Next month, we all face a major regulatory change that will impact the way we manage and store candidate and employee data, due to the General Data Protection Regulation (GDPR).

As these new regulations have the potential to negatively impact the processes of attracting talent and manage hiring, we’re working hard to ensure we are keeping our clients ahead of these changes.

What is the GDPR?

The GDPR is EU-wide legislation that will replace the Data Protection Act 1998 in the UK. Intended to strengthen and unify data protection for all individuals within the European Union (EU), it also addresses the export of personal data outside the EU. The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

Although many companies have already adopted privacy processes and procedures consistent with the directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-compliant data controllers and processors once it goes into effect.

While not yet required for the Americas, GDPR requirements apply to each member state of the European Union, aiming to create more consistent protection of consumer and personal data across EU nations.

What is the Purpose of the GDPR?

The purpose of the GDPR is to provide a standard set of data protection laws across all member countries so that EU citizens can clearly understand how their data is being used or raise any complaints.

What are the key privacy and data protection requirements of the GDPR?

• Requiring the consent of subjects for data processing
• Anonymizing collected data to protect privacy
• Providing data breach notifications
• Safely handling the transfer of data across borders
• Requiring certain companies to appoint a data protection officer to oversee GDPR compliance

What is a Data Controller, and What is a Data Processor?

•  Data Controller - A controller determines the purposes and means of processing personal data.
• Data Processor - A processor is responsible for processing personal data on behalf of a controller.

Who is the Data Controller in the Harri-Customer relationship?

Job seekers set up personal profiles within Harri which the job seeker can use to apply for jobs with any and all of Harri’s customers. This data is controlled by Harri until the job seeker deletes the profile. The data is shared with Harri's customers when a job seeker applies for a role with the customer. 

The customer then becomes a controller with regards to any other personal data of the candidate added by the customer during the hiring process. As Harri and its customers both make decisions on how the personal data of the candidate is processed, both Harri and its customer are deemed to be joint controllers.

What is Harri doing to ensure compliance?

Harri takes the protection of personal data very seriously, as it underpins everything we do. We continue to take advice from our legal partners, and we have enlisted the support of industry experts to ensure that we remain compliant.

Here is how we’ll support our customers:

• An updated Data Sharing Arrangement to reflect GDPR requirements and ensure compliant data transfer with processing outside of the EU and the EEA.
• New product capabilities to assist in compliance with the rights of the data subject. 
• Allowing you direct communication to our Data Protection Officer (DPO) simply by emailing dpo@harri.com.

Here is how we’ll support our candidates:

• Log-In/Sign-Up Disclaimer: When a candidate logs into or signs up for Harri, they will be notified that you, the client, are using Harri as its provider of applicant tracking software. The disclaimer explains that both you and Harri wish to keep and handle their information appropriately. The disclaimer invites the candidate to visit our Fair Processing Notice for more information on how Harri will use their data.  
• Job Post Disclaimer: When a candidate views a job post, they will be notified that you, the client, are using Harri as its provider of applicant tracking software. The disclaimer explains that both you and Harri wish to keep and handle their information appropriately. The disclaimer invites the candidate to visit our Fair Processing Notice for more information on how Harri will use their data.  
• Career Portal Job Alerts Disclaimer: When a candidate chooses to receive job alerts, they will receive a disclaimer stating that by clicking ‘submit’ they have chosen their consent to use the provided data to receive job alerts relevant to the positions and job types they have selected. The candidates are notified that if they change their mind and do not want to be contacted with this information, they can unsubscribe or update their preferences. The disclaimer notes that you, the client, are the data controller and will only use the candidates’ data as explained in our privacy policy.
• E-mail Signature to Walk-In Employees & Uploaded CSVs: If a candidate is a walk-in, they will receive a notification inviting them to see your Fair Processing Notice. They will also be directed to Harri’s Fair Processing Notice if they wish to learn how Harri will use their data. 
• Fair Processing Notices: We provide candidates with access to our clients’ Fair Processing Notices so our candidates know how you, the client, manage their data.

We look forward to assisting your company in their mission to protect the privacy rights of your employees.