GDPR places accountability on recruitment agencies to have in place policies, procedures and documentation that demonstrate the personal data they hold is stored securely. Bearing in mind that the recruitment industry is fundamentally about the storage and movement of personal data, this is likely to cover the vast majority of an agency’s data and activities.
In my recent series of blogs, I have been discussing the steps which recruitment agencies need to take in order to protect their data in readiness for GDPR.
Today, I wanted to share some pointers on data backup and disaster recovery, as from a GDPR compliance perspective this forms an important component in demonstrating that your agency is taking due care of the personal data which is entrusted to it.
Backups form a key component in the day-to-day running of any IT system. There are a variety of different types of backup, such as backups to the cloud, backups to removable media and real-time replication to other servers.
It is important to realise that different types of backup are useful in different scenarios, so more than one type may need to be employed to give you full resilience. For example, cloud backups are a useful way of keeping a copy of your data offsite, which gives extra protection in the event of a disaster on your premises that might wipe out locally held backups as well as the live servers. On the other hand, removable media provides a very useful form of backup because, once it has been disconnected, it is held offline and cannot be reached by cyber security threats such as ransomware. Note the caveat: media that is still plugged in when ransomware strikes is just another writable drive to the malware, so the protection only holds for copies that have actually been taken offline and rotated. Locally held offline backups are also useful for fast restoration, since you do not need to pull the data back over the Internet.
Real-time replication to another server works well when no downtime can be tolerated, but bear in mind that if a file is corrupted, encrypted by ransomware or accidentally deleted, that change will be replicated in real time to the second server too. Replication protects you against hardware failure, not against bad data, so it should sit alongside point-in-time backups rather than replace them.
So there are a number of considerations to any company’s backup strategy and it may well be appropriate to employ different solutions for different applications or servers.
Full disaster recovery is also an important consideration under GDPR, since if your agency is unlucky enough to suffer a full system failure, be that through a cyber attack like the recent WannaCry ransomware attack, or due to more mundane reasons such as a hardware failure, fire or flood, you need to be able to demonstrate that you have suitably protected the personal data that you store and can recover it successfully.
The first key consideration here is how long you could live without each of your IT systems and data (often called the recovery time objective, or RTO). This is likely to vary from system to system: you may be able to tolerate no downtime on your email server, but it may be acceptable for an archived projects folder to be restored within 72 hours. So your plan needs to go through each system you use and record how long you could manage without it. The second key consideration is data loss (the recovery point objective, or RPO). Again, for each system you need to be clear how much data loss, if any, would be acceptable, and tailor your disaster recovery systems accordingly. If no data loss is acceptable, a real-time replication solution should be considered, whereas if some data loss is acceptable in a disaster scenario you may be able to live with backups that run daily or hourly, as long as the interval between backups is no longer than the amount of work you are prepared to lose.
Finally, never underestimate the importance of having an up-to-date, written disaster recovery plan and having tested it on a regular basis. This is something I will be covering in more detail in my next blog.
I hope this has given you a useful insight into some of the key areas to consider around backup and disaster recovery when preparing your recruitment agency for GDPR compliance. If you need help preparing for GDPR, or indeed with any element of your IT system, please do not hesitate to contact me on (01494) 444065 or email firstname.lastname@example.org, when I will be pleased to help.