Understanding the difference between Data compliance and GDPR settings

Available for:
  • Roles: Super Admin, Admin
  • Permissions: Manage compliance settings
  • Packages: Lever Basic, LeverTRM, LeverTRM for Enterprise

 

This article describes updates to data compliance settings included in our 2023 Fall release. With this product update, Lever will migrate customers with local data compliance enabled. Countries with the lawful basis set as ‘Candidate Consent’ will be updated to ‘Legitimate Interest’ for storage and ‘Explicit Consent’ for future job opportunities. Countries with the lawful basis set as ‘Legitimate Interest’ will be updated to ‘Legitimate Interest’ for both storage and future job opportunities.

In Lever, there are two different data privacy settings: (1) Data compliance and (2) GDPR. These settings are mutually exclusive, meaning you can only have one enabled at any given time. The settings that you should configure will depend on how your talent acquisition team manages the collection, retention, and anonymization of personally identifiable candidate information. This article describes the differences between the two settings, so you can choose the one that best suits your organization, and provides instructions on how to enable each option.

To learn more about the different data privacy settings, refer to the following help articles:

Differences in data management for Data compliance and GDPR

Refer to the table below for a breakdown of how personally identifiable candidate information is collected, retained, and anonymized when either 'Data compliance by location' or 'GDPR' settings are enabled.

The three configurations compared are GDPR, Data Compliance by Location (DCL) before the Fall 2023 release, and Data Compliance by Location (DCL) in the Fall 2023 release.

Can be enabled and configured by...
  • GDPR: Super Admin
  • DCL before Fall 2023 release: Super Admin, Admin
  • DCL Fall 2023 release: Super Admin, Admin

Location is determined by...
  • GDPR: The candidate's IP address.
  • DCL before Fall 2023 release: The location of the posting associated with the candidate's opportunity.
  • DCL Fall 2023 release: The location of the posting associated with the candidate's opportunity.

Lawful basis is determined by...
  • GDPR: A singular policy set at an account level.
  • DCL before Fall 2023 release: A policy level (country-by-country).
  • DCL Fall 2023 release: Purpose level: storage and marketing are separated so that candidates can provide individual responses based on your company's configuration.

Lawful basis: Legitimate interest

Candidate data is retained based on...
  • GDPR: The jurisdiction and retention period configured in GDPR settings.
  • DCL before Fall 2023 release: Country-specific retention period*
  • DCL Fall 2023 release: Country-specific retention period*

Anonymization reminders are sent based on...
  • GDPR: The jurisdiction and retention period configured in GDPR settings.
  • DCL before Fall 2023 release: Country-specific retention period*
  • DCL Fall 2023 release: Country-specific retention period*

Consent links are sent based on...
  • GDPR: The jurisdiction and retention period configured in GDPR settings.
  • DCL before Fall 2023 release: Country-specific retention period*
  • DCL Fall 2023 release: Country-specific retention period*

The Privacy Policy notice is...
  • GDPR: Included at the bottom of the application.
  • DCL before Fall 2023 release: Included at the bottom of the application.
  • DCL Fall 2023 release: Included at the bottom of the application if Legitimate Interest is enabled for storage.

Lawful basis: Candidate/Explicit Consent 

With the 2023 Fall update, ‘Candidate Consent’ will be called ‘Explicit Consent.’ This aligns with the legal terminology that is commonly used and is more reflective of what is being asked of the candidate.

Candidate consent is captured based on...
  • GDPR: The jurisdiction and retention period configured in GDPR settings.
  • DCL before Fall 2023 release: Country-specific retention period*
  • DCL Fall 2023 release: Country-specific retention period*

Consent refresh reminders are sent based on...
  • GDPR: The jurisdiction and retention period configured in GDPR settings.
  • DCL before Fall 2023 release: Country-specific retention period*
  • DCL Fall 2023 release: Country-specific retention period*

For more detail, see our help article on collecting candidate consent for data retention.

