How to Protect Candidate Data on Your Recruitment Website

The single most effective way to protect candidate data on your recruitment website is to not store it there.
Your website is not an ATS. It is not built to the same security standards as Bullhorn, Vincere, or JobAdder. It does not undergo regular penetration testing, hold SOC 2 certification, or have a dedicated security team. Every piece of candidate data sitting on your website server is data that should be in your ATS instead.
At RecruiterWEB, we have built over 667 recruitment websites since 2004. Every one of them works the same way: candidate data flows from the website directly into the agency's ATS. No copy is stored on the website. No candidate database sits on the web server. No portal holds personal data outside of the ATS.
This is not a premium feature. It is how every RecruiterWEB website works on every plan, from Start-up at £149 + VAT per month to Fully Bespoke at £699 + VAT per month.
Why Storing Candidate Data on Your Website Is a GDPR Problem
The UK GDPR requires you to have a lawful basis for every piece of personal data you process and to collect only the minimum data necessary for that purpose (Articles 5(1)(b) and 5(1)(c)).
If your website collects candidate data into its own database and your recruiters work from their ATS, you have personal data in two systems. That creates three compliance failures:
1. Duplicate data with no processing purpose
Your recruiters do not use the website database. They use the ATS. The website copy serves no operational purpose. Storing data without a legitimate processing purpose breaches Article 5(1)(b).
2. Two systems, two sets of obligations
When candidate data exists in both your website and your ATS, you have two separate retention policies, two separate consent records, and two separate breach notification obligations. When a candidate submits a data subject access request, you must search both systems. When a candidate requests deletion, you must delete from both. Most agencies do not even know the data is in two places.
3. Expanded attack surface
Every system that holds personal data is a potential breach target. Your ATS provider invests heavily in security infrastructure, penetration testing, and compliance certifications. Your website provider almost certainly does not. Candidate data on your website is the weakest link in your data security chain.
For a detailed breakdown of why candidate portals create GDPR risk specifically, see our dedicated analysis.
What a GDPR-Compliant Recruitment Website Looks Like
A compliant recruitment website does four things:
1. Sends candidate data directly to the ATS
When a candidate applies or registers, their details (name, email, phone, CV) are sent via API directly into your ATS. The website acts as a collection point, not a storage point. The data enters the system that your recruiters actually use and exists nowhere else.
2. Stores no candidate data on the web server
No candidate database on the website. No CV files on the hosting server. No application records in the website admin panel. If your website provider offers a "candidate management" section in the CMS, that is candidate data on your website. That is the problem.
3. Includes clear consent and privacy messaging
Every form that collects personal data must include a clear statement of how the data will be used, who the data controller is, and how candidates can exercise their rights. This is not optional. It is a legal requirement under Article 13 of the UK GDPR.
4. Uses HTTPS encryption for all data in transit
HTTPS (SSL/TLS) encryption ensures that data submitted through your website forms cannot be read or tampered with by third parties in transit. This is a baseline technical requirement. Any recruitment website without HTTPS in 2026 is not fit for purpose.
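As an added example (not RecruiterWEB's code or any ATS vendor's API), here is a minimal application handler that implements points 1 and 2 above: it validates the submission, forwards it to the ATS through an injected transport, and persists nothing locally, not even in its audit log. The `send_to_ats` signature, the field names and the size limits are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Limits and accepted types are assumed policy values for this example.
MAX_CV_BYTES = 5 * 1024 * 1024
ALLOWED_CV_TYPES = {"application/pdf", "application/msword"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

@dataclass(frozen=True)
class Application:
    name: str
    email: str
    phone: str
    cv_name: str
    cv_type: str
    cv_bytes: bytes
    privacy_notice_version: str  # which Article 13 notice the candidate saw

def validate(app: Application) -> list:
    """Return validation problems; an empty list means safe to forward."""
    problems = []
    if not app.name.strip():
        problems.append("name required")
    if not EMAIL_RE.match(app.email):
        problems.append("email invalid")
    if app.cv_type not in ALLOWED_CV_TYPES:
        problems.append("cv type not allowed")
    if len(app.cv_bytes) > MAX_CV_BYTES:
        problems.append("cv too large")
    if not app.privacy_notice_version:
        problems.append("privacy notice version missing")
    return problems

def handle_application(app: Application, send_to_ats, audit_log: list) -> dict:
    """Forward one application to the ATS and keep no copy on the website.
    send_to_ats(payload, cv_name, cv_type, cv_bytes) -> reference string is the
    injected HTTPS transport to the ATS API (hypothetical signature)."""
    problems = validate(app)
    if problems:
        return {"accepted": False, "errors": problems}
    payload = {"name": app.name, "email": app.email, "phone": app.phone,
               "privacy_notice_version": app.privacy_notice_version}
    ats_ref = send_to_ats(payload, app.cv_name, app.cv_type, app.cv_bytes)
    # The audit trail records that a submission happened, not the candidate's data.
    audit_log.append({"event": "application_forwarded", "ats_ref": ats_ref,
                      "cv_bytes": len(app.cv_bytes)})
    return {"accepted": True, "ats_ref": ats_ref}
```

Because the handler returns only a status and an opaque ATS reference, a subject access request or deletion request has exactly one system to search: the ATS.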
What Data Do Recruiters Need to Protect?
Candidate CVs contain a high density of personally identifiable information (PII):
- Full name and contact details
- Home address
- Employment history
- Educational background
- Professional qualifications
- Right-to-work documentation (in some cases)
This data is a primary target for identity theft. A single breach exposing candidate CVs creates ICO reporting obligations (within 72 hours), potential fines, reputational damage, and loss of client confidence.
Client data is also at risk. Hiring manager names, direct email addresses, phone numbers, and confidential vacancy details should never be accessible through a website portal or stored in a website database.
The Candidate Portal Problem
Some recruitment website providers offer candidate portals as a feature: a login area where candidates can view their application status, update their profile, or manage their details.
This sounds helpful. It is a compliance liability.
A candidate portal means:
- Candidate data is stored on your website server. Login credentials, profile data, CV files, and application history all sit in the website database.
- You are responsible for securing that data. Password storage, session management, and file upload functionality all create attack vectors your website was not designed to defend.
- Orphaned accounts accumulate. Candidates who register and never return still have active accounts holding personal data. Without automated retention and deletion, those records sit indefinitely.
- Third-party tracking scripts can access portal pages. Analytics, chat widgets, and advertising pixels on portal pages can inadvertently collect personal data without candidate consent.
The alternative is straightforward: candidates apply on your website, their data flows directly into your ATS, and they manage their information through the ATS provider's own secure candidate experience (if the ATS offers one). One copy of the data, in the system built to handle it securely.
RecruiterWEB does not offer candidate portals. This is a deliberate decision based on 22 years of building recruitment websites and a clear understanding of where candidate data belongs.
How to Audit Your Current Website
Ask your website provider these five questions:
- Where is candidate data stored after someone applies? If the answer includes "in the website CMS" or "in the website database," you have a GDPR problem.
- Is candidate data duplicated between the website and the ATS? If yes, you have two systems holding personal data with two separate compliance obligations.
- Does the website have a candidate portal or candidate login? If yes, you have personal data stored on the website that candidates may have forgotten about.
- When was the website last penetration tested? If the answer is "never" or "I don't know," your candidate data is sitting behind untested security.
- What happens to candidate data stored on the website if we leave the provider? If the answer is unclear, you have a data portability and deletion problem.
If your provider cannot answer all five clearly, you have a GDPR liability on your website right now.
How RecruiterWEB Handles Candidate Data
Every RecruiterWEB website, on every plan, works the same way:
- Candidates apply or register on your website
- Their data (including CV) is sent via API directly into your ATS or CRM
- No copy is stored on the website platform
- No candidate database exists on the web server
- All forms include consent and privacy messaging
- All data transmission uses HTTPS encryption
- No candidate portal. No candidate login. No candidate data on the website.
This is not a feature you pay extra for. It is how the platform is built. It is how every one of our 667+ client websites operates.
Frequently Asked Questions
How do I make my recruitment website GDPR compliant?
Ensure your website sends candidate data directly to your ATS via API and stores no copy on the website server. Include clear consent messaging on every form that collects personal data. Use HTTPS encryption for all data in transit. Set a lawful basis for processing (legitimate interest for job applications, consent for marketing). Remove any candidate portal or candidate database from your website CMS. If your recruiters do not use the website database, the data in it has no lawful purpose for processing.
What candidate data must recruitment agencies protect?
Any information that identifies a living individual. For recruitment, this primarily includes CVs, contact details (name, email, phone, address), employment history, educational background, professional qualifications, and in some cases, right-to-work documentation. CVs are the highest-risk dataset because they concentrate multiple types of PII in a single document. Under UK GDPR, recruiters must protect this data with appropriate technical and organisational measures.
Who is responsible for a data breach on a recruitment website?
The recruitment agency, as the data controller, is responsible for breaches even when third-party systems are involved. If candidate data is breached through your website, you must report to the ICO within 72 hours, notify affected individuals if the breach poses a high risk to their rights, and demonstrate what technical measures were in place. Your website provider's negligence does not transfer your liability.
Is a candidate portal on a recruitment website GDPR compliant?
In most cases, no. If your candidate portal stores personal data that your recruiters do not use operationally because they work in their ATS, you are storing data without a legitimate processing purpose. This breaches Article 5(1)(b) of the UK GDPR. Candidate portals also create cybersecurity risk through login pages, password storage, and file upload functionality that your website was not designed to defend at the same level as a dedicated ATS platform.
Does RecruiterWEB store candidate data on the website?
No. Every RecruiterWEB website sends candidate data directly to the agency's ATS via API. No copy is stored on the website platform. No candidate database exists on the web server. No candidate portal or candidate login is offered. This is how every RecruiterWEB website works on every plan at no extra cost. Candidate data belongs in your ATS, not on your website.