Remote monitoring of printers in the Cloud and compliance with GDPR

The European Regulation 679/2016 (GDPR) sets new standards for the management of personal data to anyone who is in a position to manage them – including companies that use remote printer monitoring systems. Below is a self-assessment of whether your company complies with the regulations or not.

Remote monitoring in the Cloud, for companies involved in the printer business, is now an essential component of the IT infrastructure. Dealers, suppliers and print service management providers around the world use Cloud-based SaaS (Software as a Service) applications to collect and store data, counters, toner levels plus the additional information needed for remote monitoring, to manage cost-page contracts and automate the delivery of consumables to end users.

As a result of the sudden changes in the market and today’s highly competitive scenarios, the advantages of using SaaS Cloud monitoring platforms are tangible: constantly updated software, centralized support procedures, no infrastructure costs, and very short go-live times, are just some of the many features that make these solutions extremely advantageous and powerful.

However, as always, great power also comes with great responsibility.

It is well known that any company with customers located in Europe must comply with the directives of the General Data Protection Regulation 2016/679 (GDPR) for all personal data processing activities of European citizens. Printer Dealers and Managed Print Service Providers (MPS) are no exception, as the GDPR also applies to the management of personal data within SaaS remote monitoring systems.

Article 4.1 of the GDPR clearly states that “personal data shall mean any information relating to an identified or identifiable natural person”, specifically: names, physical addresses, online identifiers such as an e-mail address related to a physical identity.

Consider the role of a printer and multifunction dealer using one of the many SaaS monitoring systems on the market. Can the use of such a system introduce additional risks to GDPR compliance?

The answer to this question depends on several factors:

• Type of data processed: personal or business data;
• Level of data protection implemented by the SaaS provider;
• Existence of an appointment as Data Processor by the company to the SaaS provider, as provided for by art. 28 of the GDPR;
• Level of GDPR compliance ensured by the SaaS provider;
• Physical location of the servers (inside or outside the European area) where the SaaS provider hosts its applications and where the data are managed and stored.

If only technical data is handled in the SaaS system, or only corporate data in relation to legal persons, these are NOT under the protection of the GDPR and are NOT required to be managed in accordance with the GDPR. In this scenario, all the factors listed above are not relevant to the company’s compliance and, most likely, there will be nothing to fear.

If, on the other hand, personal data of European citizens are transferred to a SaaS system, such as personal names, personal email addresses and telephone numbers or any other information relating to an identifiable person, then such data must be processed in accordance with the requirements of the GDPR. In this case, all the points listed above become extremely important and will have to be carefully taken into account when verifying compliance with the law.

How can you self-assess your conditions to ensure that data management activities in SaaS comply with the GDPR?

Below is a short checklist of questions to assess the status of the Cloud SaaS environment used by the company:

1. Are personal names and/or email addresses stored in the SaaS database, for example to send alerts, reports, notifications, email messages, etc. or any other personal data as reported in Art. 4.1 of the GDPR?

• • If No, you most likely won’t have to worry about meeting any of the GDPR’s requests;
  • If Yes, all or some of the following requests must be applied.

2. Has the SaaS provider provided clear and comprehensive information about the level of security and protection it has implemented in the management of personal data?

3. Has an Appointment Deed (Data Processing Agreement) been signed with the SaaS provider? Is this Act drawn up in the form of a legally binding contract in which security, protection procedures and policies, roles and responsibilities and other provisions required by law are clearly expressed and accepted by the SaaS provider?

4. Has the SaaS provider formally appointed a DPO (Data Protection Officer) for your company?

5. Has the SaaS provider provided a certification attesting to the existence of personal data processing procedures that are fully compliant with the requirements of the GDPR?

6. Are SaaS servers located in a country in the EU?

• • If so, there are no other requirements on this point, as the GDPR does not impose any constraints on the transfer of data within the EU;
  • If they are not, you must make sure that the transfer of data to the country of storage is allowed. This can be true if the country is considered adequate by the European Commission, which has the power to make decisions on adequacy under the GDPR. In the absence of a decision on adequacy, additional safeguards, such as binding company rules or standard clauses on data protection in contracts, need to be put in place;
  • If the Cloud SaaS system is located in the U.S. (which is the most common case for many SaaS providers of monitoring solutions), the provider must be included in the EU-US Privacy Shield Framework and be listed in the Privacy Shield List, This makes it easy to check for possible compliance or non-conformity;
  • Does the SaaS provider have any privacy and information security certification, such as ISO/IEC 27001 certification?

In the absence of clear answers to these questions, there is a real risk of having problems complying with the GDPR in the personal data processing activities.

In conclusion, it should be borne in mind that in any situation where a Data Controller (the company) transfers personal data of European citizens to a Data Processor (the SaaS provider), the Data Controller is responsible for ensuring and demonstrating that the processing activity is conducted in full compliance with the GDPR.