearmed”) is directly applicable. There is a lot to be gained by carefully considering all areas of your organization and them assessing the various risk factors within each area. Consider yourself forewarned.