With GDPR fast approaching, we have gathered inputs from Xeretec experts from numerous business functions, to gain an understanding of how GDPR will affect their business areas, and how they are focusing on driving positive change with the help of the regulation.
Our experts cover IT, HR, Solutions, Managed Print Service Operations and Sales. Read their segments below to learn their views on GDPR, how they are approaching it and how they are helping our customers where relevant.
Mark Longley – Pre and Post Sales Analyst, Xeretec
It is not surprising that some companies are battling GDPR fatigue, given that it has been a talking point for so long. At Xeretec, we believe that GDPR needs honesty and simplification. Our approach has been to advise how we, from a print perspective, can help bolster the security of your current print and document workflows to ensure that companies can show that they have taken the steps necessary to reduce the risk of a document-related security breach. Of course, even with the best practice, process and technology, a breach could still occur. When determining a fine though, the Information Commissioner’s Office will not just assess the impact of the breach itself, but what measures a company had put in place to prevent the breach in the first place.
To address this, some companies are attempting to capitalise on GDPR by offering ‘GDPR-solutions’, with many suggesting that rip-and-replace is the way forward. In our view, that won’t be necessary. The tool set that we’re offering sits on top of existing print hardware and software to create a print and document workflow environment that optimises security further, covering print, copying, scanning and email. Among its features, the tool set gives a range of benefits to help companies on their GDPR journey.
While it is still important to talk about GDPR, we feel that it’s even more important to have the right type of conversations that are grounded in reality.
Gemma Phillips – Partner Account Director, Xeretec
With GDPR on the horizon, at Xeretec we’ve taken a proactive approach to helping guide our clients through it with a series of GDPR sessions. They’ve given us a really good insight into the GDPR concerns that larger, enterprise customers have on the subject. The three questions that keep coming up are, ‘how does GDPR relate to print?’, ‘what solutions should we look for to ensure compliance?’ and ‘what do companies need to do to ensure GDPR compliance?’
While we’re helping to address those questions, we’re also observing the growing awareness that GDPR isn’t just a corporate responsibility, but it is also a responsibility for each individual employee. While compliance officers, IT and security managers are aware of what they need to do to ensure the company is GDPR compliant, employees also have to play their part by – for instance – not leaving their PC unlocked when it’s unattended. It is very important that companies communicate this requirement for shared responsibility, so everyone is aware that GDPR is a team effort.
Marino Keith – MPS Operations Manager, Xeretec
Data and analytics are at the heart of the modern, agile enterprise, which is a good foundation for a business environment soon to be governed by GDPR. Print management solutions offer a comprehensive array of security functions, which serves an even more important purpose in the context of GDPR compliance. Should a breach occur, print management solutions platforms will be invaluable in helping you to drill down to the information you need, as simply and as quickly as possible. Aside from the convenience and reassurance this provides, you also need to show how your business would respond to pinpointing the cause of a breach. The detail of information offered by analytics will enable you to show the breach occurred at, say, 15:00, the name of the contentious file and all the device and document data needed to detail how the breach happened.
Introducing a print management solution - while tightening up on best practice - will not only do much to help you prevent a breach, but it will arm you with the information you need to identify its cause, should one happen.
Jon McNamara – Head of IT, Xeretec
One piece of advice I would give to businesses, is to start the process of tightening up how information flows into, around and out of your organisation, now. Don’t leave it until a breach has occurred to start thinking about plugging any gaps. If you take that approach, and there is a breach, any investigatory body (such as the Information Commissioner’s Office), will discover you had no measures in place to prevent a breach, or no crisis management plan to reduce the impact of a breach. That negligence could well have a bearing on the size of the fine you receive – and these could be eye-wateringly high, depending on circumstances. It won’t be until the first breach under the GDPR regulation occurs that we’ll get to see how severe a fine will be imposed by any investigatory body in the event of a breach.
Outside of the scaremongering though, GDPR is a fantastic opportunity for any company to optimise their data and security landscape. This should be a consideration for companies at all times, and tightening up on it could well lead to improved efficiencies internally, optimised processes, and - if you’re getting rid of redundant data – a reduction in your data storage costs, too. Don’t be daunted by GDPR. It allows you to introduce new processes that could make your business more secure, productive and successful, as well as compliant with the GDPR regulations.
Andy Quy – Solutions Consultant, Xeretec
Although there has been a renewed interest in GDPR since the beginning of the New Year, one concerning misconception that I have become aware of, is that some businesses believe that GDPR doesn’t apply to print and document workflows. That’s a concern as they’re overlooking the requirement to ensure that their print – from devices to documents - is secure, too. It’s clear that there remains a lack of awareness on this matter, especially among SMEs. From what I have seen, larger organisations have been quicker to both recognise and respond to the GDPR challenge from a print and document management perspective.
