Understanding the difference between Data compliance and GDPR settings

Available for
Roles: Super Admin, Admin
Permissions: Manage compliance settings
Packages: Lever Basic, LeverTRM, LeverTRM for Enterprise

 

This article depicts and describes Lever's Automated Candidate Anonymization and Hired Candidate Anonymization enhancements included in the Fall 2024 Product Release, scheduled to roll out progressively in October and November 2024. For release information, refer to our Fall 2024 Product Release Notes.

In Lever, there are two different data privacy settings: (1) Data compliance and (2) GDPR. These settings are mutually exclusive, meaning you can only have one enabled at any given time. The settings that you should configure will depend on how your talent acquisition team manages the collection, retention, and anonymization of personally identifiable candidate information. This article describes the differences between the two settings, so you can choose the one that best suits your organization, and provides instructions on how to enable each option.

To learn more about the different data privacy settings, refer to the following help articles:

Refer to the table below for a breakdown of how personally identifiable candidate information is collected, retained, and anonymized when either 'Data compliance by location' or 'GDPR' settings are enabled.

| | GDPR | Data Compliance by Location (Fall 2023 Release) | Data Compliance by Location (Before Fall 2023 Release) |
| --- | --- | --- | --- |
| Can be enabled and configured by... | Super Admin, Admin | Super Admin, Admin | Super Admin, Admin |
| Location is determined by... | The candidate's IP address. | The location of the posting associated with the candidate's opportunity. | The location of the posting associated with the candidate's opportunity. |
| Lawful basis is determined by... | A singular policy set at an account level. | Purpose level: storage and marketing are separated so that candidates can provide individual responses based on your company's configuration. | A policy level (country-by-country). |
| Lawful basis: Legitimate interest | | | |
| Candidate data is retained based on... | The jurisdiction and retention period configured in GDPR settings. | Country-specific retention period* | Country-specific retention period* |
| Anonymization reminders are sent based on... | The jurisdiction and retention period configured in GDPR settings. | Country-specific retention period* | Country-specific retention period* |
| Consent links are sent based on... | The jurisdiction and retention period configured in GDPR settings. | Country-specific retention period* | Country-specific retention period* |
| The Privacy Policy notice is... | Included at the bottom of the application. | Included at the bottom of the application. | Included at the bottom of the application. |
| The consent statement is... | Not customizable. | Customizable for storage purposes only. | Not customizable. |

Lawful basis: Candidate/Explicit Consent 

With the 2023 Fall update, ‘Candidate Consent’ will be called ‘Explicit Consent.’ This aligns with the legal terminology that is commonly used and is more reflective of what is being asked of the candidate.

| | GDPR | Data Compliance by Location (Fall 2023 Release) | Data Compliance by Location (Before Fall 2023 Release) |
| --- | --- | --- | --- |
| Candidate consent is captured based on... | The jurisdiction and retention period configured in GDPR settings. | Country-specific retention period* | Country-specific retention period* |
| Consent refresh reminders are sent based on... | The jurisdiction and retention period configured in GDPR settings. For more detail, see our help article on collecting candidate consent for data retention. | Country-specific retention period* For more detail, see our help article on collecting candidate consent for data retention. | Country-specific retention period* For more detail, see our help article on collecting candidate consent for data retention. |
| Application page reflects... | The jurisdiction and retention period configured in GDPR settings. | Country-specific retention period* | Country-specific retention period* |
| For candidates with multiple opportunities in different locations... | Consent is extended based on the retention period configured in GDPR settings. | Consent is extended based on the shortest retention period configured for all applicable countries. | Consent is extended based on the shortest retention period configured for all applicable countries. |
| Providing consent for storage | Candidates do not have the opportunity to consent to storage. The only way to revoke storage consent is to be sent an email through the Lever system (consent link) and update their preferences in the data-requests tab (submit a request for removal). | If Explicit Consent is enabled for storage, the associated checkbox will be required to submit the application. This is because the basis behind using Explicit Consent is that in order to legally store and process the candidate’s data, you must obtain their clear, explicit consent first. The consent checkbox is required. | Candidates are prompted to provide or revoke consent for marketing and storage collectively. Both their marketing and storage consents are updated and kept in sync. The two types of consent are differentiated in the text that prompts the candidate to provide consent, but the consent types cannot be updated separately. The consent checkbox is optional. |
| Providing consent for marketing | Candidates can provide consent for marketing. The consent checkbox is optional. | If Explicit Consent is enabled for marketing, the associated checkbox will be optional. | |
| The Privacy Policy notice is... | Included at the bottom of the application. | Included at the bottom of the application. | Included at the bottom of the application. |
| The consent statement is... | Not customizable. | Customizable for storage AND for future job opportunity (marketing) purposes. | Not customizable. |
Behavior of Retention Period & Anonymization

| | GDPR | Data Compliance by Location (Fall 2023 Release) | Data Compliance by Location (Before Fall 2023 Release) |
| --- | --- | --- | --- |
| Candidate anonymization can be completed... | Via a candidate's profile or pipeline bulk action by any user with access to the corresponding profile(s). The pipeline can be filtered for opportunities in need of anonymization based on consent status and the amount of time until anonymization is required. See our help article on candidate anonymization for more detail. | Via a candidate's profile by any user with access to the corresponding profile(s). The pipeline can be filtered for opportunities in need of anonymization based on consent status and the amount of time until anonymization is required. By Super Admins and Admins via the 'Candidate Data' tab on the Data compliance setting page. Automatically, by configuring auto-anonymization under the appropriate policy on the Data compliance settings page. See our help article on candidate anonymization for more detail. | Via a candidate's profile by any user with access to the corresponding profile(s). The pipeline cannot be filtered for opportunities in need of anonymization based on consent status and the amount of time until anonymization is required. By Super Admins and Admins via the 'Candidate Data' tab on the Data compliance setting page. See our help article on candidate anonymization for more detail. |
| When a candidate's opportunity is anonymized... | All personally identifiable candidate data fields will be anonymized on the frontend and backend of the system. | All personally identifiable candidate data fields will be anonymized on the frontend of the system. Only those fields selected for anonymization as per the country-specific configuration will be anonymized on the backend of the system. | All personally identifiable candidate data fields will be anonymized on the frontend of the system. Only those fields selected for anonymization as per the country-specific configuration will be anonymized on the backend of the system. |
| Number of retention periods permitted | One for Legitimate interest, two for Candidate Consent. | One retention period PER country regardless of the lawful basis. Anonymization is based on the opportunity’s storage status. | One retention period PER country regardless of the lawful basis. |
| Retention period for Legitimate Interest | Starts once the opportunity is archived, meaning the opportunity will need to be anonymized X time period from when they were archived. | Starts once the opportunity is archived, meaning the opportunity will need to be anonymized X time period from when they were archived. | Starts once the opportunity is archived, meaning the opportunity will need to be anonymized X time period from when they were archived. |
| Retention period for Candidate Consent / Explicit Consent | Starts when the candidate enters the system. This means it is possible for a candidate's consent to expire before their opportunity is archived. If a candidate still has an active opportunity and their consent expires, they need to be anonymized until they are archived. The Candidate Consent setting also enables you to set an additional retention period. This retention period is added on to the candidate’s original consent period if they have provided consent and it has not expired yet. Otherwise, the additional retention period functions the same as the Legitimate Interest retention period and begins upon archival. | Starts once the opportunity is archived, meaning the opportunity will need to be anonymized X time period from when they were archived. | Starts once the opportunity is archived, meaning the opportunity will need to be anonymized X time period from when they were archived. |

Updating Retention Period
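| | GDPR | Data Compliance by Location (Fall 2023 Release) | Data Compliance by Location (Before Fall 2023 Release) |
| --- | --- | --- | --- |
| Updating a retention period… | CAN have a retroactive effect. | CAN have a retroactive effect. | DOES have a retroactive effect. |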
The storage consent retention period…

If the store retention period is modified after candidates have already entered the Lever system, those candidates ARE affected.

i.e., if the storage time was set to 2 years and later gets extended to 3 years, candidates will be stored according to the updated policy of 3 years.

If the consent retention period is modified after candidates have already consented, those candidates ARE NOT affected. Historical candidates added before the Fall 2023 update ARE affected.

 

i.e., if a candidate consented to be contacted for 2 years and the company later changes their policy to 3 years, the candidate's consent will still expire after 2 years.


If a candidate applied under a Legitimate Interest policy, their retention period will match the current retention period for that policy. Those candidates ARE affected.

If the consent retention period is modified after candidates have already consented, those candidates ARE affected. This affects both marketing and store consent because the two are treated as the same under the compliance policy system.

i.e., if a candidate consented for 2 years and the company later changes their retention policy to 3 years, the candidate’s consent will be updated to expire according to the new 3 year policy. 

It is possible for a candidate’s data to be retained for longer than they had consented to, and for the candidate to be contacted past the period that they consented to.

The marketing consent retention period…

If the marketing consent retention period is modified after candidates have already consented, those candidates are NOT affected.

i.e., if a candidate consented to be contacted for 2 years and the company later changes their policy to 3 years, the candidate's consent will still expire after 2 years.

 

* Provided the candidate's opportunity is linked to a posting with a location for which a compliance policy applies

Important note regarding the December 2022 product update

In December 2022, a product update removed the ability for Lever environments to have both 'Data compliance' and 'GDPR' settings enabled at the same time. Following the release of this update, a Lever environment can only have either the 'Data compliance' setting enabled or the 'GDPR' setting enabled, but not both. If you had both 'Data compliance' and 'GDPR' enabled prior to December 2022, the 'Data compliance' setting will have been disabled with the release of the product update and your Lever environment will have reverted to solely relying upon your GDPR configuration to manage data collection, retention, and anonymization. Any country-specific data retention periods that you configured in your 'Data compliance' setting prior to December 2022 will have been saved. To restore your country-specific data retention periods, re-enable the 'Data compliance' setting (instructions below).
