Our information under attack
The recruitment sector is no stranger to the issue of cybersecurity. Monster.com suffered cybersecurity breaches in 2007 and 2009, potentially involving up to 4.5 million people. More recently, Michael Page had to contact 780,000 people registered with it, to inform them about the October 2016 data breach which was attributed to lax security by technology consultancy, CapGemini.
The scale of these companies and their databases may make these incidents seem remote to smaller agencies. However, perhaps the ICO’s January 2017 prosecution and the conviction of a recruiter brings the problem closer to home. Her crime? She had undertaken the none too uncommon practice of emailing herself around 100 client contacts so she could pursue them in her new job.
In the wider world, hardly a week passes without some major IT security story grabbing the headlines. If it is not computer malware such as a virus or a ransomware attack, it is often the theft by hackers of large amounts of customer information. Sometimes sold on the dark web, or published for free download by cybercriminals and the hacker ‘community’, this is often used to fuel scams via the telephone, phishing attacks or fraud, based on identity theft.
The attitudes of many organisations and businesses to data has been the cause of much concern. The Facebooks and Googles - the multinational corporations that have triumphed by exploiting the internet - have evolved some highly questionable positions and practices.
But it is not just the internet giants. It is hard to imagine a business of any type or size today that doesn’t use digital technology to record, store and process customer and transactional information. Many have a less than satisfactory approach to information security. Today’s internet connected business technologies simply create data pathways which unscrupulous technology experts are able to exploit, either to infiltrate malware or to steal information.
Navigating such pathways is often a matter of significant complexity. And it’s not just the threat of the tech experts in cybercrime gangs which are sometimes better organised and are at least as highly skilled as their counterparts working as IT practitioners inside organisations and businesses, or for technology service providers.
In the hands of enthusiastic amateurs, such as bored teenagers, hacker toolkits enable anyone with some basic knowledge to find an attractive alternative to immersive gaming. Among this fraternity, bragging rights seldom come any bigger than saying you have broken into the Pentagon, NASA or some such other leading organisation.
In the midst of all this, we might be forgiven for thinking that something, somewhere is terribly wrong with our approach to securing data and our attitudes to information security. Fortunately, this is all about to change.
Enter GDPR
On 25th May 2018 the European Union General Data Protection Regulation (EU-GDPR) comes into force. This equates to a game-changer and it is one of most significant shake ups of information security for many years. The GDPR applies to any organisation or business, world-wide that processes the information of EU citizens.
As the UK is set to leave the EU, the UK government is writing the GDPR as a legislative instrument into UK law. This is necessary to harmonise data security standards across Europe, avoiding barriers to trade and preserve security information sharing to combat crime and terror.
At first glance, the chief organising idea behind the compliance framework seems to be protecting the rights of individuals and empowering us all to have greater control over our personal information. For example, under GDPR, one of the cornerstones is that we can ask to see the data organisations and businesses hold about us and ask them to delete it, if we so wish.
To provide the ability for organisations to manage data so that they can execute such requests, GDPR creates a robust information security framework and in turn a safer, more secure digital information environment. And beyond software, systems and best practice, it promotes a cultural shift in attitudes towards treating personal data more appropriately and with greater respect.
At its heart, GDPR makes organisations and businesses which collect and process personal information more accountable and responsible for multiple aspects of handling data, including:
- Protection
- Storage
- Usage
- Processing
- Sharing
Data privacy and recruitment
In the shape of CVs containing educational and employment histories, qualifications and accreditations and copies of passports and driving licenses, recruitment firms hold some of our most important personal details. Add in the results of psych tests or other selection methodologies, and it is likely the majority of individuals would want to see very high standards of data security in place. Indeed, perhaps the only data that many would attach a higher privacy value to would be financial information, including access to accounts and medical histories.
Image information such as CCTV footage, and biometric data such as fingerprints and DNA enable individuals to be recognised; widespread use of iris and retina scan identification may be the stuff of sci-fi, but it is unlikely to remain so forever. The whole issue of privacy is set to intensify in line with the mushrooming of data and the need for security.
When a candidate or a contractor applies for a role, inevitably, at some stage in the selection process, personal information is shared. Once shared, what protocols govern how the organisation or business that receives the data protects, stores, uses, processes and shares the data?
