With GDPR fast approaching, we have gathered input from Xeretec experts across numerous business functions to gain an understanding of how GDPR will affect their business areas, and how they are focusing on driving positive change with the help of the regulation.
Our experts cover IT, HR, Solutions, Managed Print Service Operations and Sales. Read their segments below to learn their views on GDPR, how they are approaching it and how they are helping our customers where relevant.
Marino Keith – MPS Operations Manager, Xeretec
Data and analytics are at the heart of the modern, agile enterprise, which is a good foundation for a business environment soon to be governed by GDPR. Print management solutions offer a comprehensive array of security functions, which serves an even more important purpose in the context of GDPR compliance. Should a breach occur, print management solutions platforms will be invaluable in helping you to drill down to the information you need, as simply and as quickly as possible. Aside from the convenience and reassurance this provides, you also need to show how your business would respond to pinpointing the cause of a breach. The detail of information offered by analytics will enable you to show the breach occurred at, say, 15:00, the name of the contentious file and all the device and document data needed to detail how the breach happened.
Introducing a print management solution - while tightening up on best practice - will not only do much to help you prevent a breach, but it will arm you with the information you need to identify its cause, should one happen.
Jon McNamara – Head of IT, Xeretec
One piece of advice I would give to businesses is to start the process of tightening up how information flows into, around and out of your organisation, now. Don’t leave it until a breach has occurred to start thinking about plugging any gaps. If you take that approach, and there is a breach, any investigatory body (such as the Information Commissioner’s Office) will discover you had no measures in place to prevent a breach, or no crisis management plan to reduce the impact of a breach. That negligence could well have a bearing on the size of the fine you receive – and these could be eye-wateringly high, depending on circumstances. It won’t be until the first breach under the GDPR regulation occurs that we’ll get to see how severe a fine will be imposed by any investigatory body in the event of a breach.
Outside of the scaremongering though, GDPR is a fantastic opportunity for any company to optimise their data and security landscape. This should be a consideration for companies at all times, and tightening up on it could well lead to improved efficiencies internally, optimised processes, and - if you’re getting rid of redundant data – a reduction in your data storage costs, too. Don’t be daunted by GDPR. It allows you to introduce new processes that could make your business more secure, productive and successful, as well as compliant with the GDPR regulations.
Andy Quy – Solutions Consultant, Xeretec
Although there has been a renewed interest in GDPR since the beginning of the New Year, one concerning misconception that I have become aware of is that some businesses believe that GDPR doesn’t apply to print and document workflows. That’s a concern as they’re overlooking the requirement to ensure that their print – from devices to documents – is secure, too. It’s clear that there remains a lack of awareness on this matter, especially among SMEs. From what I have seen, larger organisations have been quicker to both recognise and respond to the GDPR challenge from a print and document management perspective.
Of those SMEs that are aware of their GDPR obligations, many are concerned that it will be arduous to manage and adhere to. From a print perspective, that really needn’t be the case. Once set up correctly, print devices and document workflows will need little investment by way of resource or finance in the long run to ensure that they are compliant.
Irrespective of their level of understanding, it really is important for businesses of all sizes to secure their print devices and document workflows. While some businesses have taken the right steps to protect the printers themselves, they haven’t really considered file management or the flow of information in and around the business. They need to secure the workflow process end-to-end, and not just the device. One thing in particular that appears to be misunderstood is that endpoint security is sufficient for compliance. Unfortunately, this isn't the case.
Claire Robinson-Learoyd – Head of HR, Xeretec
From the early conversations I’ve had with colleagues and peers, I think there is a lack of awareness about the impact that GDPR will have on businesses. My impression is that the measures needed to be GDPR compliant are still underestimated.
However, I’m confident that if companies start to manage the process now, they still have time to get on board. I think a key starting point here is to re-educate people on data; namely, on what they can do and what they cannot do with it. It is really important for a company’s senior management to drive the cultural change needed that will ensure that this renewed appreciation for the sensitivity of data is maintained.
Of course, none of this is impossible and I think that there are three steps that most organisations can take now ahead of the May deadline. The first is… act now! If you have not started already, look at what data you have, where you use it, why you use it, who has access to it and build up a comprehensive picture of what data you hold. Then look at how it is secured and what improvements need to be made to improve security further.
The next thing I’d suggest is to think of the big picture – not just the department that you’re responsible for, but how GDPR affects the whole company. Doing that will help you spot any interdepartmental synergies, where teams can work together to help make the whole organisation GDPR compliant, and sharing the challenge will help alleviate a lot of unnecessary pressure.
Ian Stevenson – GDPR & ISO 27001 Project Manager
For many, the road to compliance will depend on the size, nature and complexity of an organisation and its maturity in terms of Data Protection and Information Security. However, all companies should have a plan that would get them to where they need to be by 25th May. This plan will usually encompass three broad phases: Discovery and Gap Analysis; Risk Analysis, Management and Mitigation planning; and Implementation.
I would hope that most organisations are in the Implementation phase by now; if not, a risk-based methodology can ensure that high-risk aspects are ready in time and others have a scheduled implementation date that may fall outside the window. For those companies that are still at the early stages, they should prioritise mapping and auditing the personal data held within the organisation. Importantly, they also need to consider their third party processors, and seek assurances from all of them that they have a plan in place for GDPR compliance. Finally, they should review their policies and processes on consent and data subject rights.
Once May has passed, I would advise businesses not to just breathe a sigh of relief and drop the ball on their activities in their GDPR Compliance Plan. They should be thinking in terms of ongoing sustainability and continual improvement. The volume of change in business today means that you always need to factor in GDPR compliance and Information Security into your change processes, or your compliance status will inevitably fall behind.
For those who want to learn more, the Information Commissioner’s Office website has some great resources. It has tailored advice for different types of organisations, including charities, educational establishments and small businesses. It provides a readiness self-assessment checklist and there’s a very helpful section entitled “12 steps to take now” which may be invaluable ahead of May’s deadline.
Darren Bird – Head of Technology, Xeretec
Given all the concern and talk about GDPR, this may come as a surprise - preparing your print and document workflow for GDPR needn’t be that onerous. In many cases, you may already have the tools needed. For instance, if you have an intelligent print management and secure print solution in place – like Equitrac, SafeCom or PaperCut – combined with good security best practice, then you’ve got the key building blocks in place already.
That’s because those solutions help address some of GDPR’s fundamental requirements: the ability to show an audit trail relating to print, copy and scan, while a secure print solution will prevent documents from being copied, printed or scanned and left on devices, where they could be picked up by someone not authorised to view them. Those tools can even help redact sensitive or confidential information to prevent it from being shared accidentally. Rules can also be set up that alert Chief Information Officers or senior management in real-time to someone attempting to print, copy or scan confidential information or data, thereby halting a potential data breach at source.
As most companies review their security policies and practices regularly, GDPR could be seen as another good opportunity to check that your document and print strategies are as secure as they can be, and to optimise them where necessary if they’re not. Providing peace of mind probably sums up our print and document workflow GDPR proposition. We can work with you to plan for it, and show that if you act now, there’s no need to panic about it.