
GDPR: five implications for the print industry

The mention of the acronym ‘GDPR’ will breathe a cold chill into marketing departments across the UK, but its impact on the UK print industry has been hard to nail down.


Andrew Morrison, managing director for Xerox UK and Ireland, says the regulation will impact companies that collect, process, store, or use personal data of EU individuals

Printers need to get prepared or face fines of up to €20m (£17.7m), or four percent of annual turnover if they do not comply with the rules of the EU General Data Protection Regulation.

Andrew Morrison, managing director for Xerox UK and Ireland, writes: The EU General Data Protection Regulation (GDPR) comes into effect in May 2018, by which time any organisation handling personal data of EU individuals must comply or they could face fines of up to €20m, or four percent of annual global turnover.
 
The regulation has implications for any company that collects, processes, stores, or uses personal data of EU individuals, including organisations in the public sector, and in the healthcare and marketing industries and the companies that serve them.
 


It is also set to affect transactional and direct-mail print companies, graphic communications and print businesses, whose activity includes processing of EU personal data. Despite the inevitable effect of this regulation on these businesses, recent IDC research finds that 51 percent of print and imaging decision makers do not believe that GDPR relates to print.
 
So what does the new regulation mean for the print industry? There are many implications, but here are five important starting points:
 
  • Understanding and set up

The first step for any company in the print industry is to understand whether they are classified as a data controller or data processor. Both have obligations under the new regulation. A ‘data controller’ determines the purposes and the means for which any personal data is to be processed (e.g. a bank) and a ‘data processor’ processes that personal data on behalf of the controller (e.g. a print company may be a data processor when printing bank statements on behalf of the bank).
 
Organisations - regardless of classification - may need to appoint a data protection officer (DPO) or, if not strictly required, many organisations may still decide to appoint one. Working alongside other departments, DPO tasks include monitoring compliance with GDPR, advising and informing the organisation and its employees about their obligations, and acting as the point of contact for supervisory authorities and individuals whose data is processed.
 
  • Records of processing activities
Under the new regulation, both data controllers and data processors are required to maintain records of data processing activities and make those records available to supervisory authorities if requested. 
 


How should data processors keep track of the flow of data? One way could be to conduct data mapping exercises that provide a comprehensive view of the data being collected, processed and held, and that trace the flow of data among business units and sub-processors or third parties. These mapping exercises would also need to be repeated as changes may occur in the way data is collected, or systems, processes or procedures may be changed during the lifecycle of the data.
 
  • Individuals’ rights
Close oversight and tracking of personal data is essential to comply with GDPR’s strengthened rights for individuals, which may include the right to be informed, the right to data portability and the right to erasure (also known as ‘the right to be forgotten’).
 
Where an individual wishes to have their personal data erased or, if appropriate, the processing of the data stopped, print companies, as data processors, may be required to assist data controllers with access requests. This would require data processors to locate specific personal data for removal or destruction at the behest of a data controller or individual.
 
  • Security and privacy by design
The new GDPR reporting window for data breach notifications, which allows data controllers 72 hours to report data breaches to the supervisory authorities, has gained significant attention. The GDPR also requires data processors to notify data controllers without undue delay after becoming aware of a personal data breach.
 
To avoid the fines and harm to reputation that a data breach can cause, the print industry is going to be expected to maintain a higher standard of security than ever before. Print companies should implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.


With the advent of The Internet of Things (IoT) and more wireless devices with access to networks, new cyber-security threats have emerged that have an impact on printer technology. Modern printers and smart devices call for a multi-layered approach to security that spans intrusion prevention, device detection, document and data detection and external partnerships with security specialists. Securing personal data, such as via encryption (as appropriate), is imperative; when data is no longer required, it should be appropriately erased.
 
In addition, product features such as access control (ensuring only authorised users have access to print devices) and secure print (only releasing print documents when the user enters their unique PIN number) help to address security concerns.
 
As the task of vetting security becomes increasingly onerous, it is likely that security service level agreements (SLAs) – including commitment to data encryption and two-factor authentication – will appear in contracts more frequently.
 
  • Network consolidation
Many transactional print projects use multiple partners for complicated direct mail campaigns (one agent for inserts, one for letters, one for collation etc.) which decreases control over the content and increases the risk of exposure.
 
The requirements of the GDPR could result in an increase in business for larger OEMs as customers seek the safety of a one-stop shop that manages sub-processors across all geographic locations and provides infrastructure, security and automated reporting within a controlled environment.
 
With less than a year to go until GDPR becomes effective, it’s time for organisations to prepare for the significant changes it will bring to the print industry. It’s time for print organisations, amongst others, to assess their data processing activity, seek out expert advice, and develop a systematic approach.
 
Disclaimer: The content of this article is provided for general informational purposes only and is not intended to be used as a substitute for specific legal advice or opinions. Xerox disclaims liability for any actions or inactions taken based on the content of this article.



