Skip to Content
Technical Articles
Author's profile photo Antonio Pellegrino

DPCS 2.0: SAP SuccessFactors Recruiting

Overview

Today’s increasingly regulated world requires companies to balance legal and business aspects against Data Privacy requirements to purge data when it’s no longer needed for a business purpose. This requirement is becoming even more important now with General Data Protection Regulation (GDPR) imposing new rules in the market.
It is interesting to see how these requirements can be met within the SAP SuccessFactors Recruiting solution, starting with the definition of DPCS-Data Privacy Consent Statement:

The Data Privacy Consent Statement allows customers to present a candidate with a notification detailing how the customer handles the candidate’s personal data. Candidates must accept this statement before entering their data.

There are still two versions of the Data Privacy Consent Statement configuration:

  • DPCS 1.0 allows the customer to provide data privacy prompt for internal and external candidates in the candidate’s preferred language.
  • DPCS 2.0 allows the customer to provide country-specific data privacy prompt for internal and external candidates, in the candidate’s preferred language.

Below is an integrated and full guide (including pre-requisites and implementation steps) on how to:

  1. Enable and configure DPCS 2.0;
  2. Enable and configure Anonymization;
  3. Configure DRTM for Recruiting.

 

1. Enable and configure DPCS 2.0

Permissions required

Navigate to Admin Center → Set User Permissions → Manage Permission Roles → [Role Name] → Permissions → Manage System Properties → enable “Data Privacy Consent Statement Settings” and “Manage Data Privacy Configurations”.

 

Set up steps

    1. Provisioning → Company Info → Enable “Data Privacy Consent Statement 2.0”
    2. Provisioning → Edit Candidate Privacy Options → Use DPCS Version DPCS 2.0
      Note: If DPCS 1.0 is enabled, you will need to Disable all boxes for DPCS 1.0, Save Settings, Change from DPCS 1.0 to DPCS 2.0, Enable boxes again, Save Settings.
    3. Admin Center → Data Privacy Statement → Create New Statement

Notes:

  • DPCS can be linked to specific countries.
  • One country can have only one DPCS statement for a type.
  • The “Set this as system default statement” checkbox can be set to assign a default DPCS statement.
  • If the DPCS is not configured for a country, then the default DPCS statement is shown to the candidates who belong to that country.
  • If a user does not have country data in the employee data file, they will see the default statement.

 

 

Internal and External DPCS

Once created, the DPCS is triggered every first time an employee creates a candidate profile or applies to a job posting.
If declined, the candidate profile is removed, applications are anonymized, and candidates are sent to a new candidate status.

 

Log-in DPCS

DPCS can also be configured to be triggered by logging in to the SAP SuccessFactors instance.
If accepted by the candidate, they are allowed to proceed with the expected action.
In this case, if the candidate declines the statement, log-in is denied.

Note: In both scenarios (Internal/External and Log-in), if further edits are made to the statement, all applicants need to agree to the new policies.

 

Country Specific Consent Options

Occasionally candidates are added to Recruiting Management without creating their own accounts and without seeing the configured statement. This issue happens when an employee refers, or an agency submits, a new candidate as well as when the add candidate functionality is used.

To manage candidate access: Admin Center→ Manage Recruiting → Country Specific Consent Settings, and then complete the information for selected countries.

Note: Users need to have the following permission to be able to work with Country Specific Consent Settings: Admin Center → Manage Permission Role → [Select Role] → Permissions → Administrator Permissions → Manage Recruiting → enable “Country Specific Consent Settings”.

 

2. Enable and configure Anonymization

According to regulations in EMEA candidates/applicants may require from the Recruiters not to store their data under specific circumstances.
The Anonymization is an act of editing the database to change the unique data to no longer unique, allowing statistical reporting to remain intact while honouring the candidate’s privacy.

The Anonymization is triggered in the following scenarios:

  • When a Candidate declines or revokes the DPCS or deletes his profile (with DPCS 2.0 in use);
  • DRM: Candidate / Applicant purge routine will anonymize the data for values set up in Admin Tools → Data Retention Management (treated later in this blog);
  • Admin action: “Delete Candidate” from Admin Tools.

There are some fields restricted from anonymization, according to the different templates where they are located (Candidate Profile, Application Template or Offer detail template).
The whole list of available fields is available in KBA #2103393.

In order to prepare the instance for anonymization, the following actions are needed:

    1. Prepare a list of fields to be anonymized;
    2. Edit the field in the relative XML template changing the value from anonymize=”false” to anonymize=”true”;Note: this action must be performed for each relevant template (Candidate Profile, Application Template or Offer detail);
    3. Set up a scheduled job in Provisioning with the job type “RCM Entity Anonymization Job”.
      Note: It is recommended that the scheduled job runs hourly.

