Available for | Roles | Super Admin, Admin |
| Permissions | Manage compliance settings |
| Packages | Lever Basic, LeverTRM, LeverTRM for Enterprise |
In Lever, there are two different data privacy settings: (1) Data compliance and (2) GDPR. These settings are mutually exclusive, meaning you can only have one enabled at any given time. The settings that you should configure will depend on how your talent acquisition team manages the collection, retention, and anonymization of personally identifiable candidate information. This article describes the differences between the two settings, so you can choose the one that best suits your organization, and provides instructions on how to enable each option.
To learn more about the different data privacy settings, refer to the following help articles:
- Configuring data compliance settings by country
- Configuring General Data Protection Regulation (GDPR) settings
Differences in data management for Data compliance and GDPR
Refer to the table below for a breakdown of how personally identifiable candidate information is collected, retained, and anonymized when either 'Data compliance' or 'GDPR' settings are enabled.
| Data compliance | GDPR |
Can be enabled and configured by... | Super Admin, Admin | Super Admin |
Location is determined by... | The location of the posting associated with the candidate's opportunity | The candidate's IP address |
Lawful basis: Candidate consent | | |
Candidate consent is captured based on... | Country-specific retention period* | The jurisdiction and retention period configured in GDPR settings |
Consent refresh reminders are sent based on... | Country-specific retention period* (for more detail, see our help article on collecting candidate consent for data retention) | The jurisdiction and retention period configured in GDPR settings (for more detail, see our help article on collecting candidate consent for data retention) |
Application page reflects... | Country-specific retention period* | The jurisdiction and retention period configured in GDPR settings |
For candidates with multiple opportunities in different locations... | Consent is extended based on the shortest retention period configured for all applicable countries | Consent is extended based on the retention period configured in GDPR settings |
Lawful basis: Legitimate interest | | |
Candidate data is retained based on... | Country-specific retention period* | The jurisdiction and retention period configured in GDPR settings |
Anonymization reminders are sent based on... | Country-specific retention period* | The jurisdiction and retention period configured in GDPR settings |
Unsubscribe links are sent based on... | Country-specific retention period* | The jurisdiction and retention period configured in GDPR settings |
Anonymization | | |
Candidate anonymization can be completed... | Via a candidate's profile by any user with access to the corresponding profile(s). The pipeline cannot be filtered for opportunities in need of anonymization based on consent status and the amount of time until anonymization is required. | Via a candidate's profile or pipeline bulk action by any user with access to the corresponding profile(s). The pipeline can be filtered for opportunities in need of anonymization based on consent status and the amount of time until anonymization is required. See our help article on candidate anonymization for more detail. |
When a candidate's opportunity is anonymized... | All personally identifiable candidate data fields will be anonymized on the frontend of the system | All personally identifiable candidate data fields will be anonymized on the frontend and backend of the system |
* Provided the candidate's opportunity is linked to a posting with a location for which a compliance policy applies
Enabling Data compliance and GDPR
Important note regarding the December 2022 product update
In December 2022, a product update removed the ability for Lever environments to have both 'Data compliance' and 'GDPR' settings enabled at the same time. Following the release of this update, a Lever environment can only have either the 'Data compliance' setting enabled or the 'GDPR' setting enabled, but not both. If you had both 'Data compliance' and 'GDPR' enabled prior to December 2022, the 'Data compliance' setting will have been disabled with the release of the product update and your Lever environment will have reverted to solely relying upon your GDPR configuration to manage data collection, retention, and anonymization. Any country-specific data retention periods that you configured in your 'Data compliance' setting prior to December 2022 will have been saved. To restore your country-specific data retention periods, simply re-enable the 'Data compliance' setting (instructions below).
Enabling Data compliance
To enable the 'Data compliance' setting:
- Navigate to Settings > Data compliance
- To configure data retention and field anonymization for a country, move the toggle next to that country's name to the 'on' position. For more details, refer to our help article on configuring localized data compliance settings.
If you have GDPR enabled in your Lever environment, the data compliance toggles on this settings page will be greyed out and inaccessible. In order to enable country-specific data compliance settings, you must first disable GDPR. To disable GDPR:
- Navigate to Settings > Company > Compliance
- Click Edit configuration on the GDPR policy summary tile
- In the GDPR policy editor, click the ellipsis (⋯) button and select Disable GDPR
- In the popover, type the word "Disable" in the text field and click the Disable GDPR button
Enabling GDPR
If you had GDPR enabled prior to the December 2022 product update, it will have remained enabled following the release of the update.
To enable GDPR:
- Navigate to Settings > Company > Compliance
- Click the Setup GDPR button. This will open the GDPR policy editor, in which you can configure your GDPR policy. For more details on GDPR setup, refer to our help article on configuring GDPR settings.
If you have any country-specific data compliance configurations enabled at the time that you set up GDPR, those configurations will be automatically disabled once GDPR is enabled.