The EU General Data Protection Regulation (GDPR) went into effect on May 25, 2018. If your organization handles personal data of EU individuals, you must comply or face fines of up to €20m, or 4% of annual global turnover.
So what does the new regulation mean for the print industry? Here are five important starting points:
1. Understanding “Data Controller” and “Data Processor”
The first step for any company in the print industry is to understand whether they are classified as a data controller or data processor. Both have obligations under the new regulation. A “data controller” determines the purposes and the means for which any personal data is to be processed (e.g. a bank) and a “data processor” processes that personal data on behalf of the controller (e.g. a print company).
Organizations, regardless of classification, may need to appoint a data protection officer (DPO). Working alongside other departments, DPO tasks include monitoring compliance with GDPR, advising and informing the organization and its employees about their obligations, and acting as the point of contact for supervisory authorities and individuals whose data is processed.
2. Records of Processing Activities
Under the new regulation, both data controllers and data processors are required to maintain records of data processing activities and make those records available to supervisory authorities if requested.
How should data processors keep track of the flow of data? One way could be to conduct data mapping exercises that provide a comprehensive view of the data being collected, processed and held, and that trace the flow of data among business units and sub-processors or third parties. These mapping exercises would also need to be repeated as changes may occur in the way data is collected, or systems, processes or procedures may be changed during the lifecycle of the data.
3. Individuals’ Rights
Close oversight and tracking of personal data is essential to comply with GDPR’s strengthened rights for individuals, which may include the right to be informed, the right to data portability and the right to erasure (also known as “the right to be forgotten”).
Say an individual wishes to have their personal data erased or, if appropriate, the processing of the data stopped. Print companies, as data processors, may be required to assist data controllers with access requests. This would require data processors to locate specific personal data for removal or destruction at the behest of a data controller or individual.
4. Security and Privacy by Design
The new GDPR reporting window for data breach notifications, which allows data controllers 72 hours to report data breaches to the supervisory authorities, has gained significant attention. The GDPR also requires data processors to notify data controllers without undue delay after becoming aware of a personal data breach.
To avoid the fines and harm to reputation that a data breach can cause, the print industry must maintain a higher standard of security than ever before. Print companies should implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
With the advent of the Internet of Things (IoT) and more wireless devices with access to networks, new cyber-security threats have emerged that have an impact on printer technology. Modern printers and smart devices call for a multi-layered approach to security that spans intrusion prevention, device detection, document and data detection and external partnerships with security specialists. Securing personal data, such as via encryption, is imperative. When data is no longer required, it should be appropriately erased.
In addition, product features such as access control (ensuring only authorized users have access to print devices) and secure print (only releasing print documents when the user enters their unique PIN) help to address security concerns.
As the task of vetting security becomes increasingly onerous, it is likely that security service level agreements (SLAs) – including commitment to data encryption and two-factor authentication – will appear in contracts more frequently.
5. Network Consolidation
Many transactional print projects use multiple partners for complicated direct mail campaigns (one agent for inserts, one for letters, one for collation, etc.), which decreases control over the content and increases the risk of exposure.
The GDPR’s requirements could result in an increase in business for larger OEMs. Customers may seek the safety of a one-stop shop that manages sub-processors across all geographic locations and provides infrastructure, security and automated reporting within a controlled environment.
With GDPR now in place, it’s time to be prepared for the significant changes it brings to the print industry. It’s time for print organizations, amongst others, to assess their data processing activity, seek out expert advice, and develop a systematic approach.
The content of this article is provided for general informational purposes only and is not intended to be used as a substitute for specific legal advice or opinions. Xerox disclaims liability for any actions or inactions taken based on the content of this article.
Xerox employs a cross-functional Core Privacy Team tasked with ensuring operational readiness as a global citizen and service delivery vendor. We fully expect to be able to meet our compliance obligations under the EU General Data Protection Regulation.