In any case, after a candidate has been flagged for anonymization, the candidate will not return in search results and related applications can no longer be actioned.
Outstanding Interview and Offer To-Dos are marked completed and Agencies won’t see the candidate available for submission.
Upon his/her return, the candidate will be treated as a brand new candidate.

 

3. Configure DRTM for Recruiting

Data should not be stored any longer than is required, especially in case local/regional legislations require purging of user data from the system after a certain length of time for data protection and privacy.
The Data Retention Management (DRM) feature set allows users to configure the purge of candidate data from the system on a recurring schedule and based on configurable country-specific retention times via Data Retention Time Management (DRTM) feature set.

The recruiting-specific purge types and their associated objects are as follows:

  • DRTM Inactive Application Purge
  • DRTM Inactive Candidate Purge

Note: These data purge types are applicable to external candidates only.
Internal candidates’ profiles and applications will be picked up either by the master data purge or by one of the employee-related purges as part of the Employee Profile or Employee Central data retention process.

 

DRTM Inactive Application Purge

  • Anonymizes all data related to inactive applications
  • Retention start time is based on the selection in Admin Center → Manage Recruiting Settings → DRM 2.0 settings
    The following options are available:

        • Application’s Last Modified date
        • The application’s disposition date
        • Requisition’s closure date

 

DRTM Inactive Candidate Purge

  • Anonymizes all data related to inactive applications
  • Retention start time is based on the Candidate last login date

 

Permissions and prerequisits required

  • Admin Center → Manage Permission Role → Administrator Permission → Metadata Framework → Manage Data.
    Note: This gives user the ability to access the manage data screens which is used to manage MDF objects in general, not just for data retention time management.
  • Admin → Manage Permission Role → User Permission → Data Retention Management and select DRTM Candidate Profile and all fields except Field level override field. Do the same for DRTM Job Application.
    Note: these two permission set grants user the ability to set up countries to use data retention time management and then configure data retention times for different countries for the recruiting objects.
  • Admin Center → Upgrade Center → Optional Upgrades → DRTM Recruiting.

 

Set up steps

  1. Configure the anonymize attribute in the XML and schedule the job in Provisioning (described in Point 2 of this article – “Enable and configure Anonymization”);
  2. Check and configure permissions and prerequisites;
  3. Flag countries for use in DRTM:
      • Admin Center → Manage Data → Country → [select country] → Take Action → Make Correction.
      • Set the data retention enabled flag to yes and save.
      • Repeat this process and enable the data retention flag for every country you recruit in.
        Note: this step can be performed also through an import.
  4. Set up the Country Specific Retention Period
      • Candidate Profile: Admin Center → Manage Data → DRTM Candidate Profile → Candidate  → Take Action → Make Correction.
        Note: Since this is the candidate profile and it is possible that a candidate may have one without ever logging in to see the Consent Statement due to being manually added via referral, agency, or manual add, there is the option to configure the period of non-acceptance of DPCS here. This means the profile will be picked up for anonymization if the DPCS has not been accepted in this time frame.

      • Application: Admin Center → Manage Data → DRTM Job Application → Application → Take Action → Make Correction.

 

Create and Approve a request

Purging data in the SAP SuccessFactors HCM Suite is irreversible, and as such is built to be a multi-step process requiring a request and approval. This ensures oversight before records are permanently and irretrievably removed from the system:

  1. Create the request
    Admin Center → Data Retention Management → Create New Purge Request. Select the purge request type, name it, select the countries this purge schedule should cover, and add approvers.The request can be launched immediately without reoccurrence or scheduled with different options. Either option used will send notifications to the approver(s) and either will need approval before they expire in 14 days.
    Fully approved purge requests are sent to the job scheduler. For scheduled requests, the purge job runs at the soonest available time after its next scheduled recurrence. For immediate request, the purge job runs at the next available time generally within a few minutes.
  2. Approve a request
    Admin Center → Purge Request Monitor → Request Pending Approval.
    Note: Either type of approval (immediate or scheduled) will start on the Purge Request Monitor screen.
  3. Check Purge status
    The actual Purge job status can be checked at any time after it is approved by accessing the Approved Request tab. Here the user can download the preview report, view the job details, and/or access view results for the completed report that can be used to confirm whether the purge job was successful or not for each type of data in the purge.

