Legislation comes into force in May. It changes how we look after information. Tough penalties exist for organisations that fail to protect data and keep information secure.
General Data Protection Regulation (GDPR), which supersedes the 1998 Data Protection Act, has been in force since last May. However, after a year’s grace, full compliance comes into force on 25 May 2018.
The EU legislation will ensure individuals have greater control of information held about them and who has access to it.
This will grant individuals easier access to their personal data. GDPR also requires businesses and other organisations to ensure that information remains secure.
For organisations that fail to protect data and comply, the penalties can be considerable. Fines reach up to 4% of annual turnover or €20 million (£17.47m) per breach, whichever is greater.
The legislation also extends to hard copies, whether sheets of paper left on a printer or overnight on a desk, or in the supposed security of a filing cabinet. The regulations and penalties apply equally to any size of company, from sole trader to multinational.
There is an obvious implication for internal IT support, as well as external IT support providers. However, the computer network is not the only potential entry point for a data thief.
HP Inc, the multifunctional device (MFD) / printer and personal computer division of the Hewlett Packard corporation, has even recruited Hollywood, in the person of film star Christian Slater, to highlight the potential dangers of insecure printers in a glossy six-minute film, The Wolf.
In the film, Slater’s smooth criminal character uses a seemingly innocent email to access a company printer. From there he worms his way into the firm’s computer network.
With HP’s statistics suggesting that only 2% of the world’s computers are secure, the potential for such breaches is far more real than any Hollywood fantasy.
For Alex Main, Sales Director of Inverness-based Highland Office Equipment, the office copier has evolved from a device that just does your photocopying into an MFD that is a key element of the office network. That means the implications of GDPR are as much of an issue for customers with copiers and MFDs as they are for the computer networks managed by those customers or their IT specialists.
“Over the past six months in particular, more and more people have been asking about GDPR and looking for advice. However, I still don’t think a lot of people appreciate that the new GDPR regulations will be here in May.
“People now scan and print information from mobile devices, and may even be printing in a different location. Or if you want to guest print in a location where you are not based or work from home, you need to have secure solutions for that as well. In the modern office environment with more people hot-desking, that becomes even more of a challenge.
“Modern devices have a USB port and people need to think about that too. Is it a place where information is vulnerable or can it be switched off?
“We can’t secure people’s networks, but what we can help with is secure printing, the tracking of printing, document management and encryption of documents, and we can make sure that your device is as secure as possible.”
Print and protect
The technology advances that have made the modern MFD a potential entry point for the bad guys can, on a much more positive note, provide protection against the use and abuse of data.
Printing can be delayed unless authorised by a secure personal code or PIN to ensure confidential material is not left lying around.
“You can also scan and encrypt print and create a password with that document that can then be delivered separately. So, a very simple bit of technology built into the modern MFD can give you an extra layer of security.
“But hard copy threats are just as much of an issue as digital threats because people do still keep hard copies of customer details. We can help by digitalising and storing data, but it has always got to be up to the customer to do their own housekeeping and ensure they are secure.”
Preparation is key to protect data
HOE is part of Capital Document Solutions and Capital’s IT Director Kevin Lorimer admits he learnt a lot in preparing the company for GDPR.
“It’s not just about computers, it’s about information in any form.
“Your PCs, your servers, but it’s also your MFDs, printers, fax machines, bits of paper, filing cabinets – even conversations. It’s all of that really.
“If you go to the Information Commissioner’s Office (ICO) website, you can wonder how on earth you are going to get all of that together in time, but some people don’t even get that far. The challenge is that GDPR isn’t just a law, it is a bunch of policies and procedures.
“So how do you get the message across to your staff in a way they understand?
“People understand security. They don’t leave their front door open when they leave the house or their car unlocked. How do you translate that awareness into a business sense?
“Well, it means don’t leave a bit of paper on the photocopier, have a clean desk policy, and adopt simple practical things like that.”
The legislation calls on any organisation of 250 employees or more to appoint its own Data Protection Officer; however, Kevin said that did not mean smaller companies should think they will be overlooked.
“Smaller companies have this idea that it’s the large companies who will get caught out or receive massive fines, not your average small to medium business, but that’s not the case.
“And it’s not just about fines, it’s also about the reputational damage. If you are fined, that’s recorded on the ICO website forever.”
The other key message is that 25 May is just the start for GDPR, not the conclusion.
“Sometimes embracing the technology is easy – buy an anti-virus programme and stick it on the server and that’s it.
“What’s harder is countering some day-to-day mistake like the email going to the wrong customer or the payroll file that wasn’t encrypted.
“The important thing to remember is that it’s the bad guys we are all trying to stop. This is long overdue.
“This is good for individuals. You can go on a slick-looking website and put in your details, but you have no idea how that information is being stored or used.”
Kevin and his colleague Alan Banks visited HOE in Inverness as part of a series of company-wide roadshows preparing all company staff for the arrival of GDPR.
Words of advice
So what key advice would he share with others?
“One of the best things is to look at practical examples of potential breaches from within your organisation, but also from the ICO website.
“That’s when you can really relate to what they are talking about. It helps you realise that although the law is black and white, in practice it can be open to interpretation and sharing knowledge with all staff across the company can help you avoid the pitfalls.”
Capital and HOE’s advice on what you need to do to protect data now is:
- Start checking how your data is collected and processed.
- Review how you manage customer and personal data.
- What types of personal data do you handle? This can help you identify whether you need them all.
- How do you gather data? Is it from a legitimate source? Has permission been granted for its use? How do you protect data?
- Look for support in local business communities and via online resources. There is a wealth of information out there.
- Have an action plan in place.
- Be proactive in contacting your customers to ensure your data is correct.