Of those SMEs that are aware of their GDPR obligations, many are concerned that it will be arduous to manage and adhere to. From a print perspective, that really needn’t be the case. Once set up correctly, print devices and document workflows will need little investment by way of resource or finance in the long run to ensure that they are compliant.
Irrespective of their level of understanding, it really is important for businesses of all sizes to secure their print devices and document workflows. While some businesses have taken the right steps to protect the printers themselves, they haven’t really considered file management nor the flow of information in and around the business. They need to secure the workflow process end-to-end, and not just the device. One thing in particular that appears to be misunderstood is that end point security is sufficient for compliance. Unfortunately, this isn't the case.
Claire Robinson-Learoyd – Head of HR, Xeretec
From the early conversations I’ve had with colleagues and peers, I think there is a lack of awareness about the impact that GDPR will have on businesses. My impression is that the measures needed to be GDPR compliant are still underestimated.
However, I’m confident that if companies start to manage the process now, they still have time to get on board. I think a key starting point here is to re-educate people on data; namely, on what they can do and what they cannot do with it. It is really important for a company’s senior management to drive the cultural change needed that will ensure that this renewed appreciation for the sensitivity of data is maintained.
Of course, none of this is impossible and I think that there are three steps that most organisations can take now ahead of the May deadline. The first is… act now! If you have not started already, look at what data you have, where you use it, why you use it, who has access to it and build up a comprehensive picture of what data you hold. Then look at how it is secured and what improvements need to be made to improve security further.
The next thing I’d suggest is to think of the big picture – not just the department that you’re responsible for, but how GDPR affects the whole company. Doing that will help you spot any interdepartmental synergies, where teams can work together to help make the whole organisation GDPR compliant, and sharing the challenge will help alleviate a lot of unnecessary pressure.
Ian Stevenson – GDPR & ISO 27001 Project Manager
For many, the road to compliance will depend on the size, nature and complexity of an organisation and its maturity in terms of Data Protection and Information Security. However, all companies should have a plan that would get them to where they need to be by 25th May. This plan will usually encompass three broad phases: Discovery and Gap Analysis; Risk Analysis, Management and Mitigation planning; and Implementation.
I would hope that most organisations are in the Implementation phase by now; if not, a risk-based methodology can ensure that high-risk aspects are ready in time and others have a scheduled implementation date that may fall outside the window. For those companies that are still at the early stages, they should prioritise mapping and auditing the personal data held within the organisation. Importantly, they also need to consider their third party processors, and seek assurances from all of them that they have a plan in place for GDPR compliance. Finally, they should review their policies and processes on consent and data subject rights.
Once May has passed, I would advise businesses not to just breathe a sigh of relief and drop the ball on their activities in their GDPR Compliance Plan. They should be thinking in terms of ongoing sustainability and continual improvement. The volume of change in business today means that you always need to factor in GDPR compliance and Information Security into your change processes, or your compliance status will inevitably fall behind.
For those who want to learn more, the Information Commissioner’s Office website has some great resources. It has tailored advice for different types of organisations, including charities, educational establishments and small businesses. It provides a readiness self-assessment checklist and there’s a very helpful section entitled “12 steps to take now” which may be invaluable ahead of May’s deadline.
Darren Bird – Head of Technology, Xeretec
Given all the concern and talk about GDPR, this may come as a surprise - preparing your print and document workflow for GDPR needn’t be that onerous. In many cases, you may already have the tools needed. For instance, if you have an intelligent print management and secure print solution in place – like Equitrac, SafeCom or PaperCut – combined with good security best practice, then you’ve got the key building blocks in place already.
That’s because those solutions help address some of GDPR’s fundamental requirements; the ability to show an audit trail relating to print, copy and scan, while a secure print solution will prevent documents from being copied, printed or scanned and left on devices, where they could be picked up by someone not authorised to view them. Those tools can even help redact sensitive or confidential information to prevent it from being shared accidentally. Rules can also be set up that alert Chief Information Officers or senior management in real-time to someone attempting to print, copy or scan confidential information or data, thereby halting a potential data breach at source.
As most companies review their security policies and practices regularly, GDPR could be seen as another good opportunity to check that your document and print strategies are as secure as they can be, and to optimise them where necessary if they’re not. Providing peace of mind probably sums up our print and document workflow GDPR proposition. We can work with you to plan for it, and show that if you act now, there’s no need to panic about it.