Configuring data compliance settings

Follow
Available for Roles Super Admin, Admin
Permissions • (To configure settings) View and edit compliance settings
• (To anonymize) Anonymize candidates
Packages Lever Basic, LeverTRM, LeverTRM for Enterprise

 

This article depicts and describes Lever's Custom Compliance Verbiage enhancement scheduled to rollout progressively in September 2024. For release information, refer to our Summer 2024 Product Release page.

Hiring talent from across the world requires compliance with a global range of data handling regulations. Lever provides flexibility when it comes to data retention and anonymization policies by allowing you to configure if and how candidate data is anonymized based on the location of the jobs for which they apply as well as the aspects of your compliance settings that apply to all candidates regardless of location.


Configuring data compliance settings by location

Data handling regulations can vary by country. Retaining a candidate's data in your system for longer than is allowed by local regulations could result in a breach of compliance. The data retention periods that you define in your Lever environment along with the categories of information that you retain post-anonymization should comply with the regulations in the different countries in which you are hiring. To configure local data compliance settings for your Lever environment:

  • Navigate to Settings > Data compliance
  • On the 'Data Compliance' page, you will see the list of countries defined in your company settings.
    • To make changes to the countries for which you can configure data compliance policies, navigate to Settings > Company > Locations.
  • To enable a custom data compliance policy for a specific country, move the toggle next to the listed country name to the 'on' position.
    • For multi-location postings, data compliance will follow the policy of the country of the posting's primary location. Refer to our help article on creating and managing multi-location postings for how to set primary and secondary locations.

Data Compliance page in Lever Settings

  • Confirm the lawful basis under which data is stored for inactive candidates - Legitimate interest or Explicit Consent.
    • If lawful basis is set to 'Legitimate interest,' candidates do not need to consent to the storage of their data in your system and the Privacy Policy notice will appear on the bottom of the application. The decision to store inactive candidate data on the basis of legitimate interest is typically a decision made by an organization's legal team.
    • If lawful basis is set to 'Explicit consent,' candidates will be prompted to provide explicit consent to the storage of their data in your system in order to submit their application .

Lever data compliance settings showing Canada settings with arrow pointing to Storage section.

 

If the lawful basis for a country's data compliance policy is changed from 'Legitimate interest' to 'Explicit consent,' any candidates associated with postings based in that country that were brought into Lever when the country's lawful basis was 'Legitimate interest' will be marked as not having provided consent. You will need to contact these candidates directly in order to collect their consent. Refer to our help article on collecting candidate consent for data retention to learn more.
  • Confirm the lawful basis under which data usage is handled for contacting candidates about future job opportunities - Legitimate interest or Explicit Consent.
    • If lawful basis is set to 'Legitimate interest,' candidates do not need to consent to the usage or their data in your system for future opportunities; there will be no additional question on the application regarding future job opportunities. 
    • If lawful basis is set to 'Explicit consent,' the applicant will have the option to either provide or revoke consent for contact about future job opportunities once archived.

Lever data compliance settings showing Canada settings with arrow pointing to Future job opportunities outreach section

  • In the Retention period section, you can define the data retention period for that specific country in years and/or months. Owners of opportunities associated with postings in that country will receive a reminder one month before the expiration period defined in this field prompting them to take one of the following actions:
    • If lawful basis is set to 'Legitimate interest' the opportunity owner will be prompted to anonymize the candidate's data.
    • If lawful basis is set to 'Explicit consent,' the opportunity owner will be prompted to refresh the candidate's consent.

Lever data compliance settings showing Retention period in Canada settings with arrow pointing to years and months fields.

  • If you would like to customize your compliance statement for data storage or marketing purposes for the selected country: 
    • Next to the job application preview, click edit consent statement.
    • For storage purposes, the statement can be customized for either legal basis.
    • For future job opportunities or marketing outreach, the statement can only be customized if the legal basis is 'Explicit consent.'

Lever data compliance settings showing where to edit localized consent statements.

  • The following customization options are available:
    • Placeholders for company name, retention period, and privacy policy.
    • Embedded links.
  • You can reset to the default statement at any time by clicking reset to default.

Custom consent statement editor with customization settings.

  • Once the statements are customized, click Save changes

 

Remember to save your location policy to maintain these changes. If your compliance statements are saved but the location policy for that location is not, then your updates will not be saved.  
  • Next, specify the candidate data fields to anonymize for candidates associated with postings in the selected country. When anonymizing the profiles of candidate's associated with postings in this country, only the data fields you have selected at this step will be anonymize.

Lever data compliance settings showing Anonymization settings with parameters selected.

  • Click the Save Changes button to lock in the data compliance settings for that country.

To make changes to a country's data compliance settings, click the gear icon (⚙) to the right of the country name. You can use the search bar and filter at the top of the 'Data Compliance' page to easily locate countries.

