FAQ

GDPR and Client Data Processing: FAQs for Professional Services Firms

UK GDPR questions are among the most common compliance concerns for professional services firms. Acting as data processor for client data, managing data processing agreements, and understanding retention obligations all create complexity that affects every engagement. This FAQ addresses the questions most frequently raised by professional services firms.

UK GDPR Article 28 requires a written Data Processing Agreement for every processing relationship between controller and processor.

Frequently Asked Questions

When is a professional services firm a data controller versus a data processor?

A data controller determines the purposes and means of processing personal data. A data processor processes personal data on behalf of a controller. Professional services firms are typically controllers for their own HR and marketing data, and processors when handling client personal data on the client's instructions. If your firm exercises independent judgement about how client personal data is used — for example, combining it with other data for analytics — you may be a joint controller, which has stronger obligations.

What must a Data Processing Agreement include?

Under UK GDPR Article 28, a DPA must set out the subject matter, duration, nature and purpose of the processing; the type of personal data and the categories of data subjects; and the obligations and rights of the controller. It must also commit the processor to specific requirements: processing only on documented instructions; confidentiality obligations on personnel; appropriate security measures; sub-processor management; assistance with data subject rights; deletion or return of data at the end of the engagement; and audit rights.

Do we need a DPA with every software tool we use?

Yes, for any software tool that processes personal data on your behalf. Cloud providers (M365, Google Workspace), CRM systems (Salesforce), accounting software (Xero), and practice management systems are all sub-processors under UK GDPR. These providers typically offer standard DPAs in their terms of service, which you must accept. For client engagements, your DPA with the client must also list these sub-processors and you must notify the client if you add new sub-processors.

How long should professional services firms retain client personal data?

UK GDPR requires retention only as long as necessary. For professional services, a defensible retention framework is: client engagement records (seven years for contractual and tax purposes); personal data in client files (aligned to the engagement record); HR records (six years post-employment); marketing contacts (three years without re-confirmation); proposal data where no contract was awarded (one to two years). Retention periods must be documented and technically enforced — a policy alone is insufficient.

Review your GDPR compliance

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.
