With the GDPR due to be enforced from 25th May 2018, most customers I talk to are now beginning, or well advanced with, their GDPR preparations. This piece of legislation, which replaces our current Data Protection Act, represents the biggest change in data protection legislation in 20 years, and in many cases will require organisations to make far-reaching changes to their business processes and IT security in order to demonstrate compliance.
Article 32 of the GDPR obliges firms to ‘implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk’ in order to protect the data that they store. As this is (deliberately) left fairly vague, in order to be flexible around future changes in technology and threats, I thought it would be useful today to outline some of the specifics you need to be thinking about, in order to demonstrate compliance.
1. Identify what personal data you are holding. Bear in mind that personal information can be as simple as an individual’s name or email address, so the reality is that the vast majority of data that a recruitment agency holds (candidate data, client data and employee data) will fall under the scope of the GDPR.
2. In order to protect your data, you first need to understand where it is. Is it all on your servers, or are there also copies on employees’ laptops, tablets or home computers? Do you or your staff replicate your business emails (which invariably contain personal details of clients or candidates) to smartphones? Do you allow data to be copied to USB sticks or shared via cloud file sharing services like Dropbox?
3. Identify threats to your data, which could include things like cybercrime, accidental loss by employees, deliberate theft by employees, industrial espionage, lost devices and unauthorised access to data. Whilst most businesses have some policies and technologies in place to protect them against these sorts of threats, we often find that these were implemented several years ago and, with the fast-moving nature of security threats, are no longer fully effective. In addition, many companies have a piecemeal approach of different technology solutions, each designed to cover a specific security threat, but no “joined up” solution to make sure nothing falls between the cracks.
4. Invest in and implement the right technology to deal with insider and external threats to data. These days such a solution needs to include:
   - Virus protection
   - Malware protection
   - Ransomware protection
   - A system for applying operating system and application security updates to servers, PCs and laptops promptly
   - Email filtering
   - Constantly updated firewall protection
   - Encryption of data in transit
   - Data loss/leakage prevention technology
   - The ability to remotely wipe data from any user device that is lost or stolen
   - A certified system for securely wiping old servers and PCs prior to disposal
   - Strong passwords or two factor authentication
   - Regular security testing
   - 24/7 monitoring against threats
5. Put together a new or updated data protection policy and train employees on it.
6. Put in place processes for ongoing user education for all members of staff around cyber security and data protection.
7. Put in place suitable processes to back up your data, and make sure that you are testing them to ensure they work.
8. And finally, for the worst case scenario, create a breach notification plan, which will typically involve the Board, IT, PR, sales, marketing and HR, to ensure that any breach could be communicated smoothly, accurately and with as little damage to the business as possible.
If all this sounds rather daunting, then please do not hesitate to contact me, as Epoq IT work with recruitment businesses day in, day out to provide consultancy, technologies and services that ensure your business is keeping its data secure, so we are well versed in ways to address the challenges that the GDPR poses. I can be reached on 07894-269600 or via email at firstname.lastname@example.org. More information is also available here.