For Recruitment Firm Founders

Someone just got into your Gmail.
The 72-hour clock is already running.

Your business runs on Candidate PII — names, CVs, salary expectations, contact histories. Every candidate you have ever spoken to. One compromised account means the ICO gets a call within 72 hours. Not a choice. A legal obligation.

GDPR notification window remaining: 38 hours 14 minutes 07 seconds
Data Exfiltration confirmed. Attacker accessed Gmail for 4 days before detection.
Candidate PII exposed. 3,200 candidate records — CVs, contact details, salary data.
ICO report outstanding. Article 33 requires notification. No MFA log to show as mitigation.
Client contracts at risk. Two enterprise clients have data handling clauses. Legal reviewing.
Bulwark clients: MFA enforced. DMARC active. Incident log ready for ICO submission.
£17.5M: maximum ICO fine for a serious GDPR breach (4% of global turnover)
72 hours: to report a breach to the ICO. The clock starts the moment you know.
£13k: average lost placement revenue from a total business halt of just one week
94%: of breaches start with a compromised email account
The Liability Stack

A Gmail hack isn't an IT problem. It's a liability event with three fronts.

The ICO fine is the number everyone quotes. It's rarely the largest cost. The real damage comes from three directions at once, and they all land before you've had time to brief a solicitor.

Liability 01: £17.5M maximum ICO fine

Regulatory Liability

Recruitment firms are data controllers under UK GDPR. You hold Candidate PII: full names, home addresses, salary histories, employment records. When that data is accessed without authorisation — through a compromised inbox, a phishing link, an account with no MFA — you are legally obligated to report it within 72 hours.

The ICO's first question is always the same: what security measures were in place? "We hadn't got round to enabling MFA" is not a mitigation. It is an aggravating factor.

→ Bulwark builds your ICO evidence trail
Liability 02: total halt, the business continuity cost

Commercial Liability

A compromised Google Workspace doesn't just expose data — it stops your business. Every inbox is inaccessible while you investigate. Every candidate submission in-flight goes silent. Every client relationship you are actively managing goes dark. A total business halt at a 10-person recruitment firm costs £10,000–£18,000 in missed placements in a single week.

Enterprise clients with data handling clauses in their contracts have grounds to terminate. That relationship took 18 months to build.

→ Bulwark includes daily backup — your data restored in hours, not weeks
Liability 03: personal director liability

Candidate Liability

The candidates whose data was exposed are data subjects with rights. They are entitled to know. They can make Subject Access Requests. They can claim compensation under Article 82 if they suffer harm — financial, reputational, or emotional distress — as a result of the breach. Each candidate is a separate claimant.

As founder and registered data controller, you carry this liability personally. An ICO enforcement notice names the data controller, not the limited company alone.

→ Bulwark's monthly reports prove you acted in good faith
The 72-Hour Reality

What the first three days actually look like.

The 72-hour GDPR reporting window is not 72 hours to fix the problem. It is 72 hours to report it — whether you have fixed it or not. Here is the realistic sequence for a recruitment firm without the right controls in place.

Hour 0 — Monday 07:14

Attacker enters via phished Gmail credentials

A consultant clicked a "shared drive" link on Friday. The attacker now has full inbox access. They have read four days of email, including candidate submissions, salary negotiations and client briefs, and have exfiltrated 3,200+ candidate records.

Hour 31 — Tuesday 14:22

Anomaly spotted. Panic begins.

A candidate reports receiving a phishing email from your consultant's address. You check the account. You see the login from an IP in Eastern Europe. You now have legal awareness of a breach. The 72-hour clock started 31 hours ago.

Hour 38 — Tuesday 21:08

Solicitor briefed. No incident log exists.

Your solicitor asks for your security policy, your MFA records, your access logs. You have none. There is nothing to show the ICO as evidence of good-faith compliance. The absence of documentation is itself a finding in an enforcement investigation.

Hour 58 — Wednesday 17:00

ICO report submitted. Business halted.

You report. Your inbox is still inaccessible during forensic review. Three enterprise clients have called. You cannot tell them the scope of exposure because you have no audit trail. Two are reviewing their contracts.

With Bulwark — Same breach, different outcome

Incident detected at Hour 0. Contained at Hour 2.

24/7 endpoint monitoring flags the anomalous login. MFA blocks lateral movement. Activity logs show exactly which data was accessed. Bulwark prepares the ICO submission. Your clients get a factual briefing within 4 hours. Business continues.

ICO Investigation — Your Responses (High Risk)
Q1 — Was MFA enforced on all accounts?
No. It was optional. We recommended it.
Q2 — When were you first aware of the breach?
Tuesday afternoon. But the login logs show Monday morning.
Q3 — What access controls govern Candidate PII?
It's all in Gmail. We don't have a formal access policy.
Q4 — Do you have a Data Processing Agreement?
We have a privacy policy on our website.
Q5 — Can you provide an audit log of who accessed the data?
No. We don't have those controls in place.
Every "No" in an ICO investigation is an aggravating factor that increases the likelihood of a formal enforcement notice and a larger fine. Turning every one of these answers into a "Yes" requires nothing more than a properly configured Google Workspace.
Same Questions — With Bulwark (Mitigated)
Q1 — Was MFA enforced on all accounts?
Yes. Enforced and logged. Evidence attached.
Q3 — What access controls govern Candidate PII?
Documented access policy. Shared Drive permissions scoped by role.
Q5 — Can you provide an audit log?
Yes. Workspace Admin audit log exported. 90-day retention.
The Managed Security Stack

Everything the ICO expects to already be in place.

Bulwark builds and maintains the technical controls that turn an ICO investigation from an enforcement action into a closed case. Not a checkbox exercise — the actual configuration, the actual logs, and a consultant who knows what each control means in a breach scenario.

MFA Enforced Across Every Account

Not recommended. Not optional. Enforced at the Admin Console level — no account can log in without a second factor. This is the single control the ICO looks for first and the one most firms have not actually turned on.

→ Candidate PII requires a key the attacker doesn't have

DMARC, DKIM, SPF — Enforced

Your email domain is the mechanism by which candidates and clients trust you. Without DMARC enforcement, anyone can send email from your domain. The phishing attack that compromised your consultant's credentials probably came from a spoofed version of a client address. Bulwark closes that door.

→ No one impersonates your firm to your candidates
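Added example, not Bulwark's tooling, showing what "enforced" means for the records this section names: a small Python checker reads a DMARC record and an SPF record and reports whether they would actually make receiving mail servers reject spoofed mail, rather than merely monitor it. The records are constructed for a hypothetical domain; a live check would fetch your own domain's TXT records from DNS.

```python
"""Classify DMARC and SPF TXT records by the spoofing protection they actually give.
Added example, not Bulwark's tooling; records below are constructed, not fetched."""
from dataclasses import dataclass

@dataclass
class DmarcAssessment:
    policy: str            # p= tag, or "none" when the record is missing/invalid
    subdomain_policy: str  # sp= tag, defaulting to p= as RFC 7489 specifies
    pct: int               # share of failing mail the policy is applied to
    reporting: bool        # rua= present, so spoofing attempts are at least visible
    enforcing: bool        # receivers will reject or quarantine every spoofed message

def parse_tags(record: str) -> dict:
    """Split 'k=v; k=v' into a dict, tolerating whitespace and a trailing ';'."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record):
    tags = parse_tags(record or "")
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return DmarcAssessment("none", "none", 0, False, False)
    policy = tags["p"].lower()
    pct = int(tags.get("pct", "100"))
    # p=none only monitors; pct<100 still lets a slice of spoofed mail through
    enforcing = policy in ("reject", "quarantine") and pct == 100
    return DmarcAssessment(policy, tags.get("sp", policy).lower(), pct, "rua" in tags, enforcing)

def spf_hard_fails(record):
    """True only for '-all' (hard fail); '~all' (soft fail) and '+all' are not enforcement."""
    terms = (record or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return False
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        if term.lstrip("+-~?").lower() == "all":
            return qualifier == "-"
    return False  # no 'all' mechanism at all: neutral result, so not enforcing

# Constructed sample records for a hypothetical firm's domain
SAMPLES = {
    "monitoring_only": "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid",
    "partial": "v=DMARC1; p=quarantine; pct=25",
    "enforced": "v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid;",
    "spf_soft": "v=spf1 include:_spf.google.com ~all",
    "spf_hard": "v=spf1 include:_spf.google.com -all",
}
```

A record with p=none and a rua= address is the common "we have DMARC" state that still lets anyone send as your domain; only p=reject or p=quarantine at pct=100 closes the door this section describes.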

Audit Logs — Retained and Reportable

Google Workspace logs every login, every file access, every admin action. By default, most firms never look at them. Bulwark monitors them monthly and retains export snapshots — so when the ICO asks for an access log from the month before a breach, you can produce one in hours, not "we don't have that."

→ Your Data Exfiltration exposure window becomes provable and bounded
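Added example, not Bulwark's tooling, tying this section to the Hour 0 / Hour 31 timeline above: given exported login events and the moment you became aware, it finds the first successful login from outside the office's known addresses, the dwell time before awareness, which accounts were touched, and the Article 33 deadline with the hours left on it. The events, addresses and field names are constructed assumptions, not the real Workspace export format.

```python
"""Bound the exposure window and the Article 33 deadline from login audit events.
Added example, not Bulwark's tooling. The events are constructed to mirror the
timeline above; the field names are assumptions, not the Workspace export schema."""
from datetime import datetime, timedelta

NOTIFICATION_WINDOW = timedelta(hours=72)  # UK GDPR Article 33, from the moment of awareness

# Office egress addresses the firm recognises (constructed, documentation ranges)
TRUSTED_IPS = {"203.0.113.10", "203.0.113.11"}

# Constructed login events: Friday office login, then an unfamiliar address on Monday 07:14
SAMPLE_EVENTS = [
    {"time": "2024-03-08T16:40:00", "user": "consultant@example.invalid", "ip": "203.0.113.10", "success": True},
    {"time": "2024-03-11T07:14:00", "user": "consultant@example.invalid", "ip": "198.51.100.77", "success": True},
    {"time": "2024-03-11T07:16:00", "user": "consultant@example.invalid", "ip": "198.51.100.77", "success": True},
    {"time": "2024-03-12T09:02:00", "user": "consultant@example.invalid", "ip": "203.0.113.11", "success": True},
    {"time": "2024-03-12T10:30:00", "user": "finance@example.invalid", "ip": "198.51.100.77", "success": False},
]

def untrusted_logins(events, trusted_ips):
    """Successful logins from outside the trusted set, oldest first (failed attempts excluded)."""
    hits = [e for e in events if e["success"] and e["ip"] not in trusted_ips]
    return sorted(hits, key=lambda e: datetime.fromisoformat(e["time"]))

def breach_timeline(events, trusted_ips, aware_at, now):
    """Dwell time before awareness, affected accounts, and the Article 33 reporting deadline."""
    aware = datetime.fromisoformat(aware_at)
    current = datetime.fromisoformat(now)
    hits = untrusted_logins(events, trusted_ips)
    entry = datetime.fromisoformat(hits[0]["time"]) if hits else None
    deadline = aware + NOTIFICATION_WINDOW
    return {
        "first_untrusted_login": hits[0]["time"] if hits else None,
        "accounts": sorted({e["user"] for e in hits}),
        "dwell_hours": round((aware - entry).total_seconds() / 3600, 2) if entry else None,
        "report_deadline": deadline.isoformat(),
        "hours_left_to_report": round((deadline - current).total_seconds() / 3600, 2),
    }
```

Without retained login events the first two fields are simply unknown, which is the "no bounded scope" position the page describes.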

24/7 Endpoint Threat Detection

Every managed endpoint is monitored for behavioural anomalies — the kind of activity that precedes a full Data Exfiltration event. Average time from detection to response: 8 minutes. Average attacker dwell time in unprotected environments: 21 days. That is 21 days of Candidate PII visible to someone who should not have it.

→ 8-minute response vs. 21-day dwell time

Monthly Compliance Report

Every month, you receive a written security review covering MFA status, sharing permissions, email authentication, device compliance, and any risk items. This report is your evidence of ongoing good faith. It is the document your solicitor hands to the ICO to demonstrate that you were not negligent — you were actively managing your obligations.

→ GDPR Insurance built from documented, consistent action

Daily Backup — Business Continuity

If a breach triggers a total business halt, how long before you are operational again? Without backup, the answer is: whenever Google can restore your data, if they can. With Bulwark, your Workspace data — emails, Drive, candidate files — is backed up daily and restorable within hours. The business halt costs days, not weeks.

→ £13k/week halt becomes a £1k/day recovery
The GDPR Insurance Argument

You pay for professional indemnity insurance. You should have this too.

Your PI insurance covers claims arising from professional errors. It does not cover ICO fines. It does not cover the cost of a breach investigation. It does not restore a client relationship damaged because their candidates' salary data was exposed. That is what GDPR Insurance looks like in practice — not a policy, but a technical posture that means a breach never reaches the level that triggers a fine.

At £85/user/month, a 12-person recruitment firm pays £1,020/month for complete Workspace security, endpoint protection, backup, and audit evidence. That is the cost of approximately one missed placement. It is not the cost of a GDPR enforcement notice.

Book a Free Security Audit
Without Bulwark
MFA optional — attacker enters on first try
No audit logs — ICO cannot be given evidence
DMARC absent — your domain spoofed against candidates
No endpoint detection — 21-day attacker dwell time
No backup — total halt until Google restores
ICO investigation: no mitigation evidence to present
Candidate PII exposed with no bounded scope
With Bulwark
MFA enforced — credential theft stops at login
Monthly audit logs retained — ICO report-ready
DMARC enforced — your domain is yours
24/7 monitoring — 8-minute avg threat response
Daily backup — business restored in hours, not weeks
Monthly report — documented good-faith compliance
Data Exfiltration scope known and bounded on day one
Free Audit — No Obligation

Find out if your firm would survive a 72-hour GDPR window.

A free 45-minute audit of your Google Workspace against 20 security and compliance controls. We look at MFA, DMARC, access permissions, Data Exfiltration risk, and the five questions the ICO asks first. You get a scored PDF with every finding. No contract, no pressure.

45 minutes. Delivered as a PDF within 48 hours. No contract required.