Friday, 5 May 2017

Preparing for GDPR: Securing your Recruitment Agency’s Data Part 1

In my previous blog, Cyber Security for Recruitment Agencies…. 8 Top Tips to Keep Your Agency Safe, I gave some pointers to help recruitment agencies safeguard their confidential client and candidate information.

Since then, many of you have been in touch asking for more information on this topic, especially in light of the imminent enforcement of GDPR. Therefore today I thought it would be useful to share some more information about the specifics of securing your agency’s data. This broadly falls into two categories – access control (effective security for authorised users) and cyber security (protection against unauthorised access).

Today I am going to talk about the former, as having good access control systems lies at the heart of successfully protecting your recruitment agency’s data, and forms an important part of preparing your agency’s information systems for GDPR compliance.

GDPR places accountability on recruitment agencies to have in place policies, procedures and documentation that demonstrates the personal data they hold is stored securely. Bearing in mind that the recruitment industry is fundamentally all about dealing with the storage and movement of personal data, this is likely to cover the vast majority of an agency’s data and activities.

Therefore, for each of your computer systems, it is important to understand, and have documented, who has access to that system and what level of access they have. Bear in mind that it is best practice to give each user the minimum access they require to the system to do their job. Allowing staff wider access to systems puts you at greater risk of a data security breach, data corruption or data loss through incidents such as accidental deletion, a ransomware attack or malicious insider threats. As well as having SOPs in place to handle the IT access control requirements of new starters, it is also important that there are procedures in place to cover what happens when somebody leaves the company or changes role.

Nowadays, it is also likely that external organisations and third parties such as outsourced payroll providers or organisations carrying out background checks will have access to some of your IT systems or data. In this case this needs to be secured in just the same way, so you are clear who has access to what parts of the system, why this is needed and how it is controlled. There also need to be procedures in place to review, amend and remove access for third parties, as business relationships evolve and change.

Mobile and remote working present a whole additional set of challenges to IT security, with the potential for copies of data or emails to be residing on all kinds of devices, both company owned and employee or third-party owned, which do not necessarily conform to company security standards. Developing policies around mobile working and ensuring there is not leakage of data or unauthorised access to data form a critical part of compliance nowadays. Policies and technologies also need to be implemented to protect against data breaches from mobile devices that are lost or stolen.

Finally, bear in mind that it is not just your main company-wide IT systems that fall under the GDPR. Any indexed system that contains personal data is subject to the legislation, so do make sure you are also including in your access control procedures all those little databases or spreadsheets that have been developed by an individual or department and which contain personal data.

If you would like to discuss ways in which Xara Computers can help you secure your agency’s data, and prepare for GDPR compliance, please do not hesitate to contact myself, or my colleague Andrew Banning, on 0208 732 5656 or email us on or when we will be happy to help.

Xara Computers flagship product, the XC360 for Recruitment private cloud platform, provides recruitment agencies with a fully managed, highly secure, UK based remote desktop running all their own agency’s software. This allows fee earners to work and collaborate in real-time, from any location, using any computer, laptop or tablet, safe in the knowledge that their confidential client data is centralized and secure. For more information please do not hesitate to contact me on 0208 732 5656 or email