Understanding the difference between Data compliance and GDPR settings

Available for
Roles: Super Admin, Admin
Permissions: Manage compliance settings
Packages: Lever Basic, LeverTRM, LeverTRM for Enterprise

In Lever, there are two different data privacy settings: (1) Data compliance and (2) GDPR. These settings are mutually exclusive, meaning you can only have one enabled at any given time. The setting that you should configure will depend on how your talent acquisition team manages the collection, retention, and anonymization of personally identifiable candidate information. This article describes the differences between the two settings, so you can choose the one that best suits your organization, and provides instructions on how to enable each option.

To learn more about the different data privacy settings, refer to the following help articles:

Differences in data management for Data compliance and GDPR

Refer to the table below for a breakdown of how personally identifiable candidate information is collected, retained, and anonymized when either 'Data compliance' or 'GDPR' settings are enabled.

|  | Data compliance | GDPR |
| --- | --- | --- |
| Can be enabled and configured by... | Super Admin, Admin | Super Admin |
| Location is determined by... | The location of the posting associated with the candidate's opportunity | The candidate's IP address |
| Lawful basis: Candidate consent |  |  |
| Candidate consent is captured based on... | Country-specific retention period* | The jurisdiction and retention period configured in GDPR settings |
| Consent refresh reminders are sent based on... | Country-specific retention period* For more detail, see our help article on collecting candidate consent for data retention. | The jurisdiction and retention period configured in GDPR settings. For more detail, see our help article on collecting candidate consent for data retention. |
| Application page reflects... | Country-specific retention period* | The jurisdiction and retention period configured in GDPR settings |
| For candidates with multiple opportunities in different locations... | Consent is extended based on the shortest retention period configured for all applicable countries | Consent is extended based on the retention period configured in GDPR settings |
| Lawful basis: Legitimate interest |  |  |
| Candidate data is retained based on... | Country-specific retention period* | The jurisdiction and retention period configured in GDPR settings |
| Anonymization reminders are sent based on... | Country-specific retention period* | The jurisdiction and retention period configured in GDPR settings |
| Unsubscribe links are sent based on... | Country-specific retention period* | The jurisdiction and retention period configured in GDPR settings |
| Anonymization |  |  |
| Candidate anonymization can be completed... | Via a candidate's profile by any user with access to the corresponding profile(s). The pipeline cannot be filtered for opportunities in need of anonymization based on consent status and the amount of time until anonymization is required. By Super Admins and Admins via the 'Candidate Data' tab on the Data compliance setting page. See our help article on candidate anonymization for more detail. | Via a candidate's profile or pipeline bulk action by any user with access to the corresponding profile(s). The pipeline can be filtered for opportunities in need of anonymization based on consent status and the amount of time until anonymization is required. See our help article on candidate anonymization for more detail. |
| When a candidate's opportunity is anonymized... | All personally identifiable candidate data fields will be anonymized on the frontend of the system. Only those fields selected for anonymization as per the country-specific configuration will be anonymized on the backend of the system. | All personally identifiable candidate data fields will be anonymized on the frontend and backend of the system. |

* Provided the candidate's opportunity is linked to a posting with a location for which a compliance policy applies

Enabling Data compliance and GDPR

Important note regarding the December 2022 product update

In December 2022, a product update removed the ability for Lever environments to have both 'Data compliance' and 'GDPR' settings enabled at the same time. Following the release of this update, a Lever environment can only have either the 'Data compliance' setting enabled or the 'GDPR' setting enabled, but not both. If you had both 'Data compliance' and 'GDPR' enabled prior to December 2022, the 'Data compliance' setting will have been disabled with the release of the product update and your Lever environment will have reverted to solely relying upon your GDPR configuration to manage data collection, retention, and anonymization. Any country-specific data retention periods that you configured in your 'Data compliance' setting prior to December 2022 will have been saved. To restore your country-specific data retention periods, simply re-enable the 'Data compliance' setting (instructions below).

Enabling Data compliance

To enable the 'Data compliance' setting:

Data compliance settings page

If you have GDPR enabled in your Lever environment, the data compliance toggles on this settings page will be greyed out and inaccessible. In order to enable country-specific data compliance settings, you must first disable GDPR. To disable GDPR:

  • Navigate to Settings > Company > Compliance
  • Click Edit configuration on the GDPR policy summary tile
  • In the GDPR policy editor, click the ellipsis (⋯) button and select Disable GDPR

Close up of GDPR policy editor with 'Disable GDPR' option extending from ellipsis button

  • In the popover, type the word "Disable" in the text field and click the Disable GDPR button

Enabling GDPR

If you had GDPR enabled prior to the December 2022 product update, it will have remained enabled following the release of the update.

To enable GDPR:

  • Navigate to Settings > Company > Compliance
  • Click the Setup GDPR button. This will open the GDPR policy editor, in which you can configure your GDPR policy. For more details on GDPR setup, refer to our help article on configuring GDPR settings.

Compliance page in Company settings with close up on 'Setup GDPR' button.

If you have any country-specific data compliance configurations enabled at the time that you set up GDPR, those configurations will be automatically disabled once GDPR is enabled.
