Printing and GDPR: the importance of securing paper documents

(By Marco Fusari)
08/10/18

The entry into force of the General Data Protection Regulation (GDPR) this past 25 May finally settled, at European level, the delicate issue of how private companies and public bodies manage the data they handle on a daily basis.

For many years, legislation allowed individual countries to implement purely national regulations that, although rigid and clear, were not adequately harmonized to cope with the long-standing process of globalization. This could create flaws in the system or an unclear definition of responsibilities, which led to inconsistent protection of the individuals concerned.

Today, employees of any level and responsibility are required to know the legislation and to adopt behaviors and use processes that protect the personal information of customers, suppliers and employees in the best possible way.

Without going into the well-known regulatory basis, or the consequences that can follow from incorrect management of the data or of the systems used to store them (theft of the data or its use for illicit purposes are just two examples), it is important to underline that it is not only the purely IT-related aspects that are exposed to attack.

It is too often assumed that attacks can only come from the network, for example through a malfunction of the intrusion protection system (firewall), but it is worth remembering that information does not circulate exclusively through e-mail or social networks but also on paper (printouts of files and photocopies are two examples).

Multifunction devices and printers are an integral part of the administrative and communication process. They are generally connected to the network, and they generate, create and manage information just like a personal computer. Precisely for this reason they must receive adequate attention and protection: the printed document contains the same personal information as the file, information that is very important from a legal point of view and therefore protected. Furthermore, even today the paper document is still used to store and manage the most important information.

It is therefore enough to forget a document on the paper output tray, or to leave it unattended for a few minutes before going to pick it up, to put at risk the data of the company or of the people who work there. Anyone can read the content and use that sensitive information for personal purposes, damaging, even involuntarily, the person involved or causing damage to the company that owns the data.

Today personal peripherals are in many cases supplanted, for cost optimization reasons, by departmental systems that serve larger or smaller groups of people. The correct management of printing systems is therefore even more important: as more people share the same tool, it becomes necessary to be even more careful to make clear who is responsible for a print process.

A simple example of what can happen:

Subject A, whom we will call Antonio for convenience, prints his salary slip, and the printout is duly deposited on the tray of the multifunction device located in the corridor. At the same time subject B, Bruno, is making a photocopy and by mistake picks up his colleague's slip together with his own bundle of pages.

Bruno discovers that Antonio earns much more than he does and uses this information for his benefit or simply divulges it to others.

Antonio suffers damage (financial data is considered "sensitive") and can report the fact. The company, if involved, must demonstrate that it has made available to employees the tools and processes to avoid these situations. Bruno will certainly be subject to sanctions, and the company will have to show that the print management system was designed properly.

Compliance with the GDPR requires companies, among other things, to address this last aspect, that is, to use processes and systems that prevent the theft of third parties' personal information.

But then, given the relevance of the problem, what are the main steps that must be implemented by companies and institutions to achieve compliance with the GDPR in relation to their printing systems?

Following the logical flow of operations it is fundamental that 3 basic steps are kept under control, which we simply summarize below:

1. SECURE NETWORK INFRASTRUCTURE

It is essential that the network infrastructure is secure and controlled. Beyond that, the print devices must adopt protective measures such as user authentication, deletion of latent data on the hard disk, encrypted network communication and native data encryption. Last, but not least, comes the adoption of dedicated software that makes the printing process secure.

2. SECURE PRINT FLOWS

Printouts must be released by the printing system only in the presence of the user, who must authenticate (preferably with two-factor authentication) by entering a user name and password on the display or by using a company badge. The user must also wait for the print to finish before picking up the documents, so that no information is left unattended on the output tray. It is also important that the print queue management software handles printer errors, preventing a document from being released unexpectedly once a malfunction has been resolved.

3. COMPLETE TRACEABILITY OF PRINT JOBS

In order to trace back any event, it is essential to keep track of print jobs with dedicated computer records and reports containing all the data related to the document, using specific management software. The centralized management software and related reports should also allow the deletion of any information about a given user when a request is made to exercise the right to be forgotten.

As a further security measure, it is possible to use watermarks and digital signatures on the document, to directly identify the source, and to store on a secure server a copy of each print produced for an accurate and complete historical record.
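The hold-and-release flow of step 2 and the job records and erasure of step 3, as an added Python example (not from the article or from any vendor's software). `PrintReleaseQueue`, its methods and the sample users are hypothetical names, and the device is assumed to call `release` only after it has authenticated the user.

```python
import itertools
import time
from dataclasses import dataclass

@dataclass
class Job:
    job_id: int
    owner: str
    title: str
    state: str = "held"  # held -> printing; back to held on a device error

class PrintReleaseQueue:
    """Hypothetical hold-and-release queue; not any vendor's API."""
    def __init__(self):
        self.jobs = {}
        self.audit = []  # (timestamp, user, job_id, event)
        self._ids = itertools.count(1)

    def _log(self, user, job_id, event):
        self.audit.append((time.time(), user, job_id, event))

    def submit(self, owner, title):
        job = Job(next(self._ids), owner, title)
        self.jobs[job.job_id] = job
        self._log(owner, job.job_id, "submitted")
        return job.job_id

    def release(self, authenticated_user):
        """Called by the device only after the user has authenticated at it."""
        mine = [j for j in self.jobs.values()
                if j.owner == authenticated_user and j.state == "held"]
        for job in mine:
            job.state = "printing"
            self._log(authenticated_user, job.job_id, "released")
        return [job.job_id for job in mine]

    def device_error(self):
        """Jam or fault: in-flight jobs return to held and never auto-resume."""
        for job in self.jobs.values():
            if job.state == "printing":
                job.state = "held"
                self._log(job.owner, job.job_id, "requeued_after_error")

    def erase_user(self, user):
        """Erasure request: drop the user's jobs and audit records."""
        self.jobs = {k: j for k, j in self.jobs.items() if j.owner != user}
        kept = [r for r in self.audit if r[1] != user]
        removed, self.audit = len(self.audit) - len(kept), kept
        return removed
```

With this design Antonio's salary slip stays held while Bruno is at the device, and a job interrupted by a jam prints again only after its owner authenticates once more.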

To conclude: everyone needs to use secure printing systems, but some organizations simply cannot do without them. Examples are banks, defense and all related activities, government bodies and also all the companies that increasingly operate in the field of e-commerce. In these environments it is important to use certified systems. The most recent certification is the HCD PPV1, which imposes strict compliance standards and was recently adopted by Sharp systems.

Naturally, all this cannot be improvised overnight.

In fact, in addition to knowledge of the company's internal processes, it is necessary to master the international security regulations.

  

To learn more:

https://www.sharp.it/cps/rde/xchg/it/hs.xsl/-/html/information-security.htm

(photo: web / US Army)