We recently worked with a mid-sized recruitment company to clean and rationalise their applicant tracking system. What started as a housekeeping exercise — clearing out duplicate records, fixing broken imports, retiring old pipelines — quickly became something more significant. What we uncovered was a data compliance problem hiding in plain sight, and it is far more common than most organisations realise.
The Archaeology of a Busy ATS
Applicant Tracking Systems accumulate data fast. Every job posting, every CV uploaded, every interview note, every email thread captured through an inbox integration — it all lands in the system and, in most cases, stays there indefinitely. Unlike a CRM for sales, where deals close and records go cold, a recruitment ATS sits at the intersection of active hiring and years of historical candidate relationships. The result, over time, is a dense archaeological record of personal information.
In the system we reviewed, records dated back to 2017. Candidates who had applied for roles that no longer existed, at companies the client had long since stopped working with. Phone numbers, home addresses, salary expectations, references, passport scans submitted for background checks, clinical assessments for healthcare roles, notes from recruiters about personal circumstances mentioned during screening calls. None of it had ever been deleted. None of it had a retention policy attached to it.
What the audit found
Over 40,000 candidate records. Approximately 12,000 with no activity in more than three years. Roughly 800 with scanned identity documents attached. Several hundred with health-related information recorded in free-text notes fields. All of it sitting in a cloud-hosted SaaS platform with no automated deletion, no documented retention schedule, and no record of consent being refreshed since initial application.
Why This Is a Privacy Problem, Not Just a Tidiness Problem
The instinct when facing a messy database is to treat it as a technical debt issue — something that makes the system slower, harder to search, and more expensive to run. That framing misses the point. Every dormant record in your ATS is a piece of personal information that a real person provided for a specific, time-limited purpose: to be considered for a role. The legal basis for holding that data does not last forever, and in most jurisdictions, it has a defined shelf life.
Japan's APPI amendments, in force since 2022, require organisations to handle personal information with a clear purpose of use and to delete it when that purpose has been fulfilled. Singapore's PDPA places explicit obligations on retention: data must not be kept longer than is necessary for the purpose it was collected. Australia's Privacy Act applies the same principle. And for any organisation handling data from EU-based candidates, GDPR's storage limitation principle is unambiguous — data should be kept only as long as necessary, and the burden of proof sits with the data controller.
The practical translation: if someone applied for a role with you in 2019 and was not placed, you almost certainly do not have a valid legal basis to retain their full profile — complete with their salary history, reference contacts, and a recruiter's personal notes — in 2026.
Japan — APPI
Purpose limitation and retention obligations. Mandatory breach notification within a defined period. Penalties for violations up to ¥100M for corporations.
Singapore — PDPA
Retention limitation obligation: data must not be kept longer than necessary. Mandatory data breach notification. Fines up to S$1M per breach.
EU / GDPR (candidate data)
Storage limitation is a core principle. Right to erasure is enforceable. Applies wherever EU-based candidates are involved, regardless of where your business is based.
The Types of Data That Surface — and Why They Each Carry Risk
Not all data in an ATS is equal from a privacy standpoint. A candidate's name and the role they applied for carries relatively low individual risk. But ATS systems routinely accumulate categories of data that warrant much more careful handling.
Identity documents
Passport scans, national ID copies, and visa documentation collected for background checks or right-to-work verification. These are high-sensitivity documents with no business reason to retain after the check is complete — yet they routinely persist as file attachments for years.
Health and disability information
In healthcare, education, and roles involving physical demands, screening processes often surface health data. If this lands in a notes field or as an attachment and is not flagged as sensitive, it sits alongside general candidate data with no additional access controls.
Salary and financial history
Current and expected salary data is commercially sensitive and, in certain jurisdictions, subject to specific handling requirements. It is also frequently shared between recruiters without candidates being aware of the scope of that disclosure.
Recruiter notes and assessments
Free-text notes can contain references to a candidate's personal circumstances, family situation, health, or anything else that came up in a screening conversation. These are legally problematic to retain and could constitute evidence of discriminatory screening practices if they ever came to light.
Third-party reference contacts
References provided by a candidate are third parties whose data was shared with consent for a specific purpose. Retaining their contact details indefinitely — and potentially passing them along to client hiring managers — extends your data processing obligations beyond the original candidate.
What the Audit Reveals About Your Future Needs
This is where the exercise shifts from remediation to planning. A thorough data audit does not just tell you what you need to clean up — it tells you what processes and infrastructure you are missing, and what you need to build to stay compliant as the business grows.
In the engagement we described, the findings pointed to several clear gaps that the client had not previously identified as compliance priorities.
From audit findings to compliance roadmap
No data retention schedule
Every data category needs a defined retention period, a legal basis for that period, and an automated or procedural mechanism for deletion. The audit makes it impossible to ignore that this does not exist.
No data classification policy
When identity documents and salary data sit in the same unstructured records as job titles and LinkedIn profiles, it is impossible to apply appropriate access controls or deletion triggers. Classification has to come first.
Consent records are incomplete or absent
Many legacy records have no documented consent — or consent was obtained under terms that have since changed. Building a consent management process into your intake workflow is not optional under any modern privacy framework.
No process for subject access requests
Under GDPR, APPI, and PDPA, individuals have the right to request access to data held about them — and in some cases to have it deleted. If you cannot respond to that request within the legally required timeframe, you have a process problem on top of a data problem.
Third-party data sharing with clients is undocumented
Sharing candidate profiles with client hiring managers is core to the business — but each share is a data transfer that requires a legal basis, appropriate agreements, and records of what was shared with whom. In most ATS systems, this is entirely ad hoc.
Where to Start
If you are running an ATS or CRM with more than two or three years of data and you have never done a formal data audit, the right move is not to panic — it is to get visibility. You cannot remediate what you have not measured, and you cannot build a compliance roadmap without knowing what you are actually holding.
A practical starting point: run a data inventory. Export a structured count of your records by age, by data completeness, by whether consent records exist, and by data type. Most ATS platforms have enough reporting capability to do this without custom engineering. That inventory becomes the brief for your remediation priorities and, simultaneously, the clearest possible picture of what you need to build to stay compliant going forward.
The companies we work with who handle this proactively — before a regulator asks, before a data subject complaint arrives, before a client due diligence questionnaire surfaces the gaps — are the ones who come out of the process with a genuine competitive advantage. Data hygiene is increasingly something enterprise clients and partners evaluate before signing. The audit that started as a cleanup job has a way of becoming the foundation of your data governance programme.
Facing a Data Audit or Privacy Gap in Your ATS?
Whether you are starting a cleanup project, preparing for a compliance review, or building a data retention policy for the first time, we can help you understand what you are holding, what your obligations are, and what you need to put in place. Let's talk.