DEV Community

Custodia-Admin

GDPR for HR Consultants: How to Handle Employee and Client Data Compliantly

HR consultants occupy a uniquely exposed position under data protection law. You routinely handle personal data belonging to your clients' employees — people who have no direct relationship with you, who did not choose to share their data with an external consultant, and who may not even know you exist. Add to that the sensitive nature of HR data — disciplinary records, health information, redundancy lists, whistleblower reports — and you have a data processing profile that regulators take seriously.

This guide covers everything freelance HR consultants and HR advisory firms need to know about GDPR compliance: why you are classified as a high-risk processor, how the controller/processor relationship works, what special category data rules apply, and how to handle specific HR scenarios from TUPE transfers to whistleblower investigations.


Why HR Consultants Are High-Risk Data Processors

Most professional service providers process their own clients' personal data. Accountants hold client financial records; solicitors hold client case files. HR consultants are different. You process personal data about other people — employees and workers who belong to your client's organisation, not yours.

This creates a distinctive risk profile:

  • Volume: An engagement at a mid-sized business might expose you to data on hundreds or thousands of employees
  • Sensitivity: HR data routinely includes health information, disciplinary history, performance issues, personal grievances, and trade union membership — all of which attract heightened protection
  • Ongoing access: Unlike a one-off audit, HR consultancy often involves extended access to live HR systems, email inboxes, and personnel files
  • Third-party expectations: Employees expect their employer to handle their data — they have no relationship with you and cannot easily exercise their data rights against you

The UK ICO and EU supervisory authorities both identify HR data as an area warranting careful compliance. If you are processing data on behalf of a client's workforce without documented legal authority and proper safeguards, you are exposed.


The Controller/Processor Distinction: Who Is Responsible for What?

This is the foundational question, and getting it wrong causes real legal problems.

Your client is almost always the controller. They determine the purposes and means of processing — why employee data is collected, what it is used for, how long it is kept. An HR consultant engaged to support a disciplinary process, manage a redundancy consultation, or advise on employment law is not deciding those things independently.

You are almost always a processor. You process personal data on the controller's behalf, in accordance with their instructions, for their purposes.

Data Processing Agreements Are Mandatory

Under Article 28 GDPR, when a controller uses a processor, they must enter into a written Data Processing Agreement (DPA). This is not optional and not something to leave to a future date. If you are engaged as a processor and there is no DPA in place, both you and your client are in breach.

A compliant DPA must cover:

  • The subject matter and duration of the processing
  • The nature and purpose of the processing
  • The types of personal data and categories of data subjects involved
  • Your obligations and rights as processor, including security requirements
  • Restrictions on subprocessing (e.g., if you use a third-party analytics or HR platform)
  • Assistance obligations (helping the controller respond to DSARs, notifying data breaches)
  • Return or deletion of data at the end of the engagement

Many HR consultants operate without DPAs because clients do not request them and consultants do not know to raise them. Make it standard practice to have a DPA in place before accessing any employee data.


Employee Data as Special Category Data

Not all HR data is equal under GDPR. Article 9 creates a heightened protection category for data that is particularly sensitive. For HR consultants, the most relevant special categories are:

  • Health data: Sickness records, medical certificates, occupational health reports, reasonable adjustments documentation, mental health disclosures
  • Trade union membership: Whether an employee is a union member or has been involved in union activity
  • Disciplinary data relating to criminal offences: Gross misconduct allegations involving criminal behaviour are subject to both Article 9 and Article 10 restrictions

Processing special category data requires not only a lawful basis under Article 6 but also a separate condition under Article 9. For employment-related processing, Article 9(2)(b) — processing necessary for carrying out obligations in the field of employment law — is most commonly applicable.


Conducting HR Investigations and Data Handling

HR investigations — disciplinary, grievance, or harassment — are among the highest-risk processing activities an HR consultant will be involved in.

During an investigation you may access:

  • Employee emails and messages
  • Witness statements containing sensitive personal disclosures
  • CCTV footage or access logs
  • Health information relevant to the alleged conduct
  • The subject's personnel file and disciplinary history

Key GDPR principles:

  • Data minimisation: Only access data you genuinely need
  • Confidentiality: Investigation documents must be handled securely
  • Retention: Define a retention period — investigation files should not sit indefinitely in shared drives
  • Data subject rights: The subject can submit a Subject Access Request; advise clients on exemptions that may apply

Accessing HR Systems on Behalf of Clients

Many HR consultants are given access to clients' HR systems — Workday, BambooHR, HiBob, Sage HR. Best practices:

  • