IR35 and Data Security: What Professional Services Contractors Must Have in Place
The IR35 reforms that shifted liability to end-clients for off-payroll workers created significant commercial pressure on professional services contractors. But the compliance story does not end with tax status. Contractors operating through a personal service company (PSC) who handle client data, access client systems, or provide strategic advice on sensitive mandates face their own UK GDPR obligations, and increasing numbers of enterprise clients require Cyber Essentials certification even for individual contractors engaging via a PSC.
Professional services contractors handling client personal data must comply with UK GDPR regardless of IR35 status.
GDPR Obligations for Contractors
If you operate through a PSC and process personal data in the course of your work, your company is a data controller or data processor under UK GDPR. Common scenarios for contractors include: receiving HR data to provide recruitment or organisational design advice; accessing financial records for management accounting or CFO support; handling employee data as part of an interim HR director engagement. In each case, your PSC must have a privacy notice, a data processing agreement with the end-client, and documented security measures.
Cyber Essentials for Contractors
An increasing number of public sector contracts and large enterprise clients require Cyber Essentials certification for all supply chain entities — including individual contractors operating through PSCs. For a single-person PSC, the scope of Cyber Essentials is limited to the devices and accounts you use for work. The certification costs around £300–£500 and can be completed within a few weeks. For contractors regularly tendering for government work, Cyber Essentials is effectively mandatory.
Frequently Asked Questions
Does my PSC need its own GDPR registration?
If your PSC processes personal data as a data controller — for example, maintaining a client contact database or retaining project files containing personal data — it should be registered with the ICO as a data controller. Registration costs £40–£60 per year for small organisations. Most contractors operating through PSCs who do any work involving personal data should be registered.