Notes:

  • It is possible to put a legal hold on data for a specific candidate so that their data is not removed by a DRTM data purge. Possible use cases are pending litigation or other legal requirements that supersede the configured retention time.
    Permission required: Admin Center → Manage Permission Role → Data Retention Management → DRTM Purge Freeze.
    Where to put a candidate purge freeze: Admin Center → Manage Data → Create New → DRTM Purge Freeze.
  • The master data purge permanently and irreversibly removes inactive users from your instance, along with their associated data from across the HCM Suite, including audit data. DRTM Master Data overrides the retention time that is configured for any other DRTM purge objects. However, this purge will not remove any Recruiting Management user
    (defined as “Any user Job Requisition Approver, Interviewer, Offer Approver”) who is active in the Recruiting process.
    Their pending action will need to be dispositioned or transferred to another user before they can be purged.

 

More information

Customers can also refer to the following Knowledge Base Articles to learn more:

  • 2341240 – “DPCS 2.0 – how to enable version 2.0 of Data Privacy Consent Statement and how to set up privacy statement – Recruiting Management”
  • 2103393 – “Which data may be anonymized, when using DPCS 2.0? – Recruiting Management”
  • 2166333 – “How to set up anonymization – Recruiting Management”
  • 2080965 – “Candidate Anonymization – Recruiting”

 

 

 

Assigned Tags

      9 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo jeevan bodla
      jeevan bodla

      Very Informative, thanks Antonio.

      Author's profile photo Michelle Crapo
      Michelle Crapo

      I read this with a bit of a smile on my face.  My mom was a director of HR prior to her retirement.  She had tons of file folders.  The real ones, not just the folders on your computer.  Paper tons of paper.   She had to - granted with help - keep track of who had applied for what.  If they came in for an interview and there references didn't check out...   Go back through the stack and perhaps come across someone who had applied a long time ago and would be perfect.

      I think she had a full staff just to keep track of resumes.

      This would have made her life so very easy.

      Nice "how to" blog,

      Michelle

      Author's profile photo Shikha Bhatnagar
      Shikha Bhatnagar

      Hi Antonio,

      One query please,

      If a candidate declines DPCS then his data remains within system with Declined status or not?

      Thanks,

      Shikha

      Author's profile photo Antonio Pellegrino
      Antonio Pellegrino
      Blog Post Author

      Hi Shikha,

      If the candidate declines the DPCS then the application is automatically moved to the system status "Declined DPCS" and it is anonymized along with the candidate profile.

      Please note that this will not happen if the Recruiter previously moved the application to a disqualification status, which means that the application will not be anonymized but the candidate profile will.
      For more information refer to KBA #2722938.

      Hope it helps,

      Antonio

      Author's profile photo Dawood Shareef
      Dawood Shareef

      Hi Antonio,

      Thanks for sharing this information.

      In relation to this topic, need some advise.

      Currently in our system, the Data Privacy Consent Statement (DPCS) on SuccessFactors portal has been configured to be displayed on Internal Career (Recruiting Internal) for internal employees. Once the employee accepts the DPCS then only the Internal profile getting created after which the external profile is data converted/ migrated into internal profile.

      Unfortunately, not all our employees are accessing their careers tab to accept the DPCS hence due to which internal profile is not getting created.

      So planning to display the DPCS statement once the employee logs to the SF Portal i.e. Type Login instead of Recruitment Internal.

      So want to check your thoughts on this approach.

      Regards, Dawood

       

      Author's profile photo Antonio Pellegrino
      Antonio Pellegrino
      Blog Post Author

      Hi Dawood,

       

      Thanks for your comments.

       

      Are you currently using DPCS 1.0 or 2.0?

       

      Antonio

      Author's profile photo Sunil Gargeshwari Ramu
      Sunil Gargeshwari Ramu

      Hello Antonio,

      Thanks for sharing a detailed blog.

       

      QQ-Is it possible to anonymize attachment fields & how do they behave?

       

      Regards,

      Sunil

      Author's profile photo Antonio Pellegrino
      Antonio Pellegrino
      Blog Post Author

      Hi Sunil,

       

      Attachments do not need any anonymisation in place as they will always be purged when the Purge Rule runs.

       

      Thanks

      Antonio

      Author's profile photo Rohaizad Abu Bakar
      Rohaizad Abu Bakar

      Thanks for sharing Antonio.

      However If I run DRTM Inactive application Purge for status below, the application profile not been purged. Do you know why?

      Withdrawn Status with status category :
      1. Deleted on demand by candidate
      2. Deleted on demand by Admin
      3. Decline DPCS
      4. Withdrawn by Candidate