Printing Processes in the Context of the General Data Protection Regulation (GDPR)

How to ensure your printing processes are EU GDPR-compliant

On May 25, 2018, the new EU data protection regulation (GDPR) became binding in all member states and applies to all IT processes in companies and government agencies. Therefore, each company must check whether its IT infrastructure is GDPR compliant and remedy any security deficiencies. An area frequently overlooked is printing, even though in this area there is an even greater demand for action.

The act regulates, among others, the processing and holding of personal data. For example, companies will be required to report any data leak within 72 hours (a so-called Security Breach Notification). In the event of a violation of the GDPR, high fines are to be imposed, which have been significantly increased when compared to the previously applicable regulations.

According to Section 3 (1) of the German Federal Data Protection Act (BDSG), personal data is defined as “any information concerning the personal or material circumstances of an identified or identifiable individual (the data subject)”. In practice however, it is not always easy to see whether or not certain information can be assigned to personal data. As a rule of thumb, it can be said that whenever a person can be directly or indirectly identified, for example by name, telephone number, account data, address or even IP address, then the data can be considered as personal data.

 

Common weaknesses for print security:

• Personal data are transferred unencrypted via the network when printing
• Personal data are stored unencrypted on servers or printer hard drives during the printing process
• Sensitive data is printed to the wrong printer
• Documents containing personal data end up in the wrong hands at the printer’s output tray
• Printing devices are not adequately protected and can be misused by hackers as a gateway into the corporate network.