The new GDPR (General Data Protection Regulation) is nearly upon us. Although the regulation has been in place since 2016, it becomes enforceable from May 2018.
As an organisation, you’re probably some way through conducting an information audit, seeking to:
– Build a thorough picture of your ‘data landscape’ – i.e. document where your data is currently held and who you share it with,
– Establish what the lawful basis is for processing it. Do you need to regain the individual’s consent?
If you currently share your staff’s personal data with an ID Card Bureau and they print cards on your behalf, how does the regulation affect you?
The Data Landscape
If you outsource your ID card printing, you (as the Data Controller) are sharing personally identifiable information of your staff with an external third party (known as the Data Processor) which needs to be protected under the data protection principles of the GDPR.
It isn’t enough to just generate a list of your third-party suppliers or partners – organisations that process your personal data on your behalf – you also need to assess their procedures. Is the data being processed in a manner that ensures its security? Are they meeting their GDPR responsibilities as a Data Processor?
Lawful basis for processing & consent
You need to demonstrate that there is a lawful basis for processing data. In the case of ID cards this is simpler than most: you need your staff to wear their ID cards to access the building and complete their job responsibilities.
In this case, the processing of the data is necessary in relation to a ‘contract the individual has entered into’ – namely employment.
What are the risks of continuing to use an external card printing company?
Remember that your staff have the right to know where their data is stored, and you have an obligation to implement technical and organisational measures to show that you have built data protection into all your data processing activities.
First things first – you need to ensure that any third party processing your data has their own GDPR ‘ducks in a row’. Are they fully compliant?
Naturally there are risks when you aren’t controlling the data yourself. And the more third-party processors you use, the more that risk increases.
Don’t forget, under GDPR, if there is a data breach by one of your Data Processors, you are both liable (you as the Data Controller, the third party as the Processor) – even if there is nothing you could have done to prevent that breach. You are also reliant on the Processor informing you that a breach has occurred.
Failure to report a breach when it happens could result in a fine, in addition to a fine for the breach itself.
Printing your own cards minimises your data risk
Bringing your ID card or membership card issuance in-house allows you to manage the data risk yourself, rather than relying on a third-party processor to process and store your data correctly and securely.
Investing in a Plastic Card Printer puts you in control of your own data:
- You keep your personally identifiable information within your own controlled environment.
- You manage when cards are printed, by whom and how the data is handled.
- You manage the right to rectification, the right to be forgotten and the right to restrict processing.
- You follow your own due process rather than relying on someone else to follow theirs.
- You choose a plastic card printer with the necessary locks and security features, ensuring that no unauthorised personnel can access it.
If you choose to print your cards yourself, don’t forget about the data you leave behind
A lot of people don’t realise that the card printer ribbon retains an imprint of the personal information after the card has been printed.
This means anyone picking up the used ribbon after it has been discarded would be able to retrieve all the information of your card holders.
Make sure you build the shredding of your printer ribbon into your due process, or buy a card printer that automatically ‘scrambles’ the ribbon for you.
Do a thorough data mapping
Whether you choose to carry on using an external supplier for your ID cards or you take them in-house, make sure you consider all angles of the process. Where are the risks likely to lie?
Is the data transmitted securely, and kept in a password-protected database, for example? Is a data breach possible through not disposing of a card ribbon safely, or by sending cards through non-secured mail?
Considering the reasons you might fail to meet GDPR compliance is the best way to create a plan to ensure you don’t.