The new EU General Data Protection Regulation (GDPR) comes into effect in May 2018 and represents the most radical change in data protection legislation in the last 20 years. GDPR has been developed to reflect the changing use of data in the digital world in which we now live. It is designed to enable citizens to benefit from modern digital services, whilst providing sound, well-formulated and properly enforced data protection safeguards to help mitigate risks and inspire public confidence in how their information is handled by businesses, third parties, the state and public service providers.
Failure to comply will have potentially catastrophic implications for companies, for two reasons:
1. For any breach, the UK regulator, the ICO, will be able to levy fines of up to €20 million or 4% of your annual turnover, whichever is higher.
2. Breaches have to be notified to the data protection authority, and in some cases to the consumers affected, without delay. This leaves the agency concerned highly exposed to brand damage and potential customer payouts.
So what do recruitment agencies need to be doing to prepare for GDPR?
Well this is a big question, but to give you a flavour, the type of things you should be considering include:
1. Identify what personal data you are holding. Bear in mind that personal data can be as simple as an individual's name or email address. This is vital because you need to be able to demonstrate that you are protecting this data and using it appropriately, so understanding what you have and where it is forms the first step towards compliance. And whilst you may think you know where your data is, I would caution that identifying where your data is can actually be a much more complex process than you may think. Yes, some of it will certainly be residing (hopefully securely) on your in-house servers. But what about the proliferation of company- and employee-owned portable devices such as laptops, tablets and smartphones which now hold company data and/or emails? Then there is data that has been shared with business partners and other third-party organisations, and data that has, for whatever reason, found its way onto file sharing services like Dropbox or onto USB sticks.
Then there is the cloud. The cloud has revolutionised the way many businesses store their data, but in doing so it has also globalised the way data is stored, with many providers distributing data across servers worldwide in order to optimise costs. The cloud takes many forms, from well-known public cloud offerings, through private cloud environments, to individual cloud-based software applications. Understanding which of these your agency is using, and where your data is actually being stored as a consequence, is paramount if you are to meet your obligations under GDPR. Those obligations include ensuring that you do not store data in, or transfer data to, countries outside the European Economic Area that do not have equivalently strong data protection standards.
2. Identify threats to this data. This could include things like ransomware attacks, accidental loss by employees, deliberate theft by employees, industrial espionage, lost devices and unauthorised access to data. This is vital if agencies are to avoid the substantial fines that can be levied for unauthorised access to, or disclosure of, personal information.
You can find more information about protecting your data from insider threats in my blog “Preparing your Recruitment Agency for GDPR: Protecting your Data from Insider Threats”, whilst there is more information about ransomware threats and their prevalence and impact on recruitment agencies in this article.
3. Invest in and implement the right technologies and business processes to deal with insider and external threats to data. This will involve a wide raft of technologies to provide protection from a range of different threats, coupled with effective, documented business processes. Long gone are the days when some anti-virus software and a firewall were all that was needed. Nowadays the type of technology we are talking about includes:
- Virus protection, ideally from multiple vendors
- Malware protection
- Ransomware protection
- Behavioural monitoring software that will monitor and block applications which are behaving suspiciously
- Software restriction policies
- Systems for applying operating system and application security updates to servers, PCs and laptops promptly
- Device monitoring software to flag unusual usage statistics which indicate a device may be compromised
- Email filtering
- Website filtering
- Constantly updated firewall protection, ideally from multiple vendors
- Encryption of stored data
- Encryption of data in transit
- Data loss/leakage prevention technology
- The ability to remotely wipe data from any user device that is lost or stolen
- Strong passwords or two-factor authentication
- 24/7 monitoring against threats
In my next blog, I will be sharing 4 more tips for GDPR compliance. In the meantime, if you are concerned about your agency’s GDPR compliance position, please do not hesitate to contact myself or my colleague Andrew Banning on 0208 732 5656, or email us at email@example.com or firstname.lastname@example.org, and we will be happy to arrange a no-obligation conference call or meeting.
Xara Computers' flagship product, the XC360 for Recruitment private cloud platform, provides recruitment agencies with a fully managed, highly secure, UK-based remote desktop running all of their own agency’s software. This allows fee earners to work and collaborate in real time, from any location, using any computer, laptop or tablet, safe in the knowledge that their confidential client data is centralised and secure. For more information please visit our website https://www.xc360.co.uk/recruitment/