How do I configure Lever for GDPR compliance?

Please note: The following features will be rolled out gradually before May 25th to all accounts.

Please note: This article describes how to configure GDPR settings in Lever to support your company’s compliance needs. For help determining which configuration settings are best for your business, it is best to consult legal counsel.

Lever is committed to providing flexible tools to allow our customers to configure our GDPR features to best meet their compliance needs. If the GDPR does not apply to you, then no need to set anything up! This article shows how to configure Lever to support GDPR compliance by:

  • Collecting upfront consent from candidates when they apply & providing notice
  • Setting how long you want to keep candidate data
  • Surfacing consent status on the candidate profile

Before May 25th, we’ll release additional features to support:

  • Bulk refreshing consent before candidates expire
  • Bulk anonymizing candidates based on consent expiration
  • Candidate’s request to delete the information
  • Candidate’s request to not be contacted
  • Candidate’s request to view their information
  • Candidate’s request to rectify their information


All of these are configured through one single flow in Lever. To set up your account for GDPR compliance, start by navigating to the Company Settings page:

Click on the ‘Compliance’ tab to be brought to the General Data Protection Regulation section. From there, click ‘Setup GDPR’ to begin the process.

1. Who is protected?


First, you’ll need to specify which candidates to apply GDPR protections to. Your three options are:

- Only candidates located in the EU
- Candidates located in the EU and unknown locations
- All candidates (regardless of their current location)

For GDPR purposes, Lever uses IP address geo-locating to determine where candidates are when they submit their application. This information is then used to determine if they are in the EU, and apply your settings accordingly. Candidates that do not apply through a job posting (i.e. are sourced, referred, or manually added) likely will not have a location set on their profile. For these candidates, anyone with access to the profile will be able to set this value on the candidate profile itself.

Tip: If no location is detected, they’ll fall into the “Unknown locations” category. You may want to reach out to these candidates to explicitly get consent to process their data.

Once you’ve set who the GDPR protections apply to, you’re ready to define what those protections actually are.

2. How do I collect consent, and how long does it last for?


This setting determines how long the consent you gather from candidates lasts for. This time starts the moment the candidate provides consent, and ends when your set timeframe expires. The text to the right of the consent checkbox on the posting’s application page will display the timeframe:


If a candidate applies when you have Lever set to store consent for a specific timeframe, changing your settings will not impact the retention time for that candidate. Any settings changes will not retroactively update candidates who have already given their consent.

Please note: Once a candidate’s consent has expired, Lever will allow you to quickly identify those candidates, and either delete them or refresh their consent by reaching out. These features will be released later.

3. How do I add a privacy policy to my job postings?


Next, you’ll be prompted to add the URL for your privacy policy that will serve as notice of your processing activities. For further guidance, here’s a helpful article about Privacy policies under the GDPR.

Here’s a screenshot of what your job posting applications will look like once you’ve set your consent timeframe and privacy policy link:


4. How long do I keep candidate data after consent expires?


Finally, it’s time to set the data retention timeframe. This can be a bit confusing as it is different from the consent timeframe. Once a candidate’s consent timeframe lapses, or they are archived, the GDPR mandates that you can only keep the data if you have a valid legal or business reason.

If your organization determines that you do have a valid reason to preserve the data after the consent period has lapsed, you’ll need to determine how long you will keep the data and enter that into your GDPR configuration settings.

Under “Data retention”, simply click into the “Additional retention period” dropdown, and select one of the options. At the end of this timeframe, the candidates will be surfaced to a user for action.


Now you're all set! For more information on how the consent status displays with the candidate profile, see: How do I see a candidate’s consent status on the candidate profile?