 

Localized data compliance settings are based off the location of the posting to which a candidate applies, not the candidate's physical location. For example, if a candidate applies to a posting based in Belgium, but the candidate applies from an IP address in Germany, the candidate's data would be retained and anonymized in accord with the configuration set for Belgium in your data compliance settings.

Configuring global data compliance settings

To configure global data compliance settings:

  • Navigate to Settings > Data compliance
  • Select the 'Global Settings' tab
  • From the global settings page, you can configure the following settings:
    • Retention - Input a link to your organization's privacy policy. In countries in which you have configured lawful basis as 'Explicit consent,' the privacy policy will be linked on application forms beneath the checkbox that applicants must select to opt-in to being contacted about future jobs. You can view a preview of how this checkbox will appear on your organization's application forms beneath the privacy policy field.

Retention configuration section of global data compliance settings page

    • Anonymization - Select how you would like Lever to handle candidate emails once they have been anonymized. Selecting the option to not store a candidate's email address as a hashed value will result in complete and permanent deletion of candidates' email addresses when they are anonymized. Storing a candidate's email as a hashed value keeps the candidate's email on file in an unreadable format, and will only ever resurface if a new opportunity is created with the same email address in association with a candidate that previously requested the deletion of their data. For a more detailed breakdown, refer to our help article on anonymizing opportunities.

Anonymization section of global data compliance settings page with radio buttons to configure whether or not hashed values of anonymized candidate email addresses are stored.

    • Cookies - Cookie acceptance banners are pop-up notifications that appear on a user's first visit to a web page. The configuration of your job site cookie banner determines how much control visitors to your job site have over cookies placed on their device. To enable and configure the cookie banner for your Lever job site:
      • Move the 'Enable cookie banner' toggle to the on (blue) position

Cookie banner configuration tile

      • Select the type of cookie banner that you wish to appear on your job site
        • Opt-in: this type of of banner will asks visitors to your job site to accept or deny the deployment of non-essential cookies; visitors must accept or deny cookies in order to dismiss the banner

Opt in cookie banner

        • Informational: this type of banner discloses to visitors of your job site that the job site will deploy cookies when they use the site; the banner also contains an option to dismiss

Informational cookie banner

      • On the cookie banner configuration tile, you have the option to add a link to your organization's cookie policy, which will be hyperlinked in the banner; if you wish to do so, select the checkbox and input into the field
        • It is not required that you add a link, however it is best practice to include one so that visitors to your job site have an accurate and specific reference as to the data your organization is tracking.
        • The URL for your organization's cookie policy must in in the format: htts://sitename.com
  • Click the Save Changes button

Anonymizing candidate data (via 'Data compliance' settings)

From the Settings > Data compliance page, you can also anonymize candidate data for candidates whose consent or interest has expired. To anonymize candidate data from the data compliance settings page:

  • Click the 'Candidate data' tab on the Data compliance page
  • On the 'Candidate data' tab, you will see a list of candidates whose consent or interest has expired relative to the data retention periods you have set at the country level.
    • Each row in the list represents an individual opportunity. You may see the same candidate appear multiple times in the list if they have multiple opportunities in need of anonymization. Each of a candidate's opportunities will need to be anonymized in order for the candidate to be considered fully anonymized.

Candidate data page in Data compliance settings showing list of candidate opportunities in need of anonymization.

  • To anonymize an individual candidate, click Anonymize to the right of their name in the list. In the modal that appears, click the Anonymize candidate data button to complete the action. The candidate's information will be anonymized in accord with the field anonymization settings for the country of the posting associated with their opportunity (see above).

Anonymization confirmation modal with Anonymize candidate data button.

  • To anonymize candidates in bulk, select the checkboxes next to the names of the candidates you wish to anonymize and click the Anonymize candidates button that appears at the top of the list. Click the Anonymize candidate data button to complete the action.

Multiple opportunities selected in candidate data list; anonymize candidates button appears above list.

You can filter the list by country and time range to prioritize different cohorts of candidates for anonymization.

How data compliance works with GDPR settings

As an alternative to the data privacy settings configurable via the Settings > Data compliance page, Lever also supports the ability to manage data privacy by way of a globally-applied GDPR policy (enabled via Settings > Company > Compliance). This option allows you to configure a single data retention period for all candidates within one of the following jurisdictions:

  • Only candidates and jobs location in the EU
  • Candidates and jobs located in the EU and unknown locations
  • All candidates (regardless of their current location)

Unlike the data compliance settings, GDPR settings determine location based on the IP address of the candidate (not the location of the job posting to which their opportunity is associated). The 'Data compliance' and 'GDPR' settings are exclusive to one another, meaning you can only have one enabled in your Lever environment at any given time. If you have GDPR enabled in your Lever environment, you will be required to disable it before you can configure data compliance settings as described above. To learn more, refer to our help article on the difference between Data compliance and GDPR settings.

Was this article helpful?
0 out of 0 found this helpful