Where is the UK recruitment sector on GDPR?
To gauge the level of preparedness across the UK recruitment sector in relation to GDPR, we conducted two short online surveys. Firstly, to get the view from the inside, one survey was aimed at recruitment firms. Secondly, to get the view from some of those closest to the issues, we surveyed contractors and temps.
ETZ Recruitment Agency Survey
Recruitment Agency Data Security Survey
1. Have you heard of the GDPR (General Data Protection Regulation)?
2. Do you have a good understanding of the importance, if any, of GDPR for recruitment agencies?
3. Does your agency have in place an IT or information security policy?
4. Do you control access by agency staff to CV and candidate contact data using secure passwords or other security measures?
5. Do you engage with 3rd party firms, such as clients, on the assumption that IT security, confidentiality and privacy is a primary consideration?
6. Do you use IT service providers to look after any of your systems, or software vendors to provide cloud applications, such as an Applicant Tracking System, ATS?
7. Does your agency have in place an IT or information security policy?
8. Do you control access by agency staff to CV and candidate contact data using secure passwords or other security measures?
9. Do you engage with 3rd party firms, such as clients, on the assumption that IT security, confidentiality and privacy is a primary consideration?
10. Do you use IT service providers to look after any of your systems, or software vendors to provide cloud applications, such as an Applicant Tracking System, ATS?
Key findings from agency responses
- There is a significant gap in understanding about the need to prepare for GDPR
- There is good awareness of GDPR (90%). However, with 19% not understanding the importance of GDPR for recruitment agencies, there is still a lot of work to be done.
- Recruitment industry bodies and trade associations should do more to close the gap and help agencies get up to speed.
- There is a strong culture of responsibility and data security best practice is widespread
- With 84% having a policy based approach to IT and/or data security and 87% using passwords or other methods to control access, best practice for data security is a strong trend within the recruitment sector.
- GDPR is set to improve this.
- Attitudes to data security and privacy are generally good
- There is a widespread assumption of high standards of IT Security, confidentiality and privacy (87%) when sharing data with 3rd party organisations, such as clients or service providers.
- GDPR is likely to advance the cultural acceptance of greater respect when handling personal data.
- Significant numbers of recruitment firms solely rely on the use of on-premise systems or are self-sufficient in managing technology
- With 87% responding positively when asked about the use of outsourced IT and cloud services, the remainder (13%) are reliant on in-house technology systems run by internal IT teams. This may represent a weakness in physical security as few conventional office environments are as secure as purpose built data centres which host cloud services and applications.
- GDPR may force some companies to shift to outsourced services and make greater use of data centre hosted, online applications in the cloud.
- There is a very high expectation for 3rd party software and services to meet security compliance standards
- 96% expect 3rd party software, services and applications to be secure. This assumption runs counter to one of the principles of GDPR, where the ultimate responsibility for compliance is with the agency. Compliance failure under GDPR cannot be defended by blaming a 3rd party supplier or service provider.
- Agencies need to take control of GDPR and place a strong emphasis on selecting technology partners with GDPR compliance that can be verified
- The vast majority of agency respondents think it is unfair to hold agencies responsible for the security failings, such as non-compliance, of 3rd party software and IT service providers.
- With 15% of agency respondents believing it is fair that the ultimate responsibility for security and compliance should rest with the agency, there is a need for attitudes to align with GDPR.
- There are low-levels of data misuse within the recruitment sector
- With 3% admitting to sharing or selling data outside of normal business process and 6% having knowledge or suspicion of unauthorised data sharing, a small minority engage in the misuse of personal information entrusted to recruitment agencies.
- There will always be those that seek to operate outside the regulatory codes and laws. GDPR is set to minimise the potential for misuse and theft, whether perpetrated by rogue employees or within organisations where there is a culture of malpractice.
ETZ Contract and Temporary Worker Data Security Survey
Responses from contractors and temps to 10 short specific questions with "Yes" or "No" answers.
