Wednesday, 25 October 2017

Preparing your Recruitment Agency for GDPR: Disaster Recovery Planning

For those of you who have been following my recent series of articles on Preparing your Recruitment Agency for GDPR, I wanted to put pen to paper on one final topic on this theme: disaster recovery planning.

GDPR places an obligation on your agency to safeguard the personal data which it holds, and my previous articles have addressed key challenges around day-to-day ways to protect your data through effective risk management in relation to cyber security, insider threats and data backup.

However, with the best planning in the world, sometimes the unexpected does happen. We only have to look at the WannaCry ransomware attack of May 2017, which devastated parts of the NHS, to see the reputational damage and compliance breaches that such an event can cause. It is therefore important from a GDPR perspective to have appropriate incident response and recovery plans in place to handle such a situation.

Whilst having a technical disaster recovery plan is vital to recovering systems, it is equally important for the business continuity plan to cover how you would communicate details of an IT failure or data breach to customers, staff, suppliers, the Information Commissioner's Office (ICO) and the public at large, to minimise the financial and reputational damage to your agency. Bear in mind that GDPR requires a notifiable personal data breach to be reported to the ICO without undue delay and, where feasible, within 72 hours of you becoming aware of it, and the affected individuals to be told without undue delay where the breach is likely to result in a high risk to them. Bear in mind also that, in such a situation, many of the systems you normally rely on for your communications, such as email or your contact database, may be unavailable, so the plan needs to provide for alternative ways to access these details and contact these people (for example, a printed or offline copy of the key contact list held away from the office).

To bring the subject of disaster recovery planning into perspective: whilst many recruitment agencies I talk to tend to associate IT downtime with large events such as fires or floods, the reality is that the majority of IT downtime has much more mundane causes, including hardware failures, loss of power, cyber security breaches (such as ransomware attacks) and software failures. In many cases the downtime is considerable, with the EMC Global Data Protection Index 2016 study reporting that the average length of unplanned downtime was 22 hours. Indeed the situation seems to be worsening this year, with IT downtime caused by ransomware attacks in particular often running into a week or more.

It is also critical that the disaster recovery plan will actually work, effectively and in a timely manner, when it is needed. Many businesses I work with have put together a disaster recovery plan some years ago and left it in the fireproof safe ever since, without testing or updating it. My experience is that this document needs to be constantly evolving: our use of technology has moved on significantly, and what was an acceptable recovery plan a couple of years ago may now be totally inadequate. In addition, our systems are constantly changing, with software updates and security fixes being installed on a regular basis, any of which can affect whether a recovery technically succeeds.

So in order to ensure ongoing compliance and relevance, I always recommend that the recruitment agencies we work with continually reassess and test their plans around resilience, backup and disaster recovery against the operational needs of their business and their regulatory compliance obligations. Some points to consider would include:
  • How long could you afford for each of your various IT systems to be down for? (This is your recovery time objective, or RTO, and it may differ from system to system.)
  • How much data, if any, could you afford to lose? (This is your recovery point objective, or RPO, and it determines how often backups must be taken.)
  • Have you tried a test of your full disaster recovery plan lately? Did it work? How long did it take? How much data was lost? Did the results demonstrate that recovery times and data loss met your current business requirements and compliance obligations?
  • Where are your backups held? Would an incident like a fire or a ransomware attack wipe out your backups as well as your live systems? Ransomware in particular will encrypt any backup it can reach from an infected machine, so at least one copy of your backups should be held offline or otherwise isolated from the live network, and you should periodically test that a restore from that copy actually works.
  • In the event of a major disaster, what hardware would you restore your backups onto?
  • If your offices were incapacitated (or the emergency services wouldn't allow you access to your premises), where would you work from and how would you connect to your recovered systems?
Tests of disaster recovery plans also need to be documented, so there is clear evidence that testing has been conducted, that the plan has been reviewed, and that any remedial actions highlighted by the test have been carried out.

I hope this has given you a useful insight into some of the key areas to consider around disaster recovery planning when preparing your agency for GDPR.

Should you feel that your agency’s current disaster recovery arrangements are not adequate for GDPR, then Xara Computers can help. For those businesses with on-premise servers, we offer effective disaster recovery solutions that ensure all data is protected and can be recovered fully and in a timely fashion. While for those agencies looking to move to a private cloud environment in order to facilitate remote working, our flagship product, the XC360 Hosted Desktop for Recruitment Agencies, provides highly secure protection of both your live and backup data, incorporating fully managed and fully tested disaster recovery provision as standard. For more information, please do not hesitate to contact me on 0208 732 5656 or email me on when I will be happy to arrange a no obligation conference call or meeting.

Future articles will be posted to my blog, which has been designed to keep owners and directors of recruitment agencies up to date with IT matters that affect the recruitment sector. As one of my valued recruitment contacts, please feel free to follow the blog and contact me at any point should you need advice on compliant IT systems for recruitment agencies.

Xara Computers' flagship product, the XC360 for Recruitment private cloud platform, provides recruitment agencies with a fully managed, highly secure, UK-based remote desktop running all of their own agency's software. This allows fee earners to work and collaborate in real time, from any location, using any computer, laptop or tablet, safe in the knowledge that their confidential client and candidate data is centralised and secure. For more information please visit our website.