Check your printers for leftover GDPR-regulated PII

Many companies are embracing the GDPR as an opportunity to improve privacy, security, and data management, by cutting down on the amount of personal data they keep, ditching data that is no longer needed, and reducing the number of people who have access to it.

“Becoming more proactive with data protection regulations means having a clear and detailed map as to where all PII resides within an organization’s purview,” says Hiro Imamura, Senior Vice President and General Manager, Business Imaging Solutions Group, Canon U.S.A.

“The ‘right to be forgotten’ is a cornerstone of the GDPR, and while it may initially be cumbersome to map an organization’s information data-flow, it can also be viewed as a catalyst for improved efficiencies and security remediation. Mapping workflows will help lend itself to a clear outlook of inefficiencies and liabilities that otherwise may have gone unnoticed until a crisis, like a data breach, occurs.”

Don’t forget the printers!

GDPR-regulated data may be lurking in unexpected pockets of an organization.

Among the less obvious and often overlooked places where PII can be found is the fleet of multi-function printers scattered across the enterprise.

“In theory, all kinds of information are stored in print management systems from SPII / PII to sensitive business information. The way that these risks are mitigated is very simple. Article 30 of the GDPR, for instance, outlines the need of organizations to create an inventory of data. In the case of print, this entails the encryption of printer hard drives, encryption of print streams, job log obfuscation, and the deployment of secure data erase to remove traces of the sensitive data once printed,” Imamura explains.

“The multi-function printer is the backbone of most enterprises. Large organizations should be aware of the vast amounts of personal data that are naturally present in such print systems and work to incorporate hardware and software into their office infrastructure that is equipped with user authentication, user tracking, automation, and additional built-in security features to help protect an office’s confidential information.”

Where to start?

Paper left on the printer due to a lack of a print management solution or the unencrypted hard drive on a decommissioned printer can lead to compromised data more often than hacks.

Imamura advises organizations to first conduct a “brutally honest” self-evaluation of the organization and to insist that any partners, who directly or indirectly may be impacting the organization’s data handling processes, be equally honest, transparent, and cooperative.

Then they should speak directly to their printer vendor and find out more about their print management solutions and how they can help businesses to mitigate security risks.

“Organizations can become proactive in their approach to secure personal information on all devices by following Canon’s security hardening guide and focusing on the basics,” he adds.

“We alone cannot make any one company compliant, but our software can help mitigate some of the risks. Preset security settings and tools within our solutions will help to make it easier for organizations to manage new security policies under the GDPR.”