Company: Lever
Industry: ATS, B2C SaaS, Recruitment CRM
Timeline: 6 months
Tools: Figma, Zoom, JIRA

Lever: Self-Serve GDPR Compliance Portal Protecting Over $2M in Revenue

Summary

I led UX design for Lever’s first self-serve GDPR compliance portal — enabling enterprise customers to manage data privacy at scale. This work transformed compliance from a manual, support-driven burden into a transparent, productized experience that reduced legal risk, improved customer trust, and protected $1–2M in retention revenue.

Focus: Privacy, Governance, and Retention

Context

The General Data Protection Regulation (GDPR) reshaped global data privacy expectations. For enterprise clients, compliance wasn’t optional — it was a core renewal requirement tied directly to legal risk, procurement reviews, and platform trust.

Lever’s existing process relied on manual support and engineering intervention for deletion requests, retention policies, and audit confirmations. This approach slowed compliance workflows, created legal exposure, and weakened renewal confidence.

To meet growing enterprise demands, we built Lever’s first self-serve GDPR compliance portal — a centralized experience empowering customers to define, monitor, and automate privacy settings independently.

Role & scope

Title: Lead / Staff Product Designer, Core Platform

I led the end-to-end design — from research and mapping to final UX and system rollout — translating complex legal, technical, and user needs into a scalable solution.

Key responsibilities
  • Mapped backend data structures to visualize how candidate data moved across features and 3rd-party tools
  • Defined role-based access controls to limit sensitive operations like export or deletion
  • Designed friction-informed UX patterns for high-risk actions (multi-step confirmations, warnings, success verification)
  • Created dashboards for compliance visibility and audit logging
  • Collaborated with Legal, Product, and Engineering to align regional compliance across the EU, UK, and Canada

Cross-functional partners

  • Engineering: technical feasibility & enforcement logic
  • Security: compliance, risk thresholds
  • Customer success: renewal insights & ticket triage
  • Sales: deal blockers & procurement requirements
  • Legal: privacy & data exposure policy alignment

Challenge

Enterprise customers needed visibility and control over candidate data — without relying on Lever’s support or engineering teams. The absence of scalable governance introduced both business risk and customer frustration.

Pain points
  • Manual support tickets for every deletion or export request
  • No centralized dashboard for retention policies or compliance status
  • Legal and IT reviewers lacked transparency for audits and renewals

We needed to transform GDPR compliance into a seamless, self-managed product experience that balances legal rigor with usability.

Why it mattered

Compliance wasn’t just a check-the-box feature — it was a contractual necessity. Large accounts paused renewals or demanded custom agreements until Lever could demonstrate secure, automated governance. By productizing compliance, we could reduce support load, de-risk renewals, and strengthen trust during procurement reviews.

Design challenge

Design a self-serve compliance experience that’s legally sound, technically secure, and usable by non-technical admins — making compliance management as approachable as any other workflow in Lever.

Goals


    • Empower customers to manage privacy and data retention autonomously
    • Establish scalable UX patterns for privacy, governance, and auditability
    • Ensure region-specific compliance logic (EU, UK, CA)
    • Reduce support intervention for sensitive workflows
    • Meet enterprise renewal and audit expectations to protect revenue

Approach

    I framed the design around three guiding principles: clarity, control, and confidence.

    1. Map the System: Visualized candidate data flows across product features and external tools to surface where governance needed to intervene.
    2. Design for Permission & Safety: Applied RBAC rules to prevent unauthorized data actions.
    3. Friction-Informed UX: Added multi-step confirmations, inline warnings, and post-action verification to ensure safe execution.
    4. Localize & Scale: Built a framework to support region-specific retention timelines within one global dashboard.
    5. Validate Cross-Functionally: Partnered with Legal and Security to verify GDPR alignment and data flow accuracy.

Solution

    A self-serve GDPR compliance portal integrated into the Lever platform, giving customers direct control over their data governance lifecycle.

    • Configurable data retention policies: Define default deletion windows (e.g., 180 days post-rejection) by role, region, or stage.
    • Localized compliance controls: Apply EU, UK, or CA-specific rules within a unified dashboard.
    • Automated deletion workflows: Trigger privacy actions based on candidate status to eliminate manual requests.
    • Role-based access safeguards: Restrict high-risk tasks like export or deletion to authorized users only.
    • Audit logs & transparency dashboards: Track and verify all privacy operations with downloadable records for legal review.
    • Friction-informed UI patterns: Layered confirmations, inline alerts, and success summaries for irreversible actions.

    Together, these features made compliance actionable, auditable, and scalable without a single support ticket.

Outcomes

  • Contributed $1–2M in retention revenue by resolving renewal blockers
  • Reduced legal risk and cut support overhead tied to GDPR requests
  • Improved customer trust and renewal confidence during procurement audits
  • Established reusable design patterns for privacy, governance, and auditability across future compliance work
