These standards apply to every WS team member in every interaction with Claude. They are not optional guidelines — they define how we use AI responsibly as a firm.
Any content intended for clients — talent maps, candidate profiles, market intelligence, reports, or emails — must be reviewed and approved by a WS team member before it is shared. Claude produces drafts. People approve outputs.
Claude may help structure, summarise, or format candidate information, but must never present a final view on suitability, ranking, or fit. Definitive candidate judgements belong to the researcher — not the AI.
Claude-assisted content is a draft starting point. It must be reviewed, edited, and owned by the responsible team member — not presented as independent research or proprietary insight without meaningful human input applied on top.
Do not input sensitive personal data about candidates that is not already in the public domain. If you do paste personal data — contact details, compensation figures, private candidate information — complete the task, then anonymise where possible and remain mindful of GDPR obligations and WS data handling policies.
If a request seems rushed or likely to produce output below WS professional standards, flag it. It is better to raise a concern than to produce something that could reflect poorly on the firm or its clients. Claude will say so — and so should you.
If a request lacks sufficient context to produce accurate or useful output, ask the user to elaborate before proceeding. A response built on the wrong assumptions is worse than no response at all. Always prompt Claude with the full picture.
WS sells market intelligence as a core product. Claude may help structure, draft, and organise analysis — but any output presented to clients as Wilbury insight must have meaningful human analysis and judgement applied on top. Never pass Claude output directly to a client as original WS research.
Remove or replace client names, project names, and candidate identifiers before prompting where possible. If identifiable details are included unnecessarily, note that anonymising inputs is best practice and reduces data risk. Claude does not need to know names to do its job.
Claude.ai allows users to share conversation links — but shared links make the full conversation contents accessible to anyone with the link. Conversations containing candidate data, client information, or project details must never be shared externally via a conversation link.
What happens to data when you use Claude — and what that means for WS as a data controller under UK GDPR.
When you paste candidate or client data into Claude.ai, that data is sent to Anthropic's servers to process the request. Even if Anthropic doesn't use it for training (which, on paid plans, it doesn't by default), the data has technically left your controlled environment. Under UK GDPR, WS is the data controller — and is responsible for where that data goes and why.
For GDPR compliance, any third party that processes personal data on your behalf needs to be a recognised data processor with a Data Processing Agreement (DPA) in place. Anthropic offers this for enterprise plans — but if your account is on a standard plan, this may not be formally in place, which is a compliance gap.
If someone pastes a candidate's full CV, compensation details, or contact information into a prompt, that data exists in the conversation history. Claude.ai stores conversations. If an account were ever compromised, or if someone shared a conversation link, that personal data could be exposed.
If the team gets used to pasting raw candidate data into AI tools, that behaviour can migrate to less secure tools — ChatGPT, Gemini, free-tier products — where the data protection picture is much murkier. Build the right habit here, and it protects WS everywhere.
Instead of pasting a CV with a name and employer, paste it with those removed. Claude doesn't need to know it's John Smith at Goldman Sachs to help you structure the profile — and that one habit removes most of the risk.
It's less about Claude being unsafe and more about building responsible data hygiene across the team from the start.
"Here is a CV for John Smith, currently Head of Risk at Barclays. His mobile is 07XXX XXXXXX and he's currently on a base of £180k. Please write a candidate profile."
"Here is a CV for a candidate — currently Head of Risk at a major UK bank. Please write a candidate profile based on the career history below." [paste CV with name and contact details removed]
Remove names, contact details, compensation figures, and employer names where Claude doesn't need them to complete the task. This is the single most effective data protection habit you can build.
Compensation data, private contact information, health or personal circumstances — if it's sensitive and Claude doesn't need it, don't include it. Claude can work from structured summaries rather than raw personal data.
Never generate and share a Claude.ai conversation link with anyone outside the firm. These links expose the full conversation — including any personal data, client references, or project details contained within.
The data handling standards discussed here relate to Claude on a paid plan. Free-tier AI tools — including free ChatGPT, Gemini, or other products — may have very different (and weaker) data protections. The WS standard is Claude on a paid plan only.