GDPR for Freelancers: Client Data, ICO Registration and Solo Trader Compliance
How freelancers and self-employed sole traders can comply with GDPR covering ICO registration, client data handling, portfolio consent, invoicing records, and privacy policies.
Working as a freelancer puts you in an unusual compliance position. You are simultaneously a small business, a data processor working on behalf of clients, and potentially a data controller in your own right. GDPR applies to you even if you work alone from a spare bedroom with a single laptop.
This guide covers everything solo traders and self-employed freelancers need to know about data protection: from ICO registration to handling a subject access request as a one-person operation.
Do Freelancers Need to Register with the ICO?
Yes — if you process personal data as part of your work, you almost certainly need to pay the data protection fee to the Information Commissioner's Office (ICO).
The fee for most small businesses and sole traders is £40 per year (Tier 1). This is not optional. Failure to register when required can result in a fine of up to £4,350.
You need to register if you process personal data for any purpose other than purely personal use. As a freelancer, you will almost certainly be processing personal data: client names and contact details, invoicing information, email correspondence, social media followers if you manage accounts, website analytics if you run a site, and more.
You do not need to register if the only personal data you process falls within the narrow exemptions: staff administration (which, with no staff, will not apply to you), accounts and records, or advertising your own business. The moment you handle clients' customer data, manage a mailing list, or process any data beyond those exemptions, registration is required.
Register at ico.org.uk/registration. It takes about ten minutes and renews annually.
Client Data on Your Laptop and Cloud Storage
When a client sends you a spreadsheet of their customer records, a list of email addresses, or access to their CRM, you become a data processor acting on their behalf. The client remains the data controller. This has practical implications.
On your laptop:
- Use full-disk encryption (FileVault on Mac, BitLocker on Windows). Both are built into modern operating systems and cost nothing.
- Password-protect the device with a strong password, not a four-digit PIN.
- Set your screen to auto-lock after a short period.
- Consider whether you actually need to download the data locally, or whether you can work in the client's own systems.
In cloud storage:
- Google Drive, Dropbox, and OneDrive are acceptable if configured correctly, but check your client's instructions — some clients will prohibit certain cloud providers.
- Enable two-factor authentication on your cloud storage accounts.
- Do not store client data in personal folders mixed with your own files. Keep client data clearly separated and delete it once your engagement ends.
Retention:
When a project is complete, delete client data you no longer need. Do not keep indefinite archives of old client files containing personal data. Your Data Processing Agreement (more on that below) should specify how long you retain data and confirm you will delete or return it on request.
Sending Client Data Over Email and WeTransfer
Email is not inherently secure. Sending a file containing personal data — a customer list, HR records, patient data — over standard unencrypted email carries risk.
For routine professional correspondence, email is generally acceptable, but for sensitive or large volumes of personal data:
- Use encrypted email (ProtonMail, or S/MIME encryption on Outlook/Gmail)
- Use the client's secure file transfer system if they have one
- If using WeTransfer, use WeTransfer Pro which offers password-protected links and automatic expiry. Standard WeTransfer generates publicly accessible links.
- Avoid sending personal data in the body of emails — attach it as a file rather than pasting names and addresses into the email body
When you send personal data on behalf of a client, the data breach responsibility is shared. If you accidentally send a file to the wrong recipient, that is a breach you are obligated to report to your client immediately.
Using Client Data to Do the Work vs. Your Own Marketing
This is a boundary freelancers sometimes blur accidentally.
Permitted: Using client data to perform the service you were hired to provide. If you are a copywriter working on their email campaigns, you can access their subscriber list for that purpose. If you are a web designer, you can access their analytics data to improve the site.
Not permitted: Using client data for your own marketing purposes. If a client gives you access to their customer database as part of a project, you cannot add those customers to your own mailing list, contact them for referrals, or use that data for anything beyond the specific engagement.
This applies even if you feel confident the client would not mind. You need explicit permission to use data for any purpose beyond the original stated purpose. This is the GDPR principle of purpose limitation.
Portfolio Use of Client Work and Consent
Using client work in your portfolio is a common freelancer practice that can create GDPR issues if done carelessly.
If the portfolio piece contains personal data — for example, a screenshot of a website with real user comments, a case study that identifies individuals, or a design that includes real client customer names — you need consent or a legitimate basis to display it.
Best practice:
- Anonymise case studies before publishing them
- Get explicit written permission from clients before featuring their work publicly
- If the work involves end-user data (customer testimonials, user research outputs), ensure those individuals have also consented
- Never publish screenshots that contain other people's personal information without their knowledge
A signed client contract should ideally include a clause specifying whether you can feature the work in your portfolio and under what conditions.
Invoicing Data and Retention (HMRC's 7-Year Rule)
HMRC requires sole traders to keep business records for at least 5 years after the 31 January submission deadline for the relevant tax year — which in practice means keeping records for roughly 5 to 7 years.
This creates a GDPR tension: GDPR says you should not keep personal data longer than necessary, but tax law requires you to keep financial records.
The resolution is straightforward: legal obligation is a valid lawful basis under GDPR Article 6(1)(c). You are permitted to retain invoicing data containing names and addresses for as long as HMRC requires. You do not need consent for this.
However, once the HMRC retention period expires, you should delete the records. And invoicing data should only be used for financial and tax purposes — not for marketing or any other purpose.
Store your invoices securely. If you use cloud accounting software (Xero, FreeAgent, QuickBooks), ensure you have reviewed their data processing terms. These platforms are data processors acting on your behalf.
Testimonials and Consent
Testimonials are personal data. A name, job title, company, and quote from a client constitutes personal data under GDPR.
Before publishing a testimonial on your website:
- Get explicit written consent from the client (an email saying "yes you can use this" is sufficient)
- Specify exactly what information you will publish — name, company, their quote
- If the person later withdraws consent, remove the testimonial
- Do not republish testimonials on platforms they have not consented to
A short email asking "May I use your feedback as a testimonial on my website, including your name and company?" and getting an affirmative reply creates a clear consent record. Keep that email.
LinkedIn Prospecting and PECR
Cold outreach on LinkedIn sits at the intersection of GDPR and the Privacy and Electronic Communications Regulations (PECR).
PECR restricts unsolicited electronic marketing messages to individuals. However, LinkedIn InMail and connection requests to people in their professional capacity occupy a grey area — they are generally treated as business-to-business communications rather than direct marketing to consumers.
That said:
- You must have a legitimate business reason for contacting someone
- Your message must be relevant to their professional role
- You cannot harvest LinkedIn profiles into a database for mass-marketing purposes without a lawful basis
- If someone asks you not to contact them, you must stop immediately and record that preference
For email outreach to business contacts, PECR requires you to offer an opt-out in every marketing email and to honour opt-outs promptly.
Custodia's compliance tools can help you understand your obligations around email marketing and data collection if you run your own freelance website with a newsletter or contact form.
Working from Coffee Shops and Public Wi-Fi
Public Wi-Fi creates genuine security risks for freelancers handling personal data.
The risks:
- Man-in-the-middle attacks can intercept unencrypted traffic
- Other users on the same network can potentially see your traffic
- Shoulder-surfing — people physically seeing your screen
Practical mitigations:
- Use a VPN whenever connecting on public Wi-Fi. Reputable providers include ProtonVPN, Mullvad, and NordVPN.
- Ensure websites you access use HTTPS (the padlock icon in the browser)
- Use a privacy screen filter if working in public with sensitive data
- Avoid accessing particularly sensitive client data (healthcare, financial records) in public spaces
If you regularly work from cafes, co-working spaces, or other shared environments, document this in your risk assessment and implement appropriate controls.
Subcontracting and Sub-Processor Obligations
When you subcontract work to another freelancer or service — a virtual assistant, a developer, a bookkeeper — and that subcontractor will have access to personal data you are processing on behalf of a client, you are introducing a sub-processor.
GDPR requires that:
- Your original client contract permits you to engage sub-processors (or you get specific approval)
- You have a Data Processing Agreement (DPA) in place with the sub-processor
- The sub-processor provides sufficient guarantees of GDPR compliance
- You remain liable to the client for the sub-processor's compliance
In practice: before giving a virtual assistant access to a client's email account, CRM, or customer database, check your contract with the client, sign a DPA with the VA, and document the arrangement.
Many freelancers overlook this, but it is a genuine compliance gap. If a subcontractor you engaged suffers a data breach involving your client's data, you will need to report it.
Data Breaches When You're a One-Person Business
A data breach is not just a hacker stealing millions of records. For freelancers, common breaches include:
- Sending an email with personal data to the wrong recipient
- Losing a laptop or USB drive containing client data
- Having your cloud storage account compromised
- A client file being accidentally shared publicly
Your obligations if a breach occurs:
First, assess the risk. Not every breach requires reporting to the ICO. You must report if the breach is likely to result in a risk to the rights and freedoms of individuals. If you accidentally email one client's invoice to a different client, assess: could this cause harm? Usually yes — it reveals commercial information and personal data.
Report to the ICO within 72 hours if the breach meets the threshold. You can report at ico.org.uk/make-a-complaint.
Notify affected clients immediately regardless of whether you report to the ICO. They may have their own notification obligations to fulfil.
Keep a breach log — even if you decide not to report. Document what happened, what data was involved, the likely consequences, and what you did to address it. This demonstrates accountability.
Subject Access Requests
Any individual whose personal data you hold can submit a Subject Access Request (SAR), asking you to provide a copy of all personal data you hold about them.
As a freelancer, you might receive a SAR from:
- A former client asking what information you hold about them
- An individual whose data you processed as part of client work
- A subscriber to your mailing list
Your obligations:
- Respond within one calendar month
- Provide a copy of all personal data you hold about them
- You can charge a fee only in limited circumstances (if the request is manifestly unfounded or excessive)
- You cannot withhold information just because it is inconvenient
Practically: search your email, cloud storage, accounting software, and any other systems where you might hold data about the person. Compile a clear response.
If the request relates to data you processed on behalf of a client (not as your own controller), you should refer the person to the client — you are the processor, not the controller in that case.
Privacy Policy for Your Freelance Website
If you have a website — even a simple portfolio site with a contact form — you need a privacy policy.
Your privacy policy must cover:
- Who you are and how to contact you
- What personal data you collect (contact form submissions, analytics data, cookies)
- Why you collect it (legitimate interest, contract performance, consent)
- How long you keep it
- Who you share it with (email hosting provider, analytics platform)
- The rights of website visitors (access, erasure, objection)
Cookie consent: If your site uses Google Analytics, Facebook Pixel, or similar tracking, you need a cookie consent banner that gets active consent before those scripts load.
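The "nothing loads before consent" mechanism described above, as an added example that is not part of the original article or of any Custodia product: a small JavaScript consent gate that keeps tracking loaders queued until the visitor actively opts in to their category, and keeps a timestamped record of each decision. The `ConsentGate` class, the category names and the `data-consent` attribute convention are assumptions of this example.

```javascript
// Added example: a minimal consent gate. Tracking loaders are registered up
// front but nothing runs until the visitor actively opts in to that category.
// Class name, category names and the data-consent attribute are assumptions.
class ConsentGate {
  constructor() {
    this.decisions = {};      // category -> true/false; absent = not yet decided
    this.pending = new Map(); // category -> queued { name, loader } entries
    this.loaded = [];         // names of loaders that actually ran, in order
    this.log = [];            // consent record: each decision and when it was made
  }
  // Queue a loader under a category; it runs only once that category is granted.
  register(category, name, loader) {
    if (!this.pending.has(category)) this.pending.set(category, []);
    this.pending.get(category).push({ name, loader });
    if (this.decisions[category] === true) this.flush(category);
  }
  // Record the banner's choice for the ticked categories. Refusal (or later
  // withdrawal) leaves queued loaders queued, so nothing runs by default.
  decide(categories, granted, when = new Date()) {
    for (const c of categories) {
      this.decisions[c] = granted;
      this.log.push({ category: c, granted, at: when.toISOString() });
      if (granted) this.flush(c);
    }
  }
  hasConsent(category) { return this.decisions[category] === true; }
  flush(category) {
    const queue = this.pending.get(category) || [];
    while (queue.length > 0) {
      const { name, loader } = queue.shift();
      loader();
      this.loaded.push(name);
    }
  }
}
// Browser adapter: <script type="text/plain" data-consent="analytics" data-src="...">
// is inert because browsers do not execute type="text/plain"; each such tag becomes
// a loader that injects a real <script> only after consent for its category.
function registerInertScripts(gate, doc) {
  for (const tag of doc.querySelectorAll('script[type="text/plain"][data-consent]')) {
    gate.register(tag.dataset.consent, tag.dataset.src || 'inline-script', () => {
      const s = doc.createElement('script');
      if (tag.dataset.src) s.src = tag.dataset.src; else s.textContent = tag.textContent;
      doc.head.appendChild(s);
    });
  }
}
```

On a real page, mark each tracker as `<script type="text/plain" data-consent="analytics" data-src="...">`, call `registerInertScripts(gate, document)` on load, and call `gate.decide([...], true)` only from the banner's accept action, never on scroll or page view.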
Many freelancers run sites that collect personal data through contact forms and analytics but have no privacy policy. This is a compliance failure that is easily fixed.
You can use Custodia to scan your freelance website and identify exactly what data your site is collecting, what cookies and trackers are active, and what your privacy policy needs to say. Scan free at https://app.custodia-privacy.com/scan.
Practical Solo Trader GDPR Compliance Checklist
Use this checklist to audit your compliance as a freelancer:
ICO Registration
- [ ] Registered with the ICO and paying annual fee (£40/year Tier 1)
- [ ] Registration renewed annually
Data You Hold
- [ ] Audit completed: know what personal data you hold and why
- [ ] Client data clearly separated and labelled
- [ ] Retention periods defined for different data types
- [ ] Old/unnecessary data deleted
Security
- [ ] Full-disk encryption enabled on all devices
- [ ] Strong passwords and two-factor authentication on all accounts
- [ ] VPN used on public Wi-Fi
- [ ] Password manager in use
Client Contracts
- [ ] Data Processing Agreement (DPA) signed with clients where you process their data
- [ ] Portfolio use terms agreed in contracts
- [ ] Sub-processor obligations covered if you subcontract
Your Website
- [ ] Privacy policy published and accurate
- [ ] Cookie consent banner implemented (if using tracking)
- [ ] Contact form data handled in accordance with privacy policy
Ongoing Operations
- [ ] Testimonial consent obtained in writing
- [ ] Breach log maintained
- [ ] Process defined for handling SARs within one month
- [ ] ICO registration renewal date diarised
Marketing
- [ ] Mailing list built on consent (not scraped or purchased)
- [ ] Unsubscribe mechanism working in all emails
- [ ] Opt-outs honoured promptly
Getting Started
GDPR compliance as a freelancer is achievable without a legal team or expensive software. Start with the fundamentals: ICO registration, a DPA template for client projects, encryption on your devices, and a privacy policy for your website.
If you want to understand exactly what your freelance website is collecting and sending to third parties, run a free scan with Custodia. The scan takes 60 seconds and identifies trackers, cookies, and compliance gaps so you know exactly what needs addressing.
Scan your freelance website free: https://app.custodia-privacy.com/scan
This article is for informational purposes and does not constitute legal advice. For complex compliance questions, consult a qualified privacy lawyer or data protection consultant.