In my previous blog, I talked about the need to understand where your recruitment agency’s confidential data is. Once you have this understanding, the next step is to understand how you secure it. This broadly falls into two categories – access control (effective security for authorised users) and cyber security (protection against unauthorised access).
Today I am going to talk about the former, as having good access control systems lies at the heart of successfully protecting your recruitment agency’s data, and forms an important part of preparing your agency’s information systems for GDPR compliance.
GDPR places accountability on recruitment agencies to have in place policies, procedures and documentation that demonstrate the personal data they hold is stored securely. Bearing in mind that the recruitment industry is fundamentally all about dealing with the storage and movement of personal data, this is likely to cover the vast majority of an agency’s data and activities.
Therefore, for each of your computer systems, it is important to understand, and have documented, who has access to that system and what level of access they have. Bear in mind that it is best practice to give each user the minimum access they require to the system to do their job. Allowing staff wider access to systems puts you at greater risk of a data security breach, data corruption or data loss through incidents such as accidental deletion, a ransomware attack or malicious insider threats. As well as having SOPs in place to handle the IT access control requirements of new starters, it is also important that there are procedures in place to cover what happens when somebody leaves the company or changes role.
Nowadays, it is also likely that external organisations and third parties such as outsourced payroll providers or organisations carrying out background checks will have access to some of your IT systems or data. This access needs to be secured in just the same way, so that you are clear about who has access to which parts of the system, why it is needed and how it is controlled. There also need to be procedures in place to review, amend and remove access for third parties, as business relationships evolve and change.
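One way to turn the access register, least-privilege baseline, leaver and role-change procedures, and third-party review dates described above into a repeatable check, as an added example that is not from this post: a small Python script that compares a register of who has what level of access against HR records and flags entries needing action. ROLE_BASELINE, REGISTER, HR and THIRD_PARTY_REVIEW are constructed sample data, not real agency records.

```python
# Access-review check (added example). All data below is constructed.
LEVELS = ["read", "read_write", "admin"]  # ordered, lowest privilege first

# Minimum access each role needs per system; None = no access required.
ROLE_BASELINE = {
    "consultant": {"crm": "read_write", "payroll": None},
    "finance":    {"crm": "read",       "payroll": "read_write"},
    "it_admin":   {"crm": "admin",      "payroll": "admin"},
}

# Access register as exported from each system: (user, system, level).
REGISTER = [
    ("alice", "crm", "read_write"),     # consultant: matches baseline
    ("alice", "payroll", "read"),       # consultant: should have none
    ("bob", "crm", "admin"),            # finance: above baseline
    ("carol", "crm", "read_write"),     # has left the company
    ("payroll-co", "payroll", "read"),  # third party: review date passed
]

# HR feed: current role per employee; None means the person has left.
HR = {"alice": "consultant", "bob": "finance", "carol": None}

# Third-party grants and the ISO date by which each must be re-reviewed.
THIRD_PARTY_REVIEW = {"payroll-co": "2018-01-31"}


def review_access(register, hr, role_baseline, third_party_review, today):
    """Return (user, system, finding) tuples for register entries needing action.

    `today` is an ISO date string; ISO strings compare correctly as text.
    """
    findings = []
    for user, system, level in register:
        if user in third_party_review:
            if third_party_review[user] < today:
                findings.append((user, system, "third-party access review overdue"))
            continue
        role = hr.get(user)
        if role is None:  # leaver, or nobody HR knows about
            findings.append((user, system, "not a current employee: remove access"))
            continue
        allowed = role_baseline[role].get(system)
        if allowed is None:
            findings.append((user, system, f"role '{role}' needs no access: remove"))
        elif LEVELS.index(level) > LEVELS.index(allowed):
            findings.append((user, system, f"level '{level}' exceeds baseline '{allowed}'"))
    return findings


if __name__ == "__main__":
    for finding in review_access(REGISTER, HR, ROLE_BASELINE, THIRD_PARTY_REVIEW, "2018-05-25"):
        print(*finding)
```

Feeding the script a fresh export from each system on a schedule turns the documented register into an audit trail of who had what access on each date, which is the evidence GDPR accountability asks for.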
Mobile and remote working present a whole additional set of challenges to IT security, with the potential for copies of data or emails to be residing on all kinds of devices, both company owned and employee or third-party owned, which do not necessarily conform to company security standards. Developing policies around mobile working and ensuring there is no leakage of data or unauthorised access to data form a critical part of compliance nowadays. Policies and technologies also need to be implemented to protect against data breaches from mobile devices that are lost or stolen.
Finally, bear in mind that it is not just your main company-wide IT systems that fall under the GDPR. Any indexed system that contains personal data is subject to the legislation, so do make sure you are also including in your access control procedures all those little databases or spreadsheets that have been developed by an individual or department and which contain personal data.
I hope this has given you a useful insight into some of the key areas to consider around access control when preparing your recruitment agency for GDPR. If you need help preparing for GDPR, or indeed with any element of your IT system, please do not hesitate to contact me on (01494) 444065 or email email@example.com, when I will be pleased to help.