GDPR for Professional Services: Client Data, Data Processing Agreements, and ICO Obligations
Professional services firms process personal data at every stage of a client engagement — from the initial proposal through to invoicing, project delivery, and alumni communications. UK GDPR obligations apply regardless of firm size, and the ICO has issued fines to professional services organisations for insufficient data protection measures. The ICO's 2023 annual report identified professional services as one of the top five sectors for data breach reports. Understanding your obligations is not optional.
ICO 2023: Professional services ranked in the top five sectors for reported data breaches.
GDPR Obligations Specific to Professional Services
Professional services firms typically act as both data controllers (for their own HR and marketing data) and data processors (when handling client personal data on behalf of a client). When acting as a data processor, you must:
- Have a signed Data Processing Agreement (DPA) with every client whose personal data you process
- Only process personal data on documented instructions from the controller (the client)
- Implement appropriate technical and organisational measures to protect the data
- Not engage sub-processors (cloud providers, software tools, contractors) without controller consent
- Assist the controller with data subject access requests, erasure requests, and breach notifications
- Delete or return all personal data at the end of the engagement
Data Retention for Professional Services Firms
UK GDPR requires that personal data is not kept for longer than necessary. Professional services firms commonly breach this by retaining client project files, CVs, and contact databases indefinitely. A defensible retention schedule should define retention periods by category: client engagement records (typically seven years for tax purposes), staff records (six years post-employment), marketing contact data (three years without re-confirmation), and proposal/tender data (one to two years if no contract awarded). The retention schedule must be documented, communicated to staff, and technically enforced.
ICO Breach Notification: What Counts as a Reportable Breach
A personal data breach must be reported to the ICO within 72 hours if it is likely to result in a risk to individuals' rights and freedoms. For professional services firms, reportable breaches commonly include: an unencrypted laptop containing client personal data that is lost or stolen; an email containing client data sent to the wrong recipient; a ransomware attack that encrypts files containing personal data; or unauthorised access to a CRM or project management system. The ICO expects to see evidence of a documented breach register and a defined internal escalation process.
Frequently Asked Questions
Do professional services firms need a Data Protection Officer?
Under UK GDPR, a DPO is mandatory only for public authorities, organisations that carry out large-scale systematic monitoring of individuals, or organisations that process special category data at scale. Most professional services firms do not meet these thresholds. However, the ICO recommends designating a named person responsible for data protection compliance — this can be an existing staff member or an outsourced Data Protection Adviser.
What should a Data Processing Agreement cover for a professional services engagement?
A GDPR-compliant DPA must cover: the subject matter, duration, nature and purpose of the processing; the type of personal data and categories of data subjects; the obligations and rights of the controller; and the specific requirements from Article 28 UK GDPR — security measures, sub-processor consent, audit rights, breach notification timescales, and data deletion on termination.