How Should I Manage Data as a Recruiter?

“How should I manage data as a recruiter?” 💭

This question comes up very commonly when someone is starting a recruitment agency.


Because no process is more personal-data-heavy than recruitment.

And if that’s your company’s bread and butter, you’ll have a huge amount of sensitive information to protect. 🍞🧈

Names, addresses, emails, numbers, details about employment histories and personal lives.

Times a thousand, and another thousand, and another thousand.

You name it, you’re processing it.

And on both ends of the recruitment spectrum, too.

You’re looking after company and talent pool data.

Given that over 70% of people feel protective of their personal data and worried about its security, looking after it correctly as a recruiter is a must.

Let’s explore the reasons data management matters, the ways to manage data effectively, and the laws in place that you’ll need to follow as you do.


Why Does Good Data Management Matter for Recruitment Agencies?

In the UK, the average cost of a data breach for a small to medium enterprise (SME) is £16,100.

This cost is rising year on year for businesses of every size. 😱

If we had to guess, we’d say the cost is so high because real damage can be done in the average lifecycle of a breach:

206 days to discover it, and 73 more to contain it.

This is, evidently, an expense and an eventuality you should be looking to avoid.

But even beyond the financial side of things, data management matters when it comes to fostering client trust.

Peace of mind about personal data breeds long-lasting, positive working partnerships.

If you want to develop and keep a client base, abide by the laws of the land and avoid costly data breach issues, good data management is a must for your agency. ✅

It’s not a “save-that-for-tomorrow” type of job.

It’s a “sort-that-out-immediately” type of situation.

What Laws Do I Need to Abide By? 👨🏻

Let’s dive into the legalese.

(I promise I’ll make it as painless as possible!)

Every country has its own rules and regulations regarding data protection, but in the UK there are two key pieces of legislation you’ll need to know all about:

– The EU GDPR (General Data Protection Regulation) 2018

– The DPA (Data Protection Act) 2018

Infringing the standards set out in these documents could land you with a maximum fine of £17.5 million or 4% of your agency’s annual global turnover (whichever is larger).

I don’t know about you, but I’m wincing at the mere THOUGHT of that.

No thanks. 🤢🤮

Let’s start with the GDPR…

What Part Does GDPR Play?

The EU GDPR was introduced in 2018 after years of talk about data reform in Europe finally came to fruition.

The regulations in force before this time were, in part, written way back in the 90s. ↩️

Before LinkedIn recruitment strategies.

Before TikTok videos of cats riding on skateboards.

Before the digital world as we know it today.

As you can imagine, those regs were pretty out of date.

They didn’t account for a load of the data protection issues that we run into regularly in 2021, because how could they when a lot of the stuff that causes these issues wasn’t even invented yet? 📲

That’s when the GDPR came along to modernise laws surrounding personal information and data privacy.

Its seven key principles are:

1. Lawfulness, fairness and transparency – Data must be processed lawfully and fairly, and you must be transparent with data subjects about how their data is being used.

2. Purpose limitation – Processed data must be relevant and purposeful.

3. Data minimisation – No more data than is needed for your purposes should be collected.

4. Accuracy – Data should be accurate and up to date.

5. Storage limitation – You should only store data for as long as necessary.

6. Integrity and confidentiality – Data must be protected against “unauthorised or unlawful processing”, and if adequate security measures aren’t taken, harsh fines might well be applied. (Similar to those applied to Cathay Pacific for “basic security inadequacies” in the way that they were set up.)

7. Accountability – You have a responsibility to prove that you’re meeting the other principles. Most organisations will need to keep data processing, sharing and storage records, and organisations with more than 250 employees will also need to document WHY information is being processed/collected.

These are outlined more fully in the behemoth of a document, but those principles are the basics by which all the specifics are aligned.

What’s the Difference Between the EU GDPR and the UK GDPR?

The UK GDPR is another name for the DPA 2018.

The DPA 2018 is the UK’s implementation, with some minor changes and adjustments, of the EU GDPR.

That was probably simpler than you thought, wasn’t it?


The AdBuilder team can break anything down into understandable terms – it’s sort of our thing (that and the whole job advert building platform). ✨

Here’s a summary of the differences between the two pieces of legislation.

