The recruitment sector is no stranger to the issue of cybersecurity. Monster.com suffered cybersecurity breaches in 2007 and 2009, potentially involving up to 4.5 million people. More recently, Michael Page had to contact 780,000 people registered with it to inform them about the October 2016 data breach, which was attributed to lax security by the technology consultancy Capgemini.
The scale of these companies and their databases may make these incidents seem remote to smaller agencies. However, perhaps the ICO’s January 2017 prosecution and conviction of a recruiter brings the problem closer to home. Her crime? She had undertaken the none-too-uncommon practice of emailing herself around 100 client contacts so she could pursue them in her new job.
In the wider world, hardly a week passes without some major IT security story grabbing the headlines. If it is not computer malware such as a virus or a ransomware attack, it is often the theft by hackers of large amounts of customer information. Sometimes sold on the dark web, or published for free download by cybercriminals and the hacker ‘community’, this is often used to fuel scams via the telephone, phishing attacks or fraud, based on identity theft.
The attitudes of many organisations and businesses to data have been the cause of much concern. The Facebooks and Googles - the multinational corporations that have triumphed by exploiting the internet - have evolved some highly questionable positions and practices.
But it is not just the internet giants. It is hard to imagine a business of any type or size today that doesn’t use digital technology to record, store and process customer and transactional information. Many have a less than satisfactory approach to information security. Today’s internet connected business technologies simply create data pathways which unscrupulous technology experts are able to exploit, either to infiltrate malware or to steal information.
Navigating such pathways is often a matter of significant complexity. And the threat does not come only from the tech experts in cybercrime gangs, which are sometimes better organised than, and at least as highly skilled as, their counterparts working as IT practitioners inside organisations and businesses, or for technology service providers.
In the hands of enthusiastic amateurs, such as bored teenagers, hacker toolkits enable anyone with some basic knowledge to find an attractive alternative to immersive gaming. Among this fraternity, bragging rights seldom come any bigger than saying you have broken into the Pentagon, NASA or some such other leading organisation.
In the midst of all this, we might be forgiven for thinking that something, somewhere is terribly wrong with our approach to securing data and our attitudes to information security. Fortunately, this is all about to change.
On 25th May 2018 the European Union General Data Protection Regulation (EU-GDPR) comes into force. This is a game-changer and one of the most significant shake-ups of information security for many years. The GDPR applies to any organisation or business worldwide that processes the information of EU citizens.
As the UK is set to leave the EU, the UK government is writing the GDPR as a legislative instrument into UK law. This is necessary to harmonise data security standards across Europe, avoid barriers to trade and preserve the sharing of security information to combat crime and terror.
At first glance, the chief organising idea behind the compliance framework seems to be protecting the rights of individuals and empowering us all to have greater control over our personal information. For example, under GDPR, one of the cornerstones is that we can ask to see the data organisations and businesses hold about us and ask them to delete it, if we so wish.
To provide the ability for organisations to manage data so that they can execute such requests, GDPR creates a robust information security framework and in turn a safer, more secure digital information environment. And beyond software, systems and best practice, it promotes a cultural shift in attitudes towards treating personal data more appropriately and with greater respect.
At its heart, GDPR makes organisations and businesses which collect and process personal information more accountable and responsible for multiple aspects of handling data, including:
In the shape of CVs containing educational and employment histories, qualifications and accreditations, and copies of passports and driving licences, recruitment firms hold some of our most important personal details. Add in the results of psych tests or other selection methodologies, and it is likely the majority of individuals would want to see very high standards of data security in place. Indeed, perhaps the only data that many would attach a higher privacy value to would be financial information, including access to accounts and medical histories.
Image information such as CCTV footage, and biometric data such as fingerprints and DNA enable individuals to be recognised; widespread use of iris and retina scan identification may be the stuff of sci-fi, but it is unlikely to remain so forever. The whole issue of privacy is set to intensify in line with the mushrooming of data and the need for security.
When a candidate or a contractor applies for a role, inevitably, at some stage in the selection process, personal information is shared. Once shared, what protocols govern how the organisation or business that receives the data protects, stores, uses, processes and shares the data?
To gauge the level of preparedness across the UK recruitment sector in relation to GDPR, we conducted two short online surveys. Firstly, to get the view from the inside, one survey was aimed at recruitment firms. Secondly, to get the view from some of those closest to the issues, we surveyed contractors and temps.
1. Have you heard of the GDPR (General Data Protection Regulation)?
2. Do you have a good understanding of the importance, if any, of GDPR for recruitment agencies?
3. Does your agency have in place an IT or information security policy?
4. Do you control access by agency staff to CV and candidate contact data using secure passwords or other security measures?
5. Do you engage with 3rd party firms, such as clients, on the assumption that IT security, confidentiality and privacy is a primary consideration?
6. Do you use IT service providers to look after any of your systems, or software vendors to provide cloud applications, such as an Applicant Tracking System, ATS?
1. Are you satisfied recruitment agencies always handle your personal data in a way that protects your privacy?
2. Have you ever felt a recruitment agency misused details in your CV or contact information?
3. Are you satisfied with recruitment agency timesheet and payment processes?
4. Have you ever been paid late because of delays in processing paperwork or timesheets?
5. Have you ever missed a credit card, rent, mortgage or other debt repayment because an agency paid you late?
6. Do delays to payment affect people’s attitudes to work, their employers or productivity?
7. If a recruitment agency has its data stolen, is it the fault of the companies that provide its IT services or make its software?
8. If a recruitment agency has its data stolen by an internet hacker, is it fair to blame the agency?
9. Is it fair to blame the agency if your data was stolen by an ‘insider’, someone employed by the agency?
10. Have you heard about GDPR, the new data security standard?
There is a significant opportunity for many recruitment firms to exploit GDPR to obtain competitive advantage.
The opportunity provides the chance to explore the potential for: