Regardless of the relatively new General Data Protection Regulation (GDPR), the recruitment industry has always had a responsibility to protect the data it controls. Whether you are an agency or an umbrella company, failure to protect this data presents a significant reputational risk to your business, and the ramifications could prove catastrophic.
Whilst digital and cyber-related risks continue to emerge, physical risks remain of equal importance, so it is imperative that you consider both. The fines and penalties that could be imposed by the Information Commissioner's Office (ICO) are not exclusive to digital risk; this should focus our minds on how important it is to take appropriate measures to keep ALL of our data safe.
Recognising that the physical data security risk is just as important as the electronic one, you may wish to consider implementing the following within your business practice:
- A policy for taking files or client information out of the office, ensuring that staff only take the documents that are essential to their meeting
- Encryption on all portable devices (laptops, iPads and phones)
- An inventory of all your equipment
- Privacy screens on laptops and iPads, so that when staff work on the go others cannot read the information they are working on
- If working on a physical (paper) file away from the office, keeping it close and guarded: you do not know who may be looking over your shoulder, especially in your local coffee house
- A clear desk policy, ensuring that any client information is locked away and safe at night, especially as many of us have cleaning services in our buildings when our staff are not around
- Confidential waste disposal
- Importantly, advising your team of the steps to take should a device or sensitive information be lost
The cyber threats that we each face today continue to increase and evolve, and as we become more reliant upon technology this shows no sign of reducing any time soon. This is big business for career criminals and, to make matters worse for us all, their methods often evolve faster than our defences as they become more sophisticated in their approach. It is therefore essential that we do everything possible to protect our businesses from them.
Data and your staff
Data breaches are an increasingly common occurrence in the national news, but only the high-profile ones tend to get reported; numerous smaller ones do not. To combat this, it is important first to understand what data is processed, how and where it is stored (including the back-ups that are in place), how this data flows through your practice, how your teams use it and who else may have access to it. An important consideration is that outsourcing IT functions does not mean outsourcing our responsibility.
For service-orientated businesses, our staff are our biggest asset, but they are also our biggest weakness, because they create the greatest vulnerability when it comes to the data and cyber-related risks we face today. As a large proportion of cyber breaches stem from employees, it is essential that we continually raise their awareness and educate them about these risks.
- Regularly train staff and remind them of the importance of information security
- Where possible, limit their ability to put data at risk with robust information security policies such as:
- Locking down CD-ROM and USB access on your computer hardware; this measure helps prevent viruses being introduced to your systems
- Requiring frequent password changes
- Updating your computer hardware regularly
- Ensuring that you have a robust procedure in place to keep PCs, laptops and ALL other machines up to date
- Protecting your network: invest in appropriate firewalls and anti-virus software
- Removing the autocomplete function from your email software to prevent data being sent to the wrong person, or requiring a verification box to be ticked before any external email is released
- Introducing a policy on external guests: keep any visitor to your office away from your hardware, as key loggers could be installed manually
It is quite evident that data breaches or incidents are increasingly likely to happen, so having a plan in place for when they occur is key. The plan needs to consider both physical and digital risks and include a process for notifying the ICO and affected individuals as required by the GDPR. Some breaches must be notified to the ICO within 72 hours of discovery, so an effective plan is important to ensure these deadlines are met.
In the event of a breach, having appropriate insurance in place should be viewed positively by the ICO, as you will have the infrastructure to minimise any damage to your clients. Such cover could help you determine what data was stolen, identify the potentially affected individuals and notify them appropriately, whilst giving them peace of mind that your insurer will monitor their situation to safeguard them, thereby protecting your reputation.
No one is too big or too small to be affected, so I encourage you to check that you have the appropriate measures and insurance in place. If you would like to find out more, please contact me or one of the Lockton team, who would be very happy to assist.