The eFax Blog

Faxing and GDPR Compliance | eFax Corporate

– by eFax Corporate Team

Taking the First Steps

Is your IT department ready to meet the compliance demands of the new EU General Data Protection Regulation (GDPR)?

As of 25 May 2018 the GDPR came into effect and this new regulation means that many organisations will be forced to change the way they collect, store, process, and protect the personally identifiable information (PII) of EU residents.

This includes, of course, PII transmitted by fax.

Learn more about online faxing or talk to us about your needs

EU-GDPR

What’s At Stake

If your organisation is still using analog fax machines to share PII, there is a great deal at stake.

The new regulation is meant to ensure the ongoing confidentiality, integrity, availability, and resilience of the systems that process and serve personal data.

Companies sending and receiving paper faxes are at risk of not being able to demonstrate adequate security measures and audit trails since paper faxes are not logged with time-stamped delivery receipts, and are less capable of being readily located in a search.

But analog faxing represents only one vulnerability. Wherever gaps in security exist there is the risk of noncompliance and the threat of crippling consequence: Noncompliant organisations will face fines up to €20 million or 4% of annual global turnover, whichever is greater – not to mention the incalculable damage to brand image and customer relations.

GDPR: The Regs Get Tighter

By requiring companies to adopt new data-protection processes and controls to better protect the privacy rights of EU citizens, GDPR extends its regulatory reach well beyond the current EU Data Protection Directive to include:

  1. Increased Territorial Scope The GDPR can apply to companies established outside the EU, for example, if they are processing personal data of EU residents when offering them goods or services.
  2. Privacy by Design and Default The GDPR IT infrastructure is required to include specific technical safeguards for the protection of European PII.
  3. Breach Notification Data controllers are required to alert affected data subjects within 72 hours of a data breach.
  4. Consent Companies that are relying on consent as the basis of processing personal data will need to ensure such consent meets the higher standards required under the GDPR.
  5. Data Protection Officers Certain Companies will be required to designate a Data Protection Officer (DPO) to supervise compliance with the GDPR.
  6. Data Subject Access Rights The GDPR enhances the rights of data subjects in relation to the processing of their personal information, including the right to be forgotten. Companies must respond to requests from data subjects exercising these rights within one month.
  7. Data Protection Impact Assessments Companies must conduct data-protection impact assessments to assess the risks associated with its processing activities and what steps in can take to mitigate such risk.

Implementing Appropriate Measures

The new regulation is meant to update data protection standards to fit today’s technology while remaining general enough to protect the fundamental rights of individuals throughout future waves of innovation.
As a result, GDPR doesn’t offer a step-by-step process for achieving compliance with any of the law’s data-privacy principles.
Companies therefore need to review the personal data they process and the associated risks with their processing activities and implement appropriate technical and organizational measures taking account of state of the art.
Integrate Fax into Your ERP Systems

What You Can Do

The best way to prepare for GDPR compliance is for your organisation to implement a solid data-protection strategy that guards against data loss of any kind, whether through malicious or accidental means.
In practical terms, this means two things:
  1. Bringing your company into alignment with Payment Card Industry Data Security Standards (PCI-DSS).
  2. Migrating your legacy fax infrastructure to a fully hosted cloud fax solution.

PCI-DSS

If your goal is GDPR compliance but you’re unsure where to start, a good first step is to bring your company into alignment with the Payment Card Industry Data Security Standards, or PCI-DSS.

PCI-DSS is the most widely accepted information-security standard for businesses that handle credit cards and have to protect against card fraud while also keeping a cardholder’s personal data secure.

A Cloud Fax Solution

Another step you can take immediately to advance you toward both PCI and GDPR compliance, and which won’t require any hardware purchase or extensive employee training, is to migrate your legacy fax infrastructure to a fully hosted cloud solution.

In-house fax servers (as well as stand-alone fax machines) pose inherent risks to data security and privacy by generating paper copies of customer PII, maintaining unencrypted records of PII on fax hard drives, and failing to maintain a complete audit trail or tight chain of custody around fax transmissions.

How the Right Cloud Fax Platform Can Help

A review of three key GDPR guidelines demonstrates how the right cloud fax solution can directly improve your compliance standing:
  1. GDPR Article 25: Data Protection by Design and by Default Privacy by design calls for the inclusion of data protection from the onset of the designing of systems.
    The right cloud fax platform is already designed to meet such data-protection requirements, ensuring that your faxes will be sent, received, and stored according to technical and organisational best practices for security, accessibility, and compliance.
  2. GPDR Articles 12-20: Rights of Data SubjectsThe expanded rights of data subjects include the right to obtain from the data controller information as to whether personal data concerning them is being processed, where, and for what purpose, and to request their personal data to be deleted.
    The right cloud fax platform will render the text of all documents fully searchable for speedy retrieval, plus generate full audit trails of faxes, including metadata, which can be used to show that appropriate measures have been taken.
  3. GDPR Article 32: Security of ProcessingThis article requires organisations to implement appropriate security measures to protect personal data, and specifically references ‘encryption’ as a particular measure.
    The right cloud fax platformwill protect faxes in transit with TLS 1.2 encryption, and at rest with 256-bit AES, adhering to security best practices and compliance standards.

Conclusion

Born of the desire ‘to protect personal data and the fundamental right of human privacy,’ GDPR represents a new era of privacy regulation for businesses handling EU resident data.

Enterprises confronting GDPR compliance challenges would do well to immediately adopt the privacy standard represented by PCC-DSS.

Those using fax communications to share PII should further consider moving their legacy fax infrastructure to a proven cloud platform that will precisely time-stamp, centrally store, and automatically index inbound and outbound faxes to let organisations more readily demonstrate GDPR compliance.

For more information, to get a quote or set up a trial, please get in touch.