How do I configure Lever for GDPR compliance?

Available for:
User roles: Can only be configured by Super Admins
Products: All plan types, free of charge

Please note: This article describes how to configure GDPR settings in Lever to support your company’s compliance needs. For help determining which configuration settings are best for your business, it is best to consult legal counsel.

Lever is committed to providing flexible tools to allow our customers to configure our GDPR features to best meet their compliance needs. If the GDPR does not apply to you, then no need to set anything up! This article shows how to configure Lever to support GDPR compliance by:

  • Collecting upfront consent from candidates when they apply & providing notice of processing activities
  • Setting how long you want to keep candidate data
  • Surfacing consent status on the candidate profile
  • Choosing to rely on legitimate interest instead of consent

Once set up, you'll be collecting consent from candidates, and will be able to:

Configuration

All of these are configured through one tab in Lever. To set up your account for GDPR compliance, start by navigating to the Company Settings page:

GDPR_Project_1.png

Click on the "Compliance" tab to be brought to the General Data Protection Regulation section. From there, click "Setup GDPR" to begin the process.

1. Who is protected?

First, you’ll need to specify which candidates to apply GDPR protections to. Your three options are:

- Only candidates located in the EU
- Candidates located in the EU and unknown locations
- All candidates (regardless of their current location)

For GDPR purposes, Lever uses IP address geo-locating to determine where candidates are when they submit their application. This information is then used to determine if they are in the EU, and apply your settings accordingly. Candidates that do not apply through a job posting (i.e. are sourced, referred, or manually added) likely will not have a location set on their profile, and anyone with access to the profile will be able to set this value on the candidate profile itself.

Tip: If no location is detected, they’ll fall into the “Unknown locations” category. You may want to reach out to these candidates to explicitly get consent to process their data.

Once you’ve set who the GDPR protections apply to, you’re ready to define what those protections actually are.

2. How do I set my lawful basis to process candidate data?

The GDPR requires that companies have a 'lawful basis' to process an individual's data. Within the context of Lever, that could be either explicit consent, or legitimate interest. Once your organization has determined which lawful basis you'll rely on, all you need to do is select the appropriate option:

Screen_Shot_2018-04-24_at_2.07.31_PM.png

Depending on your selection, navigate to the correct section below to complete setup.

Legitimate interest

Your legal team may have decided to rely on legitimate interest instead of consent. If that's the case, you'll want to select "Rely on legitimate interest" under "Lawful basis":

Screen_Shot_2018-04-24_at_2.11.29_PM.png

Once that's done, you'll need to determine how long your 'legitimate interest' lasts for. This represents the amount of time after a candidate becomes inactive. Once legitimate interest for a candidate expires, you'll be prompted to anonymize or delete their data.

After you set the expiration period, the last step is to add the link to your privacy policy. The link will appear on your postings just above the "Submit Application" button. For further guidance, here’s a helpful article about Privacy policies under the GDPR.

Please note: Make sure to include the https:// before your link!

Please note: This privacy policy will also be added as a link on the 'consent link' page candidates are brought to. More here 

Now you're all set! If relying on legitimate interest, you do not need to complete the remaining steps.

Collecting consent

This setting determines how long the consent you gather from candidates lasts for:

Screen_Shot_2018-03-21_at_5.10.05_PM.png

This time starts the moment the candidate provides consent, and ends when your set timeframe expires. The text to the right of the consent checkbox on the posting’s application page will display the timeframe:

Screen_Shot_2018-03-21_at_5.10.40_PM.png

If a candidate applies when you have Lever set to store consent for a specific timeframe, changing your settings will not impact the retention time for that candidate. Any settings changes will not retroactively update candidates who have already given their consent.

Please note: If you use Lever's Postings API to power a custom jobs site, you can submit candidate consent using the 'consent' and 'ip' fields. See our Postings API documentation for more information.  

Adding a privacy policy when collecting consent:

Next, you’ll be prompted to add the URL for your privacy policy that will serve as notice of your processing activities. It will appear directly under the checkbox asking for consent. For further guidance, here’s a helpful article about Privacy policies under the GDPR.


Please note: This privacy policy will also be added as a link on the 'consent link' page candidates are brought to. More here

Here’s a screenshot of what your job posting applications will look like once you’ve set your consent timeframe and privacy policy link:

GDPR_Project_1.3.png

Keeping data after consent expires:

If you are collecting consent, it’s time to set the data retention timeframe. This can be a bit confusing as it is different from the consent timeframe. Once a candidate’s consent timeframe lapses, or they are archived, the GDPR mandates that you can only keep the data if you have a valid legal or business reason.

If your organization determines that you do have a valid reason to preserve the data after the consent period has lapsed, you’ll need to determine how long you will keep the data and enter that into your GDPR configuration settings.

Under “Data retention”, simply click into the “Additional retention period” dropdown, and select one of the options. At the end of this timeframe, the candidates will be surfaced to a user for action.

Cookie notice

Lever will show a notice of cookies if GDPR compliance is turned on. This will also link to the privacy policy added above. This will only be visible to candidates who are detected as being protected by GDPR when they apply (based on your settings). This notice will appear at the bottom of the screen:

Screen_Shot_2018-05-18_at_1.22.12_PM.png

Now you're all set! For more information on how the consent status displays on the candidate profile, see: How do I see a candidate’s consent status on the candidate profile?