Application page reflects...
  • GDPR: The jurisdiction and retention period configured in GDPR settings.
  • DCL before Fall 2023 release: Country-specific retention period*
  • DCL Fall 2023 release: Country-specific retention period*

For candidates with multiple opportunities in different locations...
  • GDPR: Consent is extended based on the retention period configured in GDPR settings.
  • DCL before Fall 2023 release: Consent is extended based on the shortest retention period configured for all applicable countries.
  • DCL Fall 2023 release: Consent is extended based on the shortest retention period configured for all applicable countries.

Providing consent for storage

Candidates do not have the opportunity to consent to storage. The only way to revoke storage consent is to be sent an email through the Lever system (consent link) and update their preferences in the data-requests tab (submit a request for removal).

Candidates are prompted to provide or revoke consent for marketing and storage collectively. Both their marketing and storage consents are updated and kept in sync.

The two types of consent are differentiated in the text that prompts the candidate to provide consent, but the consent types cannot be updated separately.

The consent checkbox is optional.

If Explicit Consent is enabled for storage, the associated checkbox will be required to submit the application.

This is because the basis behind using Explicit Consent is that in order to legally store and process the candidate’s data, you must obtain their clear, explicit consent first.

The consent checkbox is required.

Providing consent for marketing

Candidates can provide consent for marketing.

The consent checkbox is optional.

If Explicit Consent is enabled for marketing, the associated checkbox will be optional.
Behavior of Retention Period & Anonymization

Candidate anonymization can be completed...
  • GDPR: Via a candidate's profile or pipeline bulk action by any user with access to the corresponding profile(s). The pipeline can be filtered for opportunities in need of anonymization based on consent status and the amount of time until anonymization is required. See our help article on candidate anonymization for more detail.
  • DCL before Fall 2023 release: Via a candidate's profile by any user with access to the corresponding profile(s). The pipeline cannot be filtered for opportunities in need of anonymization based on consent status and the amount of time until anonymization is required. By Super Admins and Admins via the 'Candidate Data' tab on the Data compliance setting page. See our help article on candidate anonymization for more detail.
  • DCL Fall 2023 release: Via a candidate's profile by any user with access to the corresponding profile(s). The pipeline cannot be filtered for opportunities in need of anonymization based on consent status and the amount of time until anonymization is required. By Super Admins and Admins via the 'Candidate Data' tab on the Data compliance setting page. See our help article on candidate anonymization for more detail.

When a candidate's opportunity is anonymized...
  • GDPR: All personally identifiable candidate data fields will be anonymized on the frontend and backend of the system.
  • DCL before Fall 2023 release: All personally identifiable candidate data fields will be anonymized on the frontend of the system. Only those fields selected for anonymization as per the country-specific configuration will be anonymized on the backend of the system.
  • DCL Fall 2023 release: All personally identifiable candidate data fields will be anonymized on the frontend of the system. Only those fields selected for anonymization as per the country-specific configuration will be anonymized on the backend of the system.

Number of retention periods permitted
  • GDPR: One for Legitimate interest, two for Candidate Consent.
  • DCL before Fall 2023 release: One retention period PER country regardless of the lawful basis.
  • DCL Fall 2023 release: One retention period PER country regardless of the lawful basis. Anonymization is based on the opportunity’s storage status.

Retention period for Legitimate Interest
  • GDPR: Starts once the opportunity is archived, meaning the opportunity will need to be anonymized X time period from when they were archived.
  • DCL before Fall 2023 release: Starts once the opportunity is archived, meaning the opportunity will need to be anonymized X time period from when they were archived.
  • DCL Fall 2023 release: Starts once the opportunity is archived, meaning the opportunity will need to be anonymized X time period from when they were archived.

