Skip to main contentClick to view our Accessibility Statement or contact us with accessibility-related questions.
Stylus and tablet

EU General Data Protection Regulation: 5 Implications for the Print Industry

The EU General Data Protection Regulation (GDPR) went into effect on May 25, 2018. If your organisation handles personal data of EU individuals, you must comply or face fines of up to €20m, or 4% of annual global turnover.

So what does the new regulation mean for the print industry? Here are five important starting points:

1. Understanding “Data Controller” and “Data Processor” The first step for any company in the print industry is to understand whether they are classified as a data controller or data processor. Both have obligations under the new regulation. A “data controller” determines the purposes and the means for which any personal data is to be processed (e.g. a bank) and a “data processor” processes that personal data on behalf of the controller (e.g. a print company).

Organisations, regardless of classification, may need to appoint a data protection officer (DPO). Working alongside other departments, DPO tasks include monitoring compliance with GDPR, advising and informing the organisation and its employees about their obligations, and acting as the point of contact for supervisory authorities and individuals whose data is processed.

2. Records of Processing Activities Under the new regulation, both data controllers and data processors are required to maintain records of data processing activities and make those records available to supervisory authorities if requested.

How should data processors keep track of the flow of data? One way could be to conduct data mapping exercises that provide a comprehensive view of the data being collected, processed and held, and that trace the flow of data among business units and sub-processors or third parties. These mapping exercises would also need to be repeated as changes may occur in the way data is collected, or systems, processes or procedures may be changed during the lifecycle of the data.

3. Individuals’ Rights Close oversight and tracking of personal data is essential to comply with GDPR’s strengthened rights for individuals, which may include the right to be informed, the right to data portability and the right to erasure (also known as “the right to be forgotten”).

Say an individual wishes to have their personal data erased or, if appropriate, the processing of the data stopped. Print companies, as data processors, may be required to assist data controllers with access requests. This would require data processors to locate specific personal data for removal or destruction at the behest of a data controller or individual.

4. Security and Privacy by Design The new GDPR reporting window for data breach notifications, which allows data controllers 72 hours to report data breaches to the supervisory authorities, has gained significant attention. The GDPR also requires data processors to notify data controllers without undue delay after becoming aware of a personal data breach.

To avoid the fines and harm to reputation that a data breach can cause, the print industry must maintain a higher standard of security than ever before. Print companies should implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

With the advent of the Internet of Things (IoT) and more wireless devices with access to networks, new cyber-security threats have emerged that have an impact on printer technology. Modern printers and smart devices call for a multi-layered approach to security that spans intrusion prevention, device detection, document and data detection and external partnerships with security specialists. Securing personal data, such as via encryption, is imperative. When data is no longer required, it should be appropriately erased.

In addition, product features such as access control (ensuring only authorised users have access to print devices) and secure print (only releasing print documents when the user enters their unique PIN number) help to address security concerns.

As the task of vetting security becomes increasingly onerous, it is likely that security service level agreements (SLAs) – including commitment to data encryption and two-factor authentication – will appear in contracts more frequently.

5. Network Consolidation Many transactional print projects use multiple partners for complicated direct mail campaigns (one agent for inserts, one for letters, one for collation, etc.), which decreases control over the content and increases the risk of exposure.

The GDPR’s requirements could result in an increase in business for larger OEMs. Customers may seek the safety of a one-stop shop that manages sub-processors across all geographic locations and provides infrastructure, security and automated reporting within a controlled environment.

With GDPR now in place, it’s time to be prepared for the significant changes it brings to the print industry. It’s time for print organisations, amongst others, to assess their data processing activity, seek out expert advice, and develop a systematic approach.

Contact Us


The content of this article is provided for general informational purposes only and is not intended to be used as a substitute for specific legal advice or opinions. Xerox disclaims liability for any actions or inactions taken based on the content of this article.

Xerox employs a cross-functional Core Privacy Team tasked with ensuring operational readiness as a global citizen and service delivery vendor. We fully expect to be able to meet our compliance obligations under the EU General Data Protection Regulation.

Related Articles

  • Man printing from a print kiosk.

    IESE Business School Case Study

    Discover the strategic impact of Xerox Managed Print Services on a leading global business school, propelling the institution into a new era of digitisation while enhancing the student experience.

  • Blue geometric building panels

    Xerox named a Leader in Quocirca's MPS 2022 Landscape Report

    Xerox continues to lead in the Quocirca MPS vendor assessment, based on strategic vision and depth of service offerings, including cloud, digital workflow, security, and analytics.

  • Fingers typing on a keyboard, overlaid with security lock icons

    Putting Zero Trust first.

    Your security is our top priority. See how our products and services support your Zero Trust initiatives.

  • Aerial view of Bahrain

    National Bank of Bahrain Case Study

    Discover how Xerox helped the National Bank of Bahrain to optimise its print management. Read on to find out more about the managed print solutions used.

  • A group of people meeting in a brightly lit conference room

    IDC MarketScape: Worldwide Cloud MPS Hardcopy 2022 Vendor Assessment

    Xerox named a Leader for our Managed Print Services (MPS) suite innovations in print and print-related services, including remote monitoring, content capture and data protection.

  • Doctor examining a child

    French Non-Profit Association Case Study

    See how Xerox helped boost productivity and accessibility for one of France's most significant non-profit organizations with the help of our Managed Print Services and Workflow Central Platform.