INFORMATION SERVICES: CV Insight, How thoughtful IT can scupper employment fraud
Personal data is the lifeblood of CV Insight, a leading pre-employment screening agency based in Harpenden, Herts. But the new and mandatory EU General Data Protection Regulation (GDPR) is tightening up on personal information security, so how could Assign-IT help?
CV fraud is on the rise. More and more company HR departments are hiring specialists to vet job applications in an increasingly competitive recruitment market given austerity, high demand by employers for degrees in jobs that don’t require them, and stringent new EU data protection laws.
For the expanding pre-employment screening agency, CV Insight, the way it receives, stores and uses large amounts of personal data is now governed by the EU’s GDPR (effective from May 25 2018) and the UK’s Data Protection Act 2018, a new, wide-ranging set of laws affecting all companies and their data processing activities linked with the EU.
- Provide ongoing IT support
- Prepare for compliance with the EU’s General Data Protection Regulation (GDPR) by adopting the IASME information security framework
- Prepare and certify for the national cyber-security standards schemes Cyber Essentials and Cyber Essentials Plus
- Assist in preparing for ISO 27001 accreditation by independent assessors
GDPR means businesses could receive heavy fines from the EU if they cannot clearly show they have taken all reasonable measures to secure personal/customer data – the key commodity handled daily by the agency in a plethora of credit, identity and educational/professional background checks.
Clients want cast-iron assurance that their data is safe
“We’ve never had anything close to a security breach,” says CV Insight director and joint founder Alex. “But we now have more than 100 clients, including large customers such as retail banks, investment banks and software houses, and a major client has urged us to get certified for the internationally recognised standard ISO 27001, which covers general information security management.”
There was only one snag: although ISO 27001 covers a huge range of regulations and some of the GDPR, it does not cover all parts of the regulation. How could the agency be sure it was fully compliant? Clients wanted cast-iron assurance that their personal data was safe. The question was: how to get there? Enter Assign-IT.
“We also had to find a specialist IT company that could give us more proactive, day-to-day support than we were getting,” says Alex. The main catalyst was a constant flow of GDPR detail coming into the office and the desire to get the required accreditations. They were also about to move offices. “Then our website development company recommended Assign-IT.”
Assign-IT support by phone, web or visit
The change was fast. Assign-IT started in earnest after Christmas but really sold themselves earlier when they talked about GDPR, said what was needed, and spelled out the similarities between ISO and IASME, a national information security accreditation scheme that also covers GDPR compliance rules and is particularly suited for SMEs. “They were just so helpful,” says Alex.
What’s more, Assign-IT could ensure the GDPR laws not covered by ISO 27001 accreditation were still complied with by the agency. As an official certification body for IASME, Assign-IT knew GDPR standards backwards and could easily ensure full compliance, saving CV Insight the considerable additional expense and hassle on top of an already expensive ISO standard.
So how did Assign-IT fare in their first six weeks? “To support our IT infrastructure, they immediately took on all our internal laptop support and data and online backups. To ensure we are up to speed for our forthcoming Cyber Essentials accreditation, they changed our anti-virus protection and replaced a number of laptops to meet the required standard.
‘It just takes an asset tag name to fix laptops remotely’
“When a laptop goes down, Assign-IT just needs us to send over the relevant asset tag name, they connect remotely and can normally fix it straightaway via the agent installed on each machine.
“They were in the office several times, first coming on board when we were in our old premises. They then helped us move into another office – our landlord had closed the old one rather suddenly. Assign-IT even brought in a new router during the move just so we could get back up and running again immediately.
“What I like about them is I can get through to their support any time; they are easy to work with, quick to respond and they provide recommendations. The other day they contacted me on their own initiative to suggest we implement a new shutdown policy for our laptops, another great step towards bolstering our information security practices.
“Ask a question and they’ll genuinely try to answer it. They also show you what the problem is so you can avoid it in future.”
Personal document attachments no longer allowed
CV Insight uses an external company to store its data – all personal data is uploaded through a secure website. But Assign-IT highlighted the now even tighter controls required by GDPR, meaning, for instance, that the agency has to direct candidates to upload documents such as passport scans onto a secure website rather than emailing them unencrypted.
The agency is also about to move again to permanent premises and assume control of all its infrastructure – another job for Assign-IT, which has already checked out the new offices for switches, number of laptops needed and type of internet line, and liaised with the landlord on the agency’s behalf in order to get it done early.
“They’ve put all the infrastructure in place, and set up the necessary disaster recovery measures, information storage, and management information systems to meet IASME and ISO 27001 standards. We then just have to turn up, plug in our laptops and phones and get cracking.”
Once the dust has settled, CV Insight plans to complete the process of gaining the national cyber-security qualifications, Cyber Essentials and Cyber Essentials Plus, for which Assign-IT is a certification body. Alex concludes: “We really want to show our clients that we’ll leave no security stone unturned.”