GDPR Data security challenges for print and scan environments

Respond to the General Data Protection Regulation

The General Data Protection Regulation (GDPR) strengthens and unifies data protection for individuals living within the European Union (EU) and sets down guidelines regarding the processing of personal data globally. uniFLOW is built on the principle of avoiding the risk of data leaks. When a user is registered, minimal information is requested to avoid storing superfluous personal data. uniFLOW also implements powerful technology to guarantee any data transferred and processed within the print and scan environment remains secure. GDPR also addresses accountability and individuals’ rights. uniFLOW offers a thorough concept to help organizations meet these challenges.

Data protection by design and by default

Data protection needs to be integrated into business processes by default to ensure personal data cannot be accessed by unauthorized parties (GDPR Article 25). A range of security features are activated by default once uniFLOW is installed. To prevent unauthorized access, print devices can be locked via access control lists, and scan options can produce encrypted PDFs with optional password protection. Mobile security is enhanced by providing external job submission pathways, which remove the need to add unknown or unauthorized mobile devices to a network.

The secure printing functionality allows users to send confidential documents to network printers from desktops or mobile devices. The print job will only be printed once a user has authenticated themselves while physically standing at the device, i.e. print jobs no longer wait on output trays, so they cannot be picked up by a third party. uniFLOW can recognize when a device error has occurred and, if the user is logged out, will automatically delete any remaining print jobs.

The penalty for non-compliance with GDPR can be up to 4% of an organization’s total annual global turnover or €20 million, whichever is the greater.
GDPR Article 83(6)

GDPR also affects UK businesses. The regulation will come into force on 25th May 2018, before the UK leaves the EU, and the UK Government has confirmed the regulation will remain in force afterwards.
The Queen’s Speech and associated background briefing, 2017.

Security of processing – reduce risks

In order to guarantee security when processing personal data, GDPR requires the implementation of technical and organizational measures appropriate to the risk involved (GDPR Article 32). uniFLOW secures the end-to-end connection between devices by encrypting print jobs in transit using 256-bit AES encryption. uniFLOW also offers various options to guarantee continuous availability of a print and scan infrastructure: a three-pillar model consisting of automatic Canon MEAP device failover, redundant spool file storage and intelligent print job distribution creates a comprehensive solution. Server backups mean personal data can be retrieved in a timely manner as required under GDPR.

Detection and reporting – limit the damage

As soon as an administrator becomes aware of a data breach, GDPR stipulates it must be reported, together with information about its cause and likely consequences, to the supervising authority within 72 hours (GDPR Article 33), i.e. investigations into data breaches will be mandatory. Integration between uniFLOW and Canon’s iW SAM Express means text and image data, plus login information, can all be captured to facilitate comprehensive auditing and flagging of confidential information for review. All data and images can be exported to a Data Loss Prevention System. iW SAM can also accelerate detection of data breaches by notifying a designated administrator automatically, e.g. after a specific keyword has been printed. With all these measures in place, an administrator can quickly track and report which documents have been printed, copied or faxed and by whom.

Data breaches need to be reported within 72 hours to the national regulator.
GDPR Article 33

“Just 25% (of businesses) are fully confident their print environment is protected from security threats.”
L. Fernandes, C. Longbottom, Quocirca Ltd. Managed Print Services Landscape, 2017

“Within the first month of implementation, we saved 390,000 pages, which is 790 reams of paper or the equivalent of saving 20 trees just by implementing uniFLOW print management software.”

Fulfilling a data subject’s right to access

The right of access means an administrator is obliged to tell the data subject whether or not personal data about the person requesting it is stored. If data is stored, a copy of the personal data must be provided upon request (GDPR Article 15). An administrator can run off a report via a command line for any user data stored in uniFLOW. All user data from the database is compiled into an XML file and can be provided to the user.

Fulfilling a data subject’s right to be forgotten

GDPR grants the right to request personal data be erased, often referred to as the “Right to Erasure”, which must be complied with straight away (GDPR Article 17). If personal data is no longer needed, and the data subject requests it is deleted from the system, an administrator must be able to erase the data from the print environment. uniFLOW now includes a command line with which personal data can be deleted from the database. The user’s print job history will, however, remain in the database, as this information is required to verify an organization’s overall print volume and the related costs. The script also runs a check on the user data to prove to the user that the ‘Right to be Forgotten’ has been conducted properly.