Firms urged to protect hard copy data
While much of the focus on the General Data Protection Regulation (GDPR) has been on organisations securing their IT systems and the digital files they hold, less attention has been paid to how the GDPR will affect physical files.
The volume of physical files, printouts or hand-written meeting notes that companies still churn out - many of which are left in a disordered and unsecured fashion on desktops and around offices - is still immense.
When I talk to Jonathan Armstrong - co-author of one of the definitive works on technology law, "Managing Risk: Technology & Communications", and one of the most influential figures on data security in Europe - he has just concluded a training session for a major organisation on the topic. "We have just finished a training session this morning purely for securing physical records, because like a lot of organisations they still print an awful lot of files," said Armstrong.
"In many ways, an unsecured physical file is a lot more damaging than a digital file. If an encrypted email, USB stick or laptop is lost, then to a certain extent 'big deal' as long as the encryption is up to scratch, but if you lose a printout then it is easy for people with no technical expertise to read, take a photo on their mobile phone and give it to whoever they want," he added.
According to Armstrong, roughly one in every five data breaches that occurs is due to physical files and these are covered by the GDPR in exactly the same way that digital files are, yet many organisations are taking their eyes off the ball in relation to these.
"My sense is that proportionally breaches of hard copies of files are on the rise, but I'm not sure how much of that is due to a rise in awareness of the importance of security for digital files, or because we are getting better at locking systems down," says Armstrong. "For example, a company may ban memory sticks and use data-loss-prevention software to stop employees from sending emails outside the organisation, but may not prevent staff printing a whole load of files that they are working on, and could end up leaving them on the bus or in a cafe."
Armstrong believes this is because the individuals in companies who are responsible for data protection have large blind spots when it comes to how information is used within their organisations.
"Quite often the person who is in charge of IT is also in charge of data protection, and while they may be very in tune with all of the technological ways of securing electronic data securely and preventing information from leaving the organisation by email or portable hard-drive and may have the most state-of-the-art encryption on their systems, they may completely forget that there is a printer attached to the system," he said.
As with all aspects of the GDPR, a lack of awareness and mindfulness is the major barrier to implementing the new regulation adequately - and securing physical records may be an even bigger challenge than securing electronic data.
"Businesses really need to focus on hard copies of records more, because it is certainly being overlooked in many cases. In many ways, records like this are harder to secure as you can encrypt files and emails - but you can't prevent employees from writing down what is in their head," Armstrong said.
Jonathan Armstrong, a partner in Cordery, is a speaker at the Dublin DataSec 2017 conference, which takes place on May 3 in the RDS. The event will provide expert speakers, information and insight to help businesses comply with GDPR and get the most out of the legislation.
Sunday Indo Business