GDPR Compliance Risks and Mitigation

Inception continues to review our processes to ensure both compliance and best practice when it comes to personal information.

Inception has identified three key customer-facing areas where it either holds or comes into contact with data about or on behalf of a customer, company or individual. These occasions fall strictly within GDPR constraints, and risk is mitigated by the following:

Data held on Inception-supplied devices at customer sites

Risk

Data held on a product supplied by Inception, including but not limited to address books and latent images on a printer’s memory/storage (hard drives etc).

  1. Hard drives may contain latent images of confidential data
  2. Address books may contain personal email addresses

Mitigation

Inception will ensure that all hardware removed from customer sites will have the hard drive removed and sanitised prior to either redeployment or end-of-life disposal. In the event of a hard drive being removed due to component failure, Inception will ensure that the hard drive is destroyed beyond reasonable data recovery attempts.

Inception will ensure that all hardware removed from customer sites will have the address book and transmission histories formatted to remove any email address or user names.

Scan to email using Inception's email server(s)

Risk

Inception provides email server access to devices where a customer does not have their own email facilities to enable scan to email.

  1. Devices may keep a historic record of email addresses sent to
  2. Email servers may keep a record of failed email attempts and auto-responses

Mitigation

Inception will ensure that, where possible, customers use their own email servers. Where Inception's servers are the customer's preferred choice, Inception will ensure suitable password protection of that account together with appropriate security to safeguard any data. Please note that the only data held on Inception's email server would be the 'send to' address in the email logs in the event of the email address failing, or an 'auto response' from the intended recipient of the scan to email. Regardless of success or failure, Inception's servers never hold a copy of the document scanned. All logs are password protected within Inception and regularly deleted.

Account and Marketing information held by Inception

Risk

Inception holds account information including company name, address, phone number, contact names and other information relevant to the fulfilment of existing, former and potential future agreements between Inception and its customers (including machine type and location, IP address, key contacts' emails etc.).

  1. Employees or a malicious third party may attempt to access or remove data for a non-authorised purpose.
  2. Employees may use data for a non-authorised purpose.

Mitigation

Inception shall protect this data by password and suitable security measures to ensure that only appropriate data is available at the point of need. All data that could be used to identify a specific person shall be held only for the purpose intended. Inception will undertake quarterly training to review the appropriate use and management of individuals' data.

The UK Government's Information Commissioner's Office (ICO) has issued the following advice in its Clear Desk and Screen Policy.

CLEAR DESK AND SCREEN POLICY

Findings: Not all organisations contacted operate a clear desk and screen policy, with paper records often left on desks or printers. Some files were left in insecure cabinets or on open shelving. The use of "Ctrl-Alt-Delete" to lock workstation screens was inconsistent. The survey also revealed that while 67% of employees did adhere to the clear desk and screen policy, only half confirmed that spot checks are carried out to monitor compliance.

Recommendations: Organisations should develop a formal clear desk and screen policy and communicate it to all staff and any relevant volunteers, including home workers.

Printers should be checked to make sure information is not left unattended during the day or overnight.

The full report can be seen at:

https://ico.org.uk/media/action-weve-taken/audits-and-advisory-visits/1043091/outcomes-report-victims-services-alliance-organisations.pdf