The General Data Protection Regulation (GDPR) is set to replace the Data Protection Act 1998 (DPA) on 25 May 2018. We set out a summary of what the GDPR is and the key differences between the DPA and the GDPR.
1. Who does the GDPR apply to?
The GDPR applies to ‘controllers’ (i.e. those who determine how and why personal data is processed) and ‘processors’ (i.e. those who act on the controller’s behalf). The definitions are broadly the same as under the DPA. The GDPR places specific legal obligations on the processor to maintain records of personal data and processing activities, with significantly MORE legal liability if you are responsible for a breach.
2. How is personal data classified?
To reflect the international, cross-border, connected times that we live in, the GDPR definition of personal data differs from the DPA’s. Other information that will now be classed as personal information includes:
- IP addresses
- Economic information
- Cultural details
- Mental health information
- ‘Pseudonymised’ data (for example, social media usernames or other online personas), provided the individual can be easily identified from it
As a general rule, if the person is identifiable or potentially identifiable from the information you hold about them, then it can be classed as personal data under the GDPR.
3. You need to demonstrate accountability and governance
Under the DPA, accountability and transparency were an implicit requirement of data protection law. Under the GDPR, compliance is expected to be explicit: your business must have in place a comprehensive but proportionate governance process to show how you comply with these principles. If your organisation has more than 250 employees, you must maintain additional internal records of your processing activities.
It is here that print processes can come under scrutiny, particularly if print users do not think about what they’re printing and whether the data is protected under the GDPR.
4. New breach notification procedures…
“The GDPR will introduce a duty on all organisations to report certain types of data breaches to the relevant supervisory authority, and in some cases to the individuals affected” ICO, 2017
A personal data breach is a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. You only have to notify the relevant supervisory authority of a breach if it is likely to result in a risk to the rights and freedoms of individuals (e.g. discrimination, financial loss, loss of confidentiality) or any other significant economic or social disadvantage.
With a time limit of 72 hours…
“A notifiable breach has to be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it.” ICO, 2017
And big fines!
The ICO states that failure to notify a breach when required can result in a significant fine of up to 10 million Euros or 2% of your global turnover.
To prepare for breach reporting you need to make sure:
- Your staff understand what a data breach consists of and that it is MORE than a loss of personal data.
- You have an internal breach reporting procedure in place. This will help to facilitate decision-making about whether you need to notify the supervisory authority or the public.
5. How can you make your print/scan/copy processes compliant?
You need a robust strategy to keep your business operations and printing processes compliant, in order to:
- Protect sensitive data and prevent it from being printed
- Detect possible breaches quickly and easily in case they take place despite every effort to prevent them
- Document processes to demonstrate your compliance and accountability
Here are some of the solutions Nustream have to offer to keep your printing and document processes GDPR compliant:
- Xerox inbuilt security features, including data encryption and image overwrite. Xerox devices also include Cisco TrustSec to protect data paths and McAfee whitelisting as standard on many devices.
- A secure print function, which requires the user to authorise release of a print job with a PIN or a card, prevents unclaimed documents from being left on devices.
Yet one of the most common causes of data breaches is the accidental sharing of data, which has been difficult to prevent. This is where things get smart.
Nustream offers intelligent print management solutions that enable IT administrators to set up automated workflows to detect specific patterns in documents (e.g. NI numbers, personal health information). Sensitive data can be redacted from the document being printed, copied or scanned without affecting the master copy and without the need for any manual intervention. The solution can report any incidents of potential compliance violations to the Compliance Officer or Data Security Lead as an early warning system ahead of a potential breach. In addition, overlays such as security stamps can be added as a rule when sensitive data is detected, or alternative workflows can be triggered so that those in charge of compliance are aware of what is being printed and who is trying to print it.
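As an added illustration of the detect-redact-report workflow described above (example code written for this article, not Nustream’s or Xerox’s product code), the snippet below scans a copy of a document for UK National Insurance numbers, redacts only that copy, records a masked incident for the compliance lead, and decides whether the job should be held. The NI number layout and prefix rules are assumed from HMRC’s published format; the sample page text is constructed.

```python
import re
from dataclasses import dataclass

# UK National Insurance number layout, assumed from the published HMRC format:
# two prefix letters, six digits, one suffix letter A-D, spaces optional.
NI_PATTERN = re.compile(r"\b([A-Z]{2}) ?(\d{2}) ?(\d{2}) ?(\d{2}) ?([A-D])\b")
BAD_FIRST = set("DFIQUV")          # letters never used in position 1
BAD_SECOND = set("DFIOQUV")        # letters never used in position 2
BAD_PREFIXES = {"BG", "GB", "KN", "NK", "NT", "TN", "ZZ"}

@dataclass
class Incident:
    kind: str
    masked: str     # only the tail of the value, so the report is not itself a leak
    offset: int     # character position in the scanned copy

def is_valid_ni_prefix(prefix: str) -> bool:
    """Reject strings that merely look like an NI number (cuts false positives)."""
    return (prefix[0] not in BAD_FIRST
            and prefix[1] not in BAD_SECOND
            and prefix not in BAD_PREFIXES)

def scan_document(text: str):
    """Return (redacted_copy, incidents). Only the copy sent to the device is
    altered; the caller's master document is never modified."""
    incidents = []

    def redact(match: re.Match) -> str:
        if not is_valid_ni_prefix(match.group(1)):
            return match.group(0)           # impossible prefix: leave untouched
        raw = "".join(match.groups())       # e.g. AB123456C
        incidents.append(Incident("NI number", "*****" + raw[-4:], match.start()))
        return "[REDACTED NI]"

    return NI_PATTERN.sub(redact, text), incidents

def route_job(incidents) -> str:
    """Alternative workflow: hold jobs with findings for the compliance lead."""
    return "hold-for-review" if incidents else "release"

# Constructed sample page: one genuine-format NI number and one look-alike
# whose first letter (D) is not permitted in a real NI number.
SAMPLE_PAGE = ("Payroll query from J. Bloggs, NI no. AB 12 34 56 C. "
               "Internal ref DF123456A is a test value, not an NI number.")

if __name__ == "__main__":
    copy, found = scan_document(SAMPLE_PAGE)
    print(copy)
    print([(i.kind, i.masked, i.offset) for i in found], route_job(found))
```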
Whilst there are still 10 months before the new regulation comes into force, it is vital that your business considers the implications of the new principles for your business operations and processes.