With devices such as printers, scanners and mobile gadgets capable of capturing and storing data from documents, how can businesses ensure they remain GDPR-compliant? Here are a few helpful tips.
Speaking to Antony Adshead of Computer Weekly, Vigitrust CEO Mathieu Gorge sheds some light on “the risks inherent in an organisation’s printing and document capture environment” and how to “incorporate it into your GDPR risk assessment strategy.”
Asked about the storage and document compliance worries when it comes to printing and document capture, Gorge explained, “First of all we should recognise that printing and document capture are the forgotten parts of the internal and distributed network from a compliance and storage perspective.”
He went on, “If we break it down, what really is printing and document capture. It’s essentially scanners, printers, whether networked or wireless, multi-functional printers/devices and mobile devices with cameras.
So, if I look at a standard multi-functional device, for example, it allows you to printing, scanning, scan-to-fax, scan-to-email and follow-me printing, which was created by HP a few years ago.”
Gorge continued, “As you can see, from a storage and compliance perspective, you start with one document and you end up with tens of versions of the document, which, again, end up being backed up.
Finally, from a mobile device perspective, all devices now come with cameras and it’s not unusual to use them to take a picture of a document and then email it or text it.” Gorge describes this as “a headache from a compliance and storage perspective” as “now the document is stored on a device and also on your network, and may also end up being stored on the network of the mobile provider.”
“And so,” he explains, “from a GDPR perspective, it’s important to map out how you actually use those devices, where they are and if you are taking appropriate security measures to protect that is sent or transmitted or stored from the device.”
When it comes to the appropriate management of your business’s printing and document capture environment, Gorge advises making sure it is “part of your risk strategy and of the technology that will protect your environment.”
This means performing a Privacy Impact Assessment (PIA). This also involves an asset inventory and the necessary implementation of technical security, including firewalls, the automatic purging of hard drives, and more.
“Finally,” he concludes, “you shouldn’t forget that you need to secure the devices from the physical perspective. The devices have hard drives that are as big as hard drives were in laptops from two to three years ago, and you can appreciate the amount of data that is being potentially being saved on those drives. It is important nobody can get physical access to those drives, as well as logical access.
So, it’s a mix of mapping the assets, training people, securing the physical hardware and then securing it from a logical perspective.”