Some of which are more likely to impact your recruitment agency than others, but all of which are helpful to know.

How Should I Manage Data? 🧐

This is the big one:

How should I manage data to remain in compliance with UK law and best protect the info my clients give me? 🤔

It’s not an easy task, but if you take your time over it and do your research, you can hit the nail on the head. ⚒

Trust reliable people to manage the data and stay on top of data protection regulations.

Invest in automated tools, such as candidate relationship management software that keeps all that information in a central database. 🗄

And finally, follow these eleven carefully gathered tips…

How Often Should I Cleanse My Data?

This is one that’s already been touched upon when I shared those seven key principles that make up the backbone of the GDPR. 🦴

Still, it bears repeating as it’s super important.

As a recruiter, you should only be keeping data for as long as you need to.

For as long as it’s expressly relevant and valuable to your agency.

One more thing to note is that the GDPR gives the individuals or companies whose data you’re holding the right to have it erased in certain circumstances.

These circumstances include:

1. A situation where they can prove that it’s no longer necessary for you to have their data, e.g., a previous jobseeker now has a stable job and doesn’t need contact from an agency regarding potential work

2. A situation where the data subject withdraws their consent

3. A situation where no legitimate interest can be claimed

4. A situation where the data was initially processed unlawfully

The Staffing Stream suggests that you go by the rule of sourcing and storing candidate data “only if you collect job-related information and plan to contact them within 30 days”.

What Rights Do I Have Over the Data?

Data-driven recruiting is gaining traction as one of the best ways to elevate your hiring process and find top candidates more quickly in 2021.

But wait!

Before you throw your recruiter brain headfirst into data collection and start gathering all the facts and figures that you can, it’s important that you understand the rights you have over the data you collect.

As explored above, you only have a right to collect personal data that can be considered truly relevant.

Plus, you can’t store this data forever. 👎🗑

With 46% of consumers feeling that they’re currently unable to effectively protect their personal data, the last thing you want is to worsen that statistic.

Sometimes, you’ll come across a piece of data and be unsure if it’s personal data or not – particularly if it’s been pseudonymised (attached to a fictitious name).

Until you find out, you won’t know what rights you have over the data.

To determine your yes or no answer, you’ll need to think about whether a person could be IDed by the information, even if you can’t personally ID them.


Is the data too specific to be anything but personal?

For instance, an anonymised/pseudonymised piece of data that painted a picture of a black man who was once president of the USA wouldn’t be hard to re-attach to Barack Obama, even without his name in the picture.

If you do determine that the data is personal, you can figure out your rights to it by inferring what isn’t covered by the rights afforded to your data subjects.

These rights are:

– The right to be informed

– The right to access

– The right to rectification

– The right to erasure

– The right to restrict processing

– The right to data portability

– The right to object

Then you’ll need to think about whether this personal data falls into a particularly sensitive category.

Sensitive personal data categories will need to be protected more rigorously, meaning you’ll have fewer rights over them.

Sensitive personal data categories are things like:

– Race/ethnic origin

– Sexual orientation

– Gender identity

– Religious beliefs

– Political opinions

– Union memberships

– Genetics

– Biometric data

– Other health information

Keep Levelling Up Your Recruitment Agency with AdBuilder’s Support 👾

This comprehensive guide to all things data management is a lot to take in.

Trust us, we know. 😬

Luckily, it’s here for you to read and re-read until you have a strong grasp of how to effectively protect candidate and client data.

Perfecting your data management process is one of many ways in which you can level up your recruitment agency.

Another brilliant way is to invest in a piece of software that’ll save you lots of time and make job advert writing a quick, simple and painless process.


We’re talking about AdBuilder.

Our job advert building platform can cut your ad creating time down to a minuscule 10 minutes – giving you even more time to put back into managing customer relationships and protecting personal data.

Plus, we recently developed a bias checking tool called AdGrader.

It’s the perfect way to raise your diversity and inclusion game in 2022. 🌈❤️


Written by James Ball

James is the founder and owner of AdBuilder and a recruitment expert from Sutton Coldfield in the UK.  He regularly advises companies on how to improve and get the maximum ROI from their recruitment processes and advertising.
