Image by: Epitavi, ©2018 Getty Images

The European Union's General Data Protection Regulation (GDPR) is finally here, as its enforcement deadline went into effect late last week. The GDPR has proven to be a very complex piece of legislation with ramifications reaching into some unexpected, far-reaching areas of the enterprise. While certain aspects of the law are clear, such as the “right to be forgotten” and consent requirements, other areas remain somewhat murky for compliance specialists, including the security of paper and paper-based customer information.

We can expect nuanced interpretations of the law in the early days, and it may take some time and examples to gauge how various infractions, like paper-based data breaches, are treated and penalized. However, there’s no doubt that certain GDPR provisions are demanding better paper management immediately.

For example, the “right to be forgotten” mandate (also known as “right to erasure”) allows customers to request all instances of their personal data within a company’s systems to be deleted—at any time. How can organizations find and delete this information if it resides on paper? Therefore, the GDPR makes a prime case for the digitization of paper. Automation is now enabling organizations to convert their paper documents into a digital format and classify them among digital folders and subfolders. These documents also become fully searchable, making it easier to comply with “right to be forgotten” requests. Beyond compliance, greater digitization of paper can drive additional benefits within an enterprise, including a higher level of information security and greater workflow efficiencies.

Additionally, the “right to consent” clause in the GDPR also requires organizations to directly secure a customer’s consent to use his/her personal data for any business purpose beyond the reason it was originally derived (e.g., using a customer’s personally identifiable information for initiatives like data analytics). Many in the big data space have openly pondered the legality of running data analytics under the GDPR.

It’s possible for data analysis and GDPR to peacefully coexist—though certain new steps need to be implemented. For many organizations, a vast amount of customer data continues to reside on paper. If paper documents are destroyed due to retention policies, organizations may miss the opportunity to leverage that data in their analytics initiatives. Like the “right to be forgotten,” the first step to ensuring compliance for the “right to consent” is to digitize documents and leverage redaction and encryption tools in order to meet the GDPR requirement “to make it reasonably difficult to identify individuals.”

For example, an organization using data analytics to determine its fastest-growing business regions in the US might look at addresses and corresponding sales data to find trends. By using encryption or redaction of names and other pieces of identifiable information, individual customer information is disassociated with addresses and other details, establishing reasonable difficulty and negating the need to secure consent.

Security Breaches

The GDPR naturally places a premium on excellent cybersecurity defenses to protect data, but often, this attention is focused on the network perimeter, overlooking the most seemingly innocent of security risks, like the office printer. Today’s multi-function printers (MFPs) provide a range of capabilities, from copying, to printing, to scanning and emailing, to faxing. MFPs can create a data security risk in several ways and can lead to organizations being fined.

While insider threats are often associated with malicious or disgruntled employees, careless workers are commonly the inadvertent source of data breaches and leaks. The motivation of the employee ultimately does not matter much, because data leaks, such as intercepting documents off the printer tray or sending electronic files to unauthorized recipients, are far more common than stereotypical hackers.

The Ponemon Institute recently found that the volume of insider threats (including both malicious and innocent workers combined) far exceeds other types of computer security threats. Organizations must proactively protect both their people and their businesses through greater controls and auditing capabilities. For example, parameters can be set to authenticate identification at MFPs prior to printing, while auditing capabilities can help organizations keep track of who scanned what documents and where they were sent.

The GDPR Raises the Stakes for Controlling Documents

Paper remains a slippery slope, and unlike electronic data, paper-based information tends to be more elusive when it comes to building in procedural security safeguards. However, GDPR’s broadest and clearest mandates like the “right to be forgotten” and the “right to consent” are requiring organizations to shore up security for their paper-based data in no uncertain terms.

While the guidelines for paper management in a GDPR world are sure to evolve, consider the following initial checklist:
  • Digitize, digitize, digitize: This is critical to better information security and compliance, as well as better operational performance.
  • Employ redaction, encryption, and other tools for obscuring digital data when necessary.
  • Secure the MFP to protect against insider threats and insulate sensitive data as it passes from paper to digital format and vice versa.
  • Log the handling of documents so you have an audit trail. Providing who, what, and where a breach occurred within 72 hours is a critical part of GDPR compliance.
Tracey Mustacchio is the Senior Vice President of Product and Marketing at Nuance Document Imaging. Prior to Nuance, her 20-plus-year career focused on leading Product and Marketing teams at large enterprises, like McAfee and IBM, as well as several startups. For more information, visit or follow her on Twitter @tmustacchio.