1. Are you satisfied recruitment agencies always handle your personal data in a way that protects your privacy?
2. Have you ever felt a recruitment agency misused details in your CV or contact information?
3. Are you satisfied with recruitment agency timesheet and payment processes?
4. Have you ever been paid late because of delays in processing paperwork or timesheets?
5. Have you ever missed a credit card, rent, mortgage or other debt repayment because an agency paid you late?
6. Do delays to payment affect people’s attitudes to work, their employers or productivity?
7. If a recruitment agency has its data stolen, is it the fault of the companies that provide its IT services or make its software?
8. If a recruitment agency has its data stolen by an internet hacker, is it fair to blame the agency?
9. Is it fair to blame the agency if your data was stolen by an ‘insider’, someone employed by the agency?
10. Have you heard about GDPR, the new data security standard?
Key findings from contract and temporary worker responses
- There is significant room to improve the levels of satisfaction around the way agencies handle data
- With 73% of respondents satisfied that agencies handle data appropriately, this leaves 27% of contractors and temps harbouring the perception that agencies don’t always treat it with respect.
- Agencies could do better in promoting messages about privacy and high standards of practice for information security.
- Privacy could be exploited as a competitive differentiator in the marketplace. A strong message around data security and protecting data could form part of an agency’s Unique Sales Proposition (USP), helping attract contractors and temps, as well as clients.
- Over one-third of respondents think agencies misuse CV or contact information
- 34% of respondents have strong perceptions that agencies have misused personal information taken from CVs or their contact data, like email addresses and phone numbers.
- Along with strong messages that position an agency as having high standards of security and compliance, when GDPR takes effect, there is going to be an increased emphasis on transparency.
- Agencies need to address issues associated with back office processing of timesheets and payments
- 75% of respondents expressed satisfaction and the remainder were unhappy with agency timesheet and payment processes, with 39% indicating they had been paid late because of delays resulting from back office processing.
- It is in the interests of recruitment agencies to seek out solutions which improve back office processes. Eliminating manual processes and exploiting the benefits of technology transforms efficiency and reduces back office processing costs by up to 85%.
- Agencies should take steps to reduce late payment
- Late payments have caused 14% of respondents to miss credit card, rent, mortgage or other debt repayment schedules and 81% think this shapes attitudes to work, employers and productivity.
- To foster better relationships with contractors and temps, agencies should prioritise initiatives which reduce late payments because of the strong negative impacts of financial difficulties.
- Agencies need to do more to secure data and take responsibility for the information entrusted to them to prevent misuse and theft
- Significant majorities of respondents think an agency is responsible if data is stolen because of the failings of 3rd party software vendors or service providers (67%); is stolen by hacking (57%); or is stolen by an agency ‘insider’ (81%).
- GDPR is aligned with this thinking. It enshrines responsibility for preventing data loss with recruitment agencies, regardless of whether the loss is due to non-compliance of a 3rd party supplier or ‘insider’ activity.
- There is low awareness of the GDPR among agency workers
- With 21% of contractors and temporary workers having heard of GDPR, almost four-fifths of respondents are not aware of the legislation and its significance for the future protection of personal information.
- As awareness grows, agencies are likely to come under increased scrutiny from the eyes of those that choose agency-based employment as a source of income.
The opportunity of the GDPR for recruitment agencies
There is a significant opportunity for many recruitment firms to exploit GDPR to obtain competitive advantage.
The opportunity provides the chance to explore the potential for:
- Optimising business processes
- Examining how your firm executes its business processes to identify where they can be streamlined.
- Leveraging technology to increase efficiency
- Consider the case for automation and eliminating manual processes to speed things up and transform efficiency.
- Embrace the GDPR rather than viewing it as a compliance burden
- Enhance business confidence through better information security, minimise the potential for IT security failures and PR disasters.
Some sugested next steps
- Enter a dialogue and seek guidance
- Join the conversation with industry peers and obtain counsel from recruitment industry bodies and trade associations.
- Conduct a root and branch review of technology within the firm
- Consider seeking expert professional advice from technology firms which specialise in the recruitment market and that offer GDPR consultancy services.
Download full GDPR for recruitment agencies report
Book a Free Demo
See how much time ETZ can save you
The best way to see ETZ is with a quick online demo. We’ll show you how you can reduce paperwork and save up to 85% of your agency’s back office processing costs.
Simply fill in the form, or if you can’t wait give us a call on 0800 311 2266 and talk to our friendly team.