Is print security the weak link in your post-GDPR strategy?
As we edged our way towards the 25th May 2018, the date the EU’s General Data Protection Regulation (GDPR) came into force, every law firm worked tirelessly to make sure the personal data they held on clients, prospects, professional contacts and colleagues was totally secure. Systems were tightened, processes improved and new protocols adopted so that when GDPR arrived, the firm would be beyond reproach.
However, one area we’ve since discovered was overlooked by many firms is printing.
Although printers (or other multifunctional devices – or MFPs – like scanners with printing capability) may not be expressly referenced in the regulations, the wording of one of the key principles of GDPR is clear:
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.
While this of course means law firms must do everything necessary to prevent the personal data they hold from being accidentally or deliberately compromised, what may not be as obvious is that this also applies to how that data is processed, and that includes:
- Sending unencrypted data to a printer
- Storing unencrypted data on print servers or in printer storage
- Accidentally sending documents to the wrong printer
- Allowing material to be picked up by the wrong people
This means that if you hadn’t included your print networks within your post-GDPR IT strategy, something as simple as an honest mistake could leave you open not only to intense and unwanted scrutiny but also to the heavy financial penalties being imposed on those not complying with GDPR.
Omitting print from an IT strategy is not limited to the legal industry. According to a recent study, 50% of companies in the public sector admitted they weren’t aware of the implications of GDPR and of those, only 73% felt they were ready to meet their obligations with regard to print security. For us it was even more concerning that fewer than half of the 161 organisations interviewed had put a print security strategy in place.
So, what can you do to make sure print security is not the weak link in your post-GDPR strategy?
The first thing we would suggest is educating all your staff, from your most senior partners to your most junior support staff, as all of them will use your printer network.
Many of them will be unaware that unencrypted personal data is transferred to and stored on your printer, and until they recognise the threat it will be hard to get them to buy into taking the required action to neutralise it. Once they understand what is required, show them how to adapt their personal work practices so they stop sending documents to unsecured locations or leaving print-outs in trays for long periods without adequate protection.
However, looking more long-term – and taking into account that print technology will only become more advanced, which could well present additional challenges in the future – your firm will need to integrate print security into your IT planning and strategy. To make that a little easier, we’d suggest you start by considering three key points:
Today the use of mobile devices is integral to providing the level of service your clients demand. While you can’t hinder efficiencies, you do need to consider security, so it may be worth looking at introducing additional controls like digital certificates and role-based access, and placing more stringent filters on your ports and on the IP addresses you’ll accept.
If your printers are ageing, it may be time for an upgrade, but if an upgrade is impractical (or unaffordable) at the moment, look at adding personal security features to restrict who can use each printer.
If you can, configure your devices so they only allow authenticated users to print documents from them. Traditionally this would probably have been done by issuing swipe cards but now it’s far more efficient to write print release solutions and secure document monitoring protocols into your system.
While we appreciate the thought of revisiting your print network may not be a welcome one – especially given the time, effort and expense your firm will already have invested to bring you into line with the enormous demands of GDPR – the alternative is less palatable. The potential financial and reputational damage to your firm is unthinkable, especially if the root cause of those penalties could easily be avoided.
To find out more about our legal workflow solutions email: firstname.lastname@example.org