Wednesday, 23 August 2017

GDPR in Recruitment – 7 Top Tips for Compliance (Part 2)



In my previous blog, I shared the first 3 of my 7 top tips for GDPR compliance for recruitment agencies.

With the Digital Minister, Matt Hancock, having now formally announced the new Data Protection Bill, which will enshrine the GDPR in UK law and prepare the UK, from a data protection perspective, for life after Brexit, I thought it would be useful today to share a further 4 tips on preparing your recruitment agency for GDPR:

1. Put together a new or updated data protection policy and train employees on it.

This is important because everyone in your organisation needs to understand their obligations under GDPR and what they must do to meet them. It only takes one employee who does not fully understand those obligations for something like a data breach to occur, with the potential for crippling fines and reputational damage to the agency. One area where I am often asked for advice is BYOD (Bring Your Own Device) policies, where employees may be holding copies of the agency's data or emails on their own laptops or smartphones. Such devices may not adhere to the agency's security policies, so the policy on protecting data held on them needs especially careful handling: at a minimum, any personal device that holds agency data should be encrypted, protected by a screen lock, enrolled in device management so that it can be wiped remotely if lost or stolen, and kept within the same patching and access rules as agency-owned equipment; if that cannot be enforced, the data should not be on the device at all. Please feel free to contact me if you need advice on this subject.

2. Put in place processes for ongoing education for all members of staff around cyber security and data protection.

Because the cyber security landscape is constantly changing, it is very important that employees are kept up to date with best practice around security and data protection. To help with this, we have put together a free staff training document, “Best Security Practices for Staying Safe Online”; to request a copy please email me at at@xc360.co.uk.

3. Review Your Backup and Disaster Recovery procedures.

GDPR imposes an obligation to look after the personal data of candidates, clients and employees which is entrusted to your agency. This includes backing it up so that in the event of an IT problem, data corruption, a natural disaster or a cyber attack you have backups from which you can accurately restore that data in a timely fashion. As a minimum, I would suggest that you should be backing up your data daily, but in reality most agencies are now looking at much more frequent backups, in some cases as often as every 15 minutes, or via real-time replication. Two caveats apply. Backups that sit on the same network, reachable with the same credentials as the live data, will be encrypted by the same ransomware that hits the live data, so at least one copy should be offline or otherwise unreachable from the production environment. And a backup has not been verified until you have restored from it and checked the result, so restore tests should be scheduled regularly rather than attempted for the first time on the day of the disaster.

You can read more about good practice around data backups and recovery procedures in my blog “Preparing Your Recruitment Agency for GDPR: Data Backup and Recovery” (http://www.it-for-recruitment.co.uk/2017/07/preparing-your-recruitment-agency-for.html).
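The restore test described above, as an added example that is not part of the original post or of any XC360 tooling: it builds a constructed "live" data set and a "restored" copy in a temporary directory, hashes every file on both sides, reports what the restore lost or corrupted, and checks the age of the latest backup against a recovery point objective. The file names, the 15-minute RPO and the fixed timestamp are assumptions for illustration.

```python
"""Restore-verification check: added example, not XC360 code.

Builds a constructed "live" data set and a "restored" copy in a temp
directory, hashes every file on both sides, reports files that are missing
or differ after the restore, and checks the backup's age against a
recovery point objective (RPO). The directories, the 15-minute RPO and the
fixed "now" timestamp are assumptions for illustration.
"""
from __future__ import annotations

import hashlib
import shutil
import tempfile
from pathlib import Path

RPO_SECONDS = 15 * 60  # assumed 15-minute RPO, the tightest figure the post mentions


def manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            result[path.relative_to(root).as_posix()] = digest
    return result


def compare_restore(live: dict[str, str], restored: dict[str, str]) -> dict[str, list[str]]:
    """Files the restore lost, files whose content differs, and files it should not contain."""
    return {
        "missing": sorted(set(live) - set(restored)),
        "changed": sorted(k for k in live.keys() & restored.keys() if live[k] != restored[k]),
        "extra": sorted(set(restored) - set(live)),
    }


def within_rpo(backup_taken_at: float, now: float, rpo_seconds: int = RPO_SECONDS) -> bool:
    """True if the most recent backup is no older than the RPO allows."""
    return 0 <= now - backup_taken_at <= rpo_seconds


def run_demo() -> dict:
    """Constructed scenario: one file corrupted and one file lost during restore."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        restored = Path(tmp) / "restored"
        (live / "crm").mkdir(parents=True)
        # Constructed sample data; the people and addresses are not real.
        (live / "crm" / "candidates.csv").write_text("Jane Doe,jane.doe@example.com\n")
        (live / "crm" / "clients.csv").write_text("Acme Ltd,buyer@example.org\n")
        (live / "placements.txt").write_text("2017-08: 3 placements\n")
        shutil.copytree(live, restored)
        # Simulate a bad restore: one file truncated, one file absent.
        (restored / "crm" / "clients.csv").write_text("Acme Ltd,")
        (restored / "placements.txt").unlink()
        report = compare_restore(manifest(live), manifest(restored))
    now = 1_503_500_000.0  # arbitrary fixed "now" so the result is deterministic
    report["backup_20min_old_ok"] = within_rpo(now - 20 * 60, now)
    report["backup_10min_old_ok"] = within_rpo(now - 10 * 60, now)
    return report


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Against real data the same two functions would be pointed at the live share and at a restore made to a scratch location; a non-empty "missing" or "changed" list means the backup cannot be relied on, whatever the backup software's own job status says.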

4. Create a breach notification plan. 

This is important because if the worst should happen and you do experience a personal data breach, you need a clear plan to deal with it and to communicate it as promptly and accurately as possible, with the least possible damage to your agency. Under GDPR the clock starts when you become aware of the breach: the ICO must be notified within 72 hours unless the breach is unlikely to result in a risk to individuals, and the individuals affected must be told without undue delay where the breach is likely to result in a high risk to them. The plan should therefore name who decides whether a breach is notifiable, who contacts the ICO, clients and candidates, and how the incident and the decisions taken are recorded, because even breaches that are not notified must be documented.

If you are concerned about your agency’s GDPR compliance position, please do not hesitate to contact myself, or my colleague Andrew Banning, on 0208 732 5656 or email us on at@xc360.co.uk or ab@xc360.co.uk when we will be happy to arrange a no obligation conference call or meeting.

_________________________________________________________________________________

Xara Computers' flagship product, the XC360 for Recruitment private cloud platform, provides recruitment agencies with a fully managed, highly secure, UK-based remote desktop running all of their own agency's software. This allows fee earners to work and collaborate in real time, from any location, using any computer, laptop or tablet, safe in the knowledge that their confidential client and candidate data is centralised and secure. For more information please visit our website https://www.xc360.co.uk/recruitment/

Wednesday, 9 August 2017

GDPR in Recruitment – 7 Top Tips for Compliance (Part 1)



The new EU General Data Protection Regulation (GDPR) comes into effect on 25 May 2018 and represents the most radical change in data protection legislation in the last 20 years. GDPR has been developed to reflect the changing use of data in the digital world in which we now live, and is designed to enable citizens to benefit from modern digital services, whilst providing sound, well formulated and properly enforced data protection safeguards to help mitigate risks and inspire public confidence in how their information is handled by businesses, third parties, the state and public service providers.

Failure to comply will have potentially catastrophic implications for companies, for two reasons:

1. For the most serious infringements, the UK regulator, the ICO, will be able to levy fines of up to €20 million or 4% of your annual worldwide turnover, whichever is the higher (a lower tier of €10 million or 2% applies to other infringements).

2. Personal data breaches have to be notified to the ICO within 72 hours of your becoming aware of them, unless the breach is unlikely to result in a risk to individuals, and to the individuals affected without undue delay where it is likely to result in a high risk to them. This leaves the agency concerned highly exposed to brand damage and to compensation claims from those affected.

So what do recruitment agencies need to be doing to prepare for GDPR?

Well this is a big question, but to give you a flavour, the type of things you should be considering include:

1. Identify what personal data you are holding. Bear in mind personal data can be as simple as an individual's name or email address. This is vital because you need to be able to demonstrate that you are protecting this data and using it appropriately. So understanding what you have and where it is forms the first step towards compliance. And whilst you may think you know where your data is, I would caution that identifying where your data is can actually be a much more complex process than you may think. Yes, some of it will certainly be residing (hopefully securely) on your in-house servers. But what about the proliferation of company and employee owned portable devices such as laptops, tablets and smartphones which now hold company data and/or emails? And then there’s data that has been shared with business partners and other third-party organisations. And data that has, for whatever reason, found its way onto file sharing services like Dropbox or USB sticks.

Then there is the cloud. The cloud has revolutionised the way many businesses store their data, but in doing so has also globalised the way data is stored, with many providers distributing data across servers worldwide in order to optimise costs. The cloud takes many forms, from well-known public cloud offerings, through private cloud environments, to individual cloud-based software applications. Understanding which of these your agency is using, and where your data is actually being stored as a consequence, is paramount if you are to meet your obligations under GDPR, which include ensuring that personal data is not stored in or transferred to countries outside the European Economic Area unless the European Commission has found that country to offer an adequate level of protection, or other appropriate safeguards, such as standard contractual clauses, are in place.
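The discovery step in tip 1, as an added example that is not part of the original post or of any XC360 product: a scan that walks a directory tree, counts the kinds of personal data a recruitment agency most often holds (e-mail addresses, UK phone numbers, National Insurance numbers) in each file, and flags copies sitting in folders outside the agency's managed storage, such as a Dropbox sync folder. The regular expressions are detection heuristics rather than a legal definition of personal data, and the sample files and the list of "unmanaged" folder names are constructed for illustration.

```python
"""Personal-data discovery scan: added example, not XC360 code.

Walks a directory tree, counts the things a recruitment agency most often
holds about people (e-mail addresses, UK phone numbers, National Insurance
numbers) in each file, and flags copies sitting in locations outside the
agency's managed storage. The patterns are detection heuristics, not a legal
definition of personal data; the sample files and the list of "unmanaged"
folder names are constructed for illustration.
"""
from __future__ import annotations

import re
import tempfile
from collections import Counter
from pathlib import Path

PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    # UK numbers in national format, e.g. 07700 900123 or 020 7946 0123.
    "uk_phone": re.compile(r"\b0\d{2,4}[ -]?\d{3,4}[ -]?\d{3,4}\b"),
    # National Insurance number: two letters, six digits, suffix A-D.
    "ni_number": re.compile(
        r"\b[A-CEGHJ-PR-TW-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b", re.IGNORECASE
    ),
}

# Folder names that suggest data has drifted away from the agency's servers (assumed list).
UNMANAGED_HINTS = ("dropbox", "onedrive", "google drive", "downloads", "usb")

SAMPLE_FILES = {  # constructed; the people and numbers are not real
    "crm/candidates.csv": (
        "name,email,phone\n"
        "Jane Doe,jane.doe@example.com,07700 900123\n"
        "John Roe,john.roe@example.org,020 7946 0123\n"
    ),
    "Dropbox/shortlist.txt": "Shortlist for client: jane.doe@example.com, NI AB 12 34 56 C\n",
    "policies/handbook.txt": "Staff handbook. No candidate details in here.\n",
}


def scan_file(path: Path) -> Counter:
    """Count matches of each pattern in one file; empty Counter if none."""
    try:
        text = path.read_text(encoding="utf-8", errors="ignore")
    except OSError:
        return Counter()
    return Counter({name: len(rx.findall(text)) for name, rx in PATTERNS.items() if rx.search(text)})


def scan_tree(root: Path) -> list[dict]:
    """Return one finding per file that contains personal data."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        hits = scan_file(path)
        if not hits:
            continue
        rel = path.relative_to(root).as_posix()
        findings.append({
            "path": rel,
            "hits": dict(hits),
            "unmanaged": any(hint in rel.lower() for hint in UNMANAGED_HINTS),
        })
    return findings


def run_demo() -> list[dict]:
    """Write the constructed sample tree to a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in SAMPLE_FILES.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content, encoding="utf-8")
        return scan_tree(root)


if __name__ == "__main__":
    for finding in run_demo():
        flag = "  <-- outside managed storage" if finding["unmanaged"] else ""
        print(f"{finding['path']}: {finding['hits']}{flag}")
```

Pointed at a file server or a user's home directory instead of the sample tree, the output is a first draft of the data inventory the tip asks for: which files hold personal data, how much, and which copies are sitting somewhere the agency's security policies do not reach. It only reads plain text, so spreadsheets, PDFs and mailboxes would need their own extraction step before the same patterns can be applied.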

2. Identify threats to this data. This could include things like ransomware attacks, accidental loss by employees, deliberate theft by employees, industrial espionage, lost devices and unauthorised access to data. This is vital if agencies are to avoid the substantial fines that can be levied for unauthorised access to, or disclosure of, personal information.

You can find more information about protecting your data from insider threats in my blog “Preparing your Recruitment Agency for GDPR: Protecting your Data from Insider Threats”, whilst there is more information about ransomware threats and their prevalence and impact on recruitment agencies in this article 

3. Invest in and implement the right technologies and business processes to deal with insider and external threats to data. This will involve a wide raft of technologies to provide protection from a range of different threats, coupled with effective, documented business processes. Long gone are the days when some anti-virus software and a firewall were all that were needed. Nowadays the type of technology we are talking about will include:
  • Virus protection, ideally from multiple vendors (layered, for example one engine at the email gateway and another on the endpoint, rather than two resident engines on the same machine, which tend to conflict)
  • Malware protection
  • Ransomware protection
  • Behavioural monitoring software that will monitor and block applications which are behaving suspiciously
  • Software restriction policies
  • Systems for applying operating system and application security updates to servers, PCs and laptops promptly
  • Device monitoring software to flag unusual usage statistics which indicate a device may be compromised
  • Email filtering
  • Website filtering
  • Constantly updated firewall protection, ideally from multiple vendors
  • Encryption of stored data
  • Encryption of data in transit
  • Data loss/leakage prevention technology
  • The ability to remotely wipe data from any user device that is lost or stolen
  • Strong passwords and, wherever the system supports it, two-factor authentication
  • 24/7 monitoring against threats

You can find more information about Data Access Control procedures in my blog “Preparing for GDPR: Securing your Recruitment Agency’s Data - Part 1”, whilst there is more information and tips around management of cyber security risks in this article

In my next blog, I will be sharing 4 more tips for GDPR compliance. In the meantime, if you are concerned about your agency’s GDPR compliance position, please do not hesitate to contact myself, or my colleague Andrew Banning, on 0208 732 5656 or email us on at@xc360.co.uk or ab@xc360.co.uk when we will be happy to arrange a no obligation conference call or meeting.