With the Digital Minister, Matt Hancock, having now formally announced the government's intent to overhaul its data protection laws in the form of a new Data Protection Bill, which will write the EU's forthcoming GDPR into UK law and help prepare the UK for the period after Brexit, I thought it would be useful today to expand on some of the actions recruitment agencies need to take to ensure they are compliant with the new legislation.
Recruitment agencies hold a wealth of confidential personal data: candidate details, as well as email addresses and personal details relating to clients, prospects, suppliers, their own employees, business partners and other third parties. Since, under the GDPR, even something as simple as a name, email address or employee reference number counts as personal data, almost every piece of data a recruitment agency holds is likely to be classed as personal. Your agency therefore has an obligation to safeguard that data, which means ensuring it cannot be accessed by unauthorised people (whether employees or outsiders) and ensuring that backup copies are held which can be restored in the event of a disaster or accidental loss.
Given that you also have to provide an individual with a copy of the personal data you hold about them should they request it, and in most circumstances delete the data you hold about them should they ask (the right to erasure is not absolute: records you are legally obliged to retain are exempt), it is vital that you understand what personal data you are holding and where it is stored.
And this may not be as obvious as it first seems. While much of your data is probably stored on your in-house servers, these days it is likely that as much data again sits outside the safe boundaries of your in-house network: data or email synchronised to individuals' smartphones, home computers or tablets; data shared with third parties, such as outsourced payroll providers; and data that has, for whatever reason, found its way onto file-sharing services like Dropbox or onto USB sticks.
Data held in the cloud is another example of data that is actually outside the secure bounds of your in-house network. The cloud has revolutionised the way many businesses store their data, but in doing so it has also globalised where data is stored, with many providers distributing data across servers worldwide to optimise costs. The cloud takes many forms, from well-known public cloud offerings, through private cloud environments, to individual cloud-based software applications. Understanding which of these your agency is using, and where your data is actually being stored as a consequence, is paramount if you are to meet your obligations under GDPR. Those obligations include ensuring that you do not store personal data in, or transfer it to, countries outside the European Economic Area unless the European Commission has recognised that country as providing adequate protection or you have put appropriate safeguards in place, such as the Commission's standard contractual clauses.
There are also the copies of data taken for backup purposes to consider. And bear in mind this is not just your scheduled backups of in-house servers: it can also be backups you may not even be aware of, such as automatic cloud backup software installed on employees' home computers, smartphones or tablets, copying confidential company data to an unknown provider's cloud storage, in an unknown location, without anyone realising.
There is much to consider when preparing your recruitment agency for GDPR, but understanding your data is the first essential step towards compliance. Until you know what data you have and where you are storing it, you cannot demonstrate that you are safeguarding it appropriately, nor meet your legal obligation to provide a copy of, or delete, the data you hold about any given individual.
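To make the "understand your data" step concrete, the following is an added example of a minimal personal-data discovery scan. It is not Epoq IT's tooling and not part of the original post. It walks a directory tree, looks inside text-like files for three indicators a UK recruiter is likely to hold (email addresses, UK mobile numbers and National Insurance numbers), and produces an inventory of which files contain what, flagging files whose path suggests they are also synchronised to a cloud service. The indicator patterns, the text-file suffixes, the sync-folder hints and the sample files it scans are all assumptions constructed for the example; they are a starting point to tune, not a complete definition of personal data.

```python
"""Added example (not from the original post): a minimal personal-data
discovery scan that builds an inventory of where indicators of personal
data live under a directory tree. All sample data below is constructed."""
import re
import tempfile
from pathlib import Path

# Indicator patterns (assumption: a sensible starting set for a UK recruiter).
PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    # UK mobile in national (07xxx) or international (+44 7xxx) form.
    "uk_phone": re.compile(r"(?<!\d)(?:\+44\s?7\d{3}|07\d{3})\s?\d{3}\s?\d{3}(?!\d)"),
    # National Insurance number: two letters (D, F, I, Q, U, V excluded),
    # six digits, suffix letter A-D, with optional spaces.
    "ni_number": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b"),
}

# Only look inside files we can read as text (assumption).
TEXT_SUFFIXES = {".txt", ".csv", ".md", ".json", ".eml", ".log"}

# Path fragments that suggest the file is also synced outside the
# in-house network (assumption: common sync-client folder names).
SYNC_HINTS = ("dropbox", "onedrive", "google drive", "icloud")


def scan_file(path):
    """Return {indicator: count} for every indicator found in one file."""
    try:
        text = path.read_text(encoding="utf-8", errors="ignore")
    except OSError:
        return {}
    return {name: len(rx.findall(text)) for name, rx in PATTERNS.items() if rx.search(text)}


def scan_tree(root):
    """Walk root and return an inventory of files containing personal-data indicators."""
    root = Path(root)
    inventory = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        hits = scan_file(path)
        if not hits:
            continue
        rel = path.relative_to(root).as_posix()
        inventory.append({
            "path": rel,
            "indicators": hits,
            "outside_network_hint": any(h in rel.lower() for h in SYNC_HINTS),
        })
    return inventory


def build_sample_tree(root):
    """Write constructed sample files (fictitious people, 07700 900xxx numbers)."""
    files = {
        "candidates/jane-doe.txt": (
            "Jane Doe\nemail: jane.doe@example.com\n"
            "mobile: 07700 900123\nalt: +44 7700 900456\nNI: AB 12 34 56 C\n"
        ),
        "Dropbox/shortlist.csv": (
            "name,email\nJohn Smith,john.smith@example.org\nAmy Jones,amy@example.net\n"
        ),
        "policies/handbook.md": "# Staff handbook\nNo personal data in this document.\n",
        "images/logo.png": "binary placeholder, skipped by suffix",
    }
    for rel, content in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")


def demo():
    """Build the constructed sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for entry in demo():
        flag = " (also synced outside the network?)" if entry["outside_network_hint"] else ""
        print(f"{entry['path']}: {entry['indicators']}{flag}")
```

Run as-is, it reports the candidate record (one email, two phone numbers, one NI number) and the Dropbox shortlist (two emails, flagged as a likely sync folder), and nothing for the handbook or the image. Point `scan_tree` at a real file share, mailbox export or laptop home directory to get a first-cut inventory; the output is the list of locations you then need to secure, back up, and be able to search when a subject access or erasure request arrives.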
At Epoq IT we work with our clients to help them bring their data back under control, through effective use of technology coupled with business processes and procedures. This ensures that your business is put back in control of your valuable data, that your data can be safeguarded appropriately in readiness for GDPR and that your risk of a security breach is minimised.
If you would like to find out more about the ways that Epoq IT can help your recruitment agency prepare for GDPR, please do not hesitate to contact me on firstname.lastname@example.org or telephone 01494 444065 to arrange a no obligation conference call or meeting.