Most consultants assume GDPR is something that only applies to companies — proper businesses with compliance teams, IT departments, and legal counsel. If you're a sole trader, a freelance contractor, or an independent consultant working from home, you might think the regulation simply doesn't reach you.
It does. And the gap between what most consultants do and what GDPR requires is surprisingly large.
This guide covers everything you need to know: why GDPR applies to you personally, what data you hold, which lawful basis covers it, what your privacy notice needs to say, and how to handle the tools and software you use every day.
You Are a Data Controller
Under GDPR, if you decide why and how personal data is processed, you are a data controller. That definition applies regardless of your legal structure. You don't need to be a limited company. You don't need to have employees. You don't need to turn over €50 million a year.
If you're a freelance marketing consultant with a client list in your CRM, you're a data controller. If you're an independent IT contractor keeping project notes in a cloud folder with client contacts in it, you're a data controller. If you're a sole-trader accountant sending invoices by email, you're a data controller.
Being a data controller means you have obligations: a lawful basis for each type of processing, a privacy notice, data security measures, retention limits, and the ability to respond to data subject access requests.
The good news is that for most consultants, compliance is manageable. You're not dealing with millions of records. Your processing is narrow and purposeful. But you do need to get the basics right.
What Data Do You Actually Hold?
Let's be concrete. As a consultant or contractor, you typically hold the following categories of personal data:
Client contact details — names, email addresses, phone numbers, job titles, LinkedIn profiles. You collected these to establish a working relationship.
Project files and deliverables — documents, spreadsheets, presentations, code repositories, design files. These may contain data about your client's customers, employees, or business operations.
Invoices and financial records — billing details, payment information, bank account numbers (yours and sometimes theirs), VAT numbers, transaction histories.
Email correspondence — your inbox contains a detailed record of every conversation with every client. Names, contact details, opinions, decisions, sensitive business information.
Meeting notes and call recordings — notes from discovery calls, project kick-offs, client interviews. If you record calls (Zoom, Teams, etc.), those recordings contain personal data.
Prospect and lead information — people who enquired but never became clients. Business cards collected at events. LinkedIn connection data you've noted somewhere.
Subcontractor details — if you work with other freelancers, you hold their personal data too.
All of this is personal data to the extent it relates to identified or identifiable individuals. A client company's name isn't personal data on its own, but the name and contact details of the person at that company are.
Lawful Basis for Each Type
GDPR requires you to have a lawful basis before you process any personal data. For consultants, most processing falls under one of two bases:
Contract (Article 6(1)(b)) — processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at their request prior to entering into a contract.
This covers: client contact details used to deliver work, invoicing data, project files you need to do the job, email correspondence about the engagement. The contract — your services agreement, statement of work, or even an informal email exchange confirming the engagement — is your lawful basis for the bulk of what you process.
Legitimate interests (Article 6(1)(f)) — processing is necessary for your legitimate interests (or those of a third party), provided those interests aren't overridden by the individual's rights and freedoms.
This covers: keeping records of former clients for your own business purposes, following up on prospects, maintaining a contacts list of people you've worked with for future opportunities. You need to be able to demonstrate that your interest is genuine, that the processing is necessary, and that you've considered the impact on the individual.
Legal obligation (Article 6(1)(c)) — processing is required by law.
This covers: retaining invoices and financial records for tax purposes. HMRC requires you to keep records for at least 5 years (6 years if you're VAT registered). This legal obligation overrides any request from a client to delete their data from your accounting records.
What you probably can't rely on: consent is rarely the right basis for existing client relationships. You don't need consent to process data you need to deliver contracted services. Using consent where contract or legitimate interests is appropriate creates complications (people can withdraw consent, which makes it awkward when you still need the data to do the job).
Do You Need a Privacy Notice on Your Website?
Yes — if you have a website that collects any personal data, you need a privacy notice. But the obligation goes further than that.
GDPR's transparency requirements (Articles 13 and 14) require you to provide privacy information to data subjects at the time you collect their data (or, if data wasn't collected directly from them, within a reasonable timeframe). This applies even if you don't have a website.
What your privacy notice must cover:
- Who you are and how to contact you (as the data controller)
- What data you collect and why
- The lawful basis for each type of processing
- Who you share data with (including your software providers)
- How long you keep data
- Data subjects' rights (access, rectification, erasure, portability, objection)
- The right to lodge a complaint with a supervisory authority (the ICO in the UK, or the relevant DPA in your EU country)
For most independent consultants, a one-page privacy notice on your website covers the website-related processing. You should also consider having a brief privacy notice that you send to new clients as part of your onboarding — covering how you'll handle their personal data during the engagement.
Want to check whether your website is already collecting more data than you think? Scan your site free at Custodia — it takes 60 seconds and shows you every tracker and cookie in action.
When You Handle Data About Your Clients' Customers
Here's where it gets more nuanced. Many consultants don't just handle data about their clients — they handle data about their clients' customers, employees, or users.
If you're a freelance developer building a web app that processes customer records, you're likely acting as a data processor for your client. If you're a marketing consultant who has been given access to a client's CRM to run campaigns, you're processing their customers' data on their behalf.
In these scenarios:
- Your client is the data controller
- You are the data processor
- GDPR requires a Data Processing Agreement (DPA) between you
A DPA sets out: what data you process, for what purpose, for how long, what security measures you apply, how you handle data subject requests, your sub-processing obligations, and what happens to the data when the engagement ends.
Many consultants never sign DPAs. This is a compliance gap — for you and your client. If your client is GDPR-aware, they should be requiring one. If they're not asking, you should be offering one. It protects both parties and demonstrates professionalism.
If you use any sub-processors yourself (more on that below), you need to ensure your client's DPA allows this, or obtain separate authorisation.
Your Tools Are Data Processors — and You Need DPAs
Every cloud tool you use to process client personal data is acting as a data processor on your behalf. Under GDPR, you need a Data Processing Agreement with each of them.
Here's the practical reality for most consultants:
CRM software (HubSpot, Pipedrive, Notion databases, even a Google Sheet shared with client contacts) — holds personal data, needs a DPA.
Invoicing software (FreeAgent, QuickBooks, Xero, Wave) — holds client financial and contact data. All major providers have DPAs available in their terms of service or on request.
Cloud storage (Google Drive, Dropbox, OneDrive, iCloud) — if you store project files with personal data here, this is your data processor. Check whether you've accepted their DPA terms (usually embedded in enterprise or business account terms).
Email (Gmail, Outlook, ProtonMail) — your email provider processes all the personal data in your inbox. Google and Microsoft both provide DPAs. Personal Gmail accounts are governed by consumer terms, not a DPA — if you're running a business, use a Google Workspace account.
Video conferencing (Zoom, Teams, Google Meet) — if you record calls, the provider stores that recording. Review their data processing terms.
Project management (Asana, Trello, ClickUp, Basecamp) — if you add client names, contact details, or project information here, it's personal data being processed by your tool.
The practical step: for each tool you use, find their Data Processing Addendum (usually in your account settings, or linked from their privacy policy), and accept it. Most major providers have made this self-serve. For smaller tools that don't offer a DPA, consider whether the data you store there is truly personal, and whether you could use an alternative.
Data Security as a Solo Operator
GDPR requires "appropriate technical and organisational measures" to protect personal data. For a solo consultant without an IT team, this translates into some straightforward practices:
Device security — use a password or PIN on all devices. Enable full-disk encryption (FileVault on Mac, BitLocker on Windows). Enable remote wipe so you can erase a lost laptop.
Strong passwords and a password manager — use a password manager (1Password, Bitwarden, Dashlane). Use unique, strong passwords for every service. Enable two-factor authentication on everything that matters: email, cloud storage, CRM, invoicing software.
Secure file sharing — don't email sensitive documents as unprotected attachments. Use encrypted file sharing (your cloud storage's share links with expiry, or a service like ShareFile). Never send passwords or sensitive credentials over email.
Wi-Fi hygiene — don't work with sensitive client data on public Wi-Fi without a VPN. If you regularly work from cafes or co-working spaces, a VPN is worth the small monthly cost.
Backups — maintain encrypted backups of important client data. A hardware failure that destroys client files is also a data incident you may need to report.
Clear desk / clear screen — if you work from home with household members around, be mindful of visible screens when working on sensitive client data.
You're unlikely to need to report a breach to a supervisory authority unless there's a real risk to individuals. But if you lose a device containing unencrypted client data, or your email account is compromised, those are incidents you should assess and potentially report within 72 hours.
How Long Should You Keep Client Files?
GDPR's storage limitation principle says you shouldn't keep personal data longer than necessary for the purpose it was collected for. But "necessary" isn't always obvious for consultants.
A practical framework:
Financial records and invoices — keep for as long as your tax obligations require. HMRC: 5 years from the 31 January self-assessment deadline for the relevant tax year (effectively up to 6 years). If you're VAT registered: 6 years. These are legal obligations that take precedence over any deletion request.
Project files and deliverables — a reasonable retention period is the length of the engagement plus a period for warranty/disputes (typically 6–12 months after project close). After that, consider whether you have a legitimate interest in retaining them (e.g., for portfolio purposes, but you should anonymise rather than keep full client data).
Client contact details — if a client relationship is genuinely dormant (no contact for 2–3 years, no ongoing relationship), consider whether you still have a legitimate basis for keeping their data active in your CRM.
Meeting notes — time-limited to the project. Notes with personal data about third parties (your client's colleagues, end users) should be deleted when no longer needed.
Prospect data — if someone enquired and never became a client, your legitimate interest in retaining their data diminishes over time. Consider a 12-month policy: if no engagement, delete or anonymise.
Document your retention decisions. A simple one-page data retention schedule is sufficient for most consultants.
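As an added example (not part of the guide), here is a small Python retention evaluator that encodes the schedule above: the HMRC self-assessment date arithmetic, the legal-obligation override for deletion requests, and the 1-year and 3-year periods picked from the ranges the guide suggests. The category names, the Record fields, and the reading that the VAT 6-year period runs from the invoice date are this example's assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Record:
    category: str        # "financial", "project", "notes", "contact" or "prospect" (assumed names)
    last_activity: date  # invoice date, project close date, last contact, or enquiry date
    vat_registered: bool = False

def add_years(d: date, n: int) -> date:
    try:
        return d.replace(year=d.year + n)
    except ValueError:  # 29 February in a non-leap target year: roll forward to 1 March
        return date(d.year + n, 3, 1)

def financial_keep_until(invoice_date: date, vat_registered: bool) -> date:
    """HMRC rule from the guide: 5 years after the 31 January self-assessment deadline for the tax
    year (6 April to 5 April) the invoice falls in; VAT registered: at least 6 years (assumed from invoice date)."""
    end_year = invoice_date.year + (1 if invoice_date > date(invoice_date.year, 4, 5) else 0)
    keep_until = add_years(date(end_year + 1, 1, 31), 5)
    if vat_registered:
        keep_until = max(keep_until, add_years(invoice_date, 6))
    return keep_until

# Non-statutory categories: (years after last activity, action once that period lapses).
# The 1-year and 3-year figures are this example's choices within the guide's suggested ranges.
RULES = {
    "project": (1, "anonymise"),  # engagement plus 12 months for warranty/disputes, then portfolio-only
    "notes": (0, "delete"),       # time-limited to the project
    "contact": (3, "review"),     # dormant relationship: reassess the legitimate-interest basis
    "prospect": (1, "delete"),    # 12-month policy: no engagement, delete
}

def keep_until(rec: Record) -> date:
    if rec.category == "financial":
        return financial_keep_until(rec.last_activity, rec.vat_registered)
    return add_years(rec.last_activity, RULES[rec.category][0])

def retention_action(rec: Record, today: date) -> str:
    if today <= keep_until(rec):
        return "keep"
    return "review" if rec.category == "financial" else RULES[rec.category][1]

def erasure_response(rec: Record, today: date) -> str:
    until = keep_until(rec)
    if rec.category == "financial" and today <= until:  # legal obligation overrides the request
        return f"refused: retained under legal obligation until {until.isoformat()}"
    return "erased"
```

Run it over a constructed list of records once a quarter and write the non-"keep" results into your retention schedule as the record of what you decided and when.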
Handling Data Subject Access Requests from Former Clients
Under GDPR, any individual whose personal data you hold can submit a Subject Access Request (SAR) asking for a copy of that data. This includes former clients.
You have one calendar month to respond. No charge can be made (unless the request is manifestly unfounded or excessive).
What you must provide:
- Confirmation that you process their data
- A copy of the personal data you hold
- Information about why you hold it, how long you'll keep it, who you share it with, and their rights
What "all the data you hold" actually means:
This is often where consultants underestimate the scope. It's not just the active client file. It's emails mentioning them by name, meeting notes, any messages in your project management tools, their details in your invoicing software, their contact record in your CRM, any notes you made during sales calls.
Practical steps:
Know where your data lives. Before you get a SAR, map out your systems (email, CRM, invoicing, cloud storage, project tools) so you can respond efficiently. A response is harder to compile if you've never thought about where everything is.
If you've already deleted data in line with your retention policy, say so. You're not required to produce data you've legitimately deleted.
Some data may be exempt — for example, information covered by legal professional privilege, or data relating to third parties that can't be separated from the subject's data without identifying those third parties.
If you receive a SAR from a former client who you believe is using it in a dispute context, don't panic. The process is the same. Respond accurately and within the deadline.
Your GDPR Compliance Checklist as a Consultant
- [ ] Identified yourself as a data controller
- [ ] Listed the types of personal data you process and the lawful basis for each
- [ ] Published a privacy notice on your website (if you have one)
- [ ] Briefed new clients on how you handle their data (even a short paragraph in your engagement letter works)
- [ ] Signed DPAs with all cloud tools and software providers that process personal data on your behalf
- [ ] Have a DPA template ready to offer clients where you're processing their customers' data
- [ ] Applied appropriate security measures (device encryption, strong passwords, 2FA, VPN)
- [ ] Documented a data retention schedule
- [ ] Know how to respond to a data subject access request
None of this requires a lawyer or a dedicated compliance budget. It requires a few hours of honest assessment and some practical decisions.
If you want to start by understanding what your website is already collecting — cookies, trackers, third-party scripts — run a free Custodia scan. It gives you a clear picture of your digital data footprint in 60 seconds, with a generated privacy policy you can publish immediately.
This guide provides general information about GDPR compliance for independent consultants and sole traders. It does not constitute legal advice. Requirements vary based on your jurisdiction, the nature of your processing activities, and your supervisory authority's guidance. For advice specific to your situation, consult a qualified privacy professional or data protection lawyer.