Wednesday, 28 June 2017

Preparing your Recruitment Agency for GDPR: Protecting your Data from Insider Threats

Over recent blogs, for obvious reasons, I've been talking a lot about cyber security. But today I wanted to go back to the topic of preparing for GDPR, as I know it is an issue that is concerning many of you at the moment.

In preparing your recruitment agency for GDPR it is important to realise that as well as securing your personal data from external cyber threats, you also need to be securing it from insider threats. So what do I mean by insider security threats?

Well, this can be something like a rogue employee or a disgruntled ex-member of staff, but more likely it will be a genuine member of staff who accidentally causes a security breach or data loss.

Human error, or our natural tendency as human beings to take the easy option, is actually one of the most common causes of such an incident, so it is good practice to put in place policies and controls that will minimise the risk of such an occurrence.

Password policies would be one such control. I'm sure that, for ease of memorability, we would all naturally tend towards an obvious password, but these are very easily guessable and as such do not provide the level of care and protection of your confidential data that GDPR demands. Equally, there is a fine balance to be struck: overly complex password policies, which demand long and complex passwords that change frequently, can result in staff feeling the need to write their passwords down, and having passwords recorded on sticky notes certainly doesn't demonstrate due care of confidential data under GDPR!

Having appropriate processes and procedures around starters and leavers is also key in ensuring that only authorised personnel have access to your confidential data. Equally, it is best practice to only give staff the minimum access to systems and data that is needed to do their job, in order to minimise risk from a data breach or deletion, whether accidental or deliberate.

Staff education is also vital in ensuring that your systems are not compromised by security threats like malware or ransomware, which are often transmitted via rogue emails. I know many of you have seen and downloaded my white paper "Best Practice for Staying Safe Online", a copy of which can be found here if you missed it first time round.

The mobile working revolution has also opened up a plethora of new challenges, and preventing data loss or data leakage from mobile devices is a key area that needs careful management under GDPR. With company emails now frequently being synchronised to personal mobile phones, and data often being held on laptops to enable remote working, it is all too easy for confidential data to be lost if a device is mislaid or stolen. Equally, staff can sometimes be unaware of the implications of having certain pieces of software on their laptop and may be unwittingly backing up or synchronising confidential company data to an unsuitable or insecure location, or even outside the EEA.

Nowadays, it is also likely that external organisations or third parties have legitimate access to some of your IT systems or data. In this case, this access needs to be secured in just the same way as it is for your own staff, so you are clear who has access to which parts of the system, why this is needed and how it is controlled. There also need to be procedures in place to review, amend and remove access for third parties as business relationships evolve and change.

If you would like to discuss ways in which Xara Computers can help you secure your agency's data and prepare for GDPR compliance, please do not hesitate to contact me, or my colleague Andrew Banning, on 0208 732 5656 or email us on or when we will be happy to help.

Xara Computers' flagship product, the XC360 for Recruitment private cloud platform, provides recruitment agencies with a fully managed, highly secure, UK-based remote desktop running all of their own agency's software. This allows fee earners to work and collaborate in real time, from any location, using any computer, laptop or tablet, safe in the knowledge that their confidential client data is centralised and secure. For more information, please visit our website.
