Configuring data retention settings by country

Follow
Available for User roles Super Admin
Packages All packages

 

The ability to configure field-specific anonymization by country referenced in this article, is part of the Fall 2022 Product Release, scheduled for progressive rollout starting in late October 2022. For more information on the Fall 2022 release, keep an eye on our Product Release Notes.

Hiring talent from across the world requires compliance with a global range of data handling regulations. Lever provides flexibility when it comes to localizing data retention periods by allowing you to configure when anonymization of candidate data should occur based on the location of the jobs for which they apply. Readers of this article will learn about:

Why data retention settings need to be localized

Data handling regulations can vary by country. Retaining a candidate's data in your system for longer than is allowed by local regulations could result in a breach of compliance. The data retention periods that you define in your Lever environment along the categories of information that you retain post-anonymization should comply with the regulations in the different countries in which you are hiring. 

Configuring data retention settings by country

 

Localized data retention settings can only be configured by users with Super Admin access.

To configure data retention settings for your Lever environment:

  • Navigate to Settings > Data compliance
  • On the 'Data Compliance' page, you will see the list of countries defined in your company settings.
    • To make changes to the countries for which you can configure data retention periods, navigate to Settings > Company > Location.

Data Compliance page in Lever Settings

  • To enable a custom data retention settings for a specific country, move the toggle next to the listed country name to the 'on' position.
  • If you have enabled GDPR in your Lever environment, you will be prompted to first confirm the lawful basis under which data for inactive candidates is handled - candidate consent or legitimate interest.
    • If lawful basis is set to 'Candidate consent,' candidates will be prompted to provide explicit consent to the storage of their data in your system.
    • If lawful basis is set to 'Legitimate interest,' candidates do not need to consent to the storage of their data in your system. The decision to store inactive candidate data on the basis of legitimate interest is typically a decision made by an organization's legal team.

Data retention configuration tile for Canada; lawful basis menu expanded.

 

Lawful basis is a global setting that is configured in the 'Compliance' section of your company settings (Company > Settings > Compliance). Changing the lawful basis on the 'Data compliance' page when defining the data retention settings for an individual country will change the lawful basis for all countries. To learn more about how lawful basis is configured at the global level, refer to our GDPR configuration help article. A more detailed description of the relationship between localized data retention settings and GDPR settings is included at the end of this article.
  • Below the lawful basis field, you can define the data retention period for that specific country in years and/or months. Owners of opportunities associated with postings in that country will receive a reminder one month before the expiration period defined in this field prompting them to take one of the following actions:
    • If lawful basis is set to 'Use candidate consent,' the opportunity owner will be prompted to refresh the candidate's consent.
    • If lawful basis is set to 'Rely on legitimate interest,' the opportunity owner will be prompted to anonymize the candidate's data.

Data retention configuration tile for Canada showing retention period fields.

  • Next, specify the candidate data fields to anonymize for candidates associated with postings in the selected country. When anonymizing the profiles of candidate's associated with postings in this country, only the data fields you have selected at this step will be anonymized.

Checklist of candidate data fields to be anonymized.

  • Click the Save Changes button to lock in the data retention settings for that country.

To make changes to a country's data retention settings, click the gear icon (⚙) to the right of the country name. You can use the search bar and filter at the top of the 'Data Compliance' page to easily locate countries.

 

Localized data retention settings are based off the location of the posting to which a candidate applies, not the candidate's physical location. For example, if a candidate applies to a posting based in Belgium, but the candidate applies from an IP address in Germany, the candidate's data would be retained and anonymized in accord with the configuration set for Belgium in your data compliance settings.

Anonymizing candidate data via the data compliance settings page

From the Data compliance section in your Settings, you can also anonymize candidate data for candidates whose consent or interest has expired. To anonymize candidate data from the data compliance settings page:

  • Click the 'Candidate Data' tab on the Data Compliance page
  • On the 'Candidate Data' tab, you will see a list of candidates whose consent or interest has expired relative to the data retention periods you have set at the country level. Data retention periods configured at the global level (via Settings > Company > Compliance) have no bearing on the candidates that appear on this list.
    • Each row in the list represents an individual opportunity. You may see the same candidate appear multiple times in the list if they have multiple opportunities in need of anonymization. Each of a candidate's opportunities will need to be anonymized in order for the candidate to be considered fully anonymized.

Candidate date page in Data compliance settings showing list of candidate opportunities in need of anonymization.

  • To anonymize an individual candidate, click Anonymize to the right of their name in the list. In the modal that appear, click the Anonymize candidate data button to complete the action. The candidate's information will be anonymized in accord with the field anonymization settings for the country of the posting associated with their opportunity (see above).

Anonymization confirmation modal with Anonymize candidate data button.

  • To anonymize candidates in bulk, select the checkboxes next to the names of the candidates you wish to anonymize and click the Anonymize candidates button that appears at the top of the list. Click the Anonymize candidate data button to complete the action.

Multiple opportunities selecting in candidate data list; anonymize candidates button appears above list.

Use the search bar at the 'Candidates data' page to easily locate specific candidates in need of anonymization. You can also filter the list by country and time range to prioritize different cohorts of candidates for anonymization.

How localized data retention periods work with GDPR settings

Lawful basis and data retention are defined at the global level under your Lever environment's GDPR settings, which can be found by navigating to Settings > Company > Compliance. The GDPR configuration provides the default data retention period for candidates in your Lever database to which you have set GDPR to apply (all candidates, candidates and jobs located in the EU, or candidates and jobs located in the EU as well as unknown locations).

Close-up of GDPR configuration field with application menu expanded.

The country-specific data retention period defined in your data compliance settings (which can be found by navigating to Settings > Data compliance) supersedes the data retention period configured in your GDPR settings for opportunities associated with postings based in that country.

Changing the lawful basis when defining the data retention period for a single country in your data compliance settings will change the lawful basis in your GDPR settings, meaning it will extend to all opportunities to which GDPR is configured to apply. For example, if you where to change the lawful basis from 'Candidate consent' to 'Candidate interest' when setting the data retention period for Canada, the lawful basis for all GDPR-applicable opportunities would become 'Candidate interest.'

Was this article helpful?
0 out of 0 found this helpful