Retention period for Candidate Consent / Explicit Consent
  • GDPR: Starts when the candidate enters the system. This means it is possible for a candidate's consent to expire before their opportunity is archived. If a candidate still has an active opportunity and their consent expires, they need to be anonymized until they are archived. The Candidate Consent setting also enables you to set an additional retention period. This retention period is added on to the candidate’s original consent period if they have provided consent and it has not expired yet. Otherwise, the additional retention period functions the same as the Legitimate Interest retention period and begins upon archival.
  • DCL before Fall 2023 release: Starts once the opportunity is archived, meaning the opportunity will need to be anonymized X time period from when they were archived.
  • DCL Fall 2023 release: Starts once the opportunity is archived, meaning the opportunity will need to be anonymized X time period from when they were archived.

Updating Retention Period

Updating a retention period…
  • GDPR: CAN have a retroactive effect.
  • DCL before Fall 2023 release: DOES have a retroactive effect.
  • DCL Fall 2023 release: CAN have a retroactive effect.

The storage consent retention period…

If the store retention period is modified after candidates have already entered the Lever system, those candidates ARE affected.

i.e., if the storage time was set to 2 years and later gets extended to 3 years, candidates will be stored according to the updated policy of 3 years.

If the consent retention period is modified after candidates have already consented, those candidates ARE affected. This affects both marketing and store consent because the two are treated as the same under the compliance policy system.

i.e., if a candidate consented for 2 years and the company later changes their retention policy to 3 years, the candidate’s consent will be updated to expire according to the new 3 year policy. 

It is possible for a candidate’s data to be retained for longer than they had consented to, and for the candidate to be contacted past the period that they consented to.

If the consent retention period is modified after candidates have already consented, those candidates ARE NOT affected. Historical candidates added before the Fall 2023 update ARE affected.

 

i.e., if a candidate consented to be contacted for 2 years and the company later changes their policy to 3 years, the candidate's consent will still expire after 2 years.


If a candidate applied under a Legitimate Interest policy, their retention period will match the current retention period for that policy. Those candidates ARE affected.

The marketing consent retention period…

If the marketing consent retention period is modified after candidates have already consented, those candidates are NOT affected.

i.e., if a candidate consented to be contacted for 2 years and the company later changes their policy to 3 years, the candidate's consent will still expire after 2 years.

* Provided the candidate's opportunity is linked to a posting with a location for which a compliance policy applies

Enabling Data compliance by location and GDPR

Important note regarding the December 2022 product update

In December 2022, a product update removed the ability for Lever environments to have both 'Data compliance' and 'GDPR' settings enabled at the same time. Following the release of this update, a Lever environment can only have either the 'Data compliance' setting enabled or the 'GDPR' setting enabled, but not both. If you had both 'Data compliance' and 'GDPR' enabled prior to December 2022, the 'Data compliance' setting will have been disabled with the release of the product update and your Lever environment will have reverted to solely relying upon your GDPR configuration to manage data collection, retention, and anonymization. Any country-specific data retention periods that you configured in your 'Data compliance' setting prior to December 2022 will have been saved. To restore your country-specific data retention periods, re-enable the 'Data compliance' setting (instructions below).

Enabling Data compliance by location

To enable the 'Data compliance' setting:


If you have GDPR enabled in your Lever environment, the data compliance toggles on this settings page will be greyed out and inaccessible. In order to enable country-specific data compliance settings, you must first disable GDPR. To disable GDPR:

  • Navigate to Settings > Company > Compliance
  • Click Edit configuration on the GDPR policy summary tile
  • In the GDPR policy editor, click the ellipses (⋯) button and select Disable GDPR

Close up of GDPR policy editor with 'Disable GDPR' option extending from ellipses button

  • In the popover, type the word "Disable" in the text field and click the Disable GDPR button

Enabling GDPR

 

If you had GDPR enabled prior to the December 2022 product update, it will have remained enabled following the release of the update.

To enable GDPR:

  • Navigate to Settings > Company > Compliance
  • Click the Setup GDPR button. This will open the GDPR policy editor, in which you can configure your GDPR policy. For more details on GDPR setup, refer to our help article on configuring GDPR settings.

Compliance page in Company settings with close up on 'Setup GDPR' button.

If you have any country-specific data compliance configurations enabled at the time that you set up GDPR, those configurations will be automatically disabled once GDPR is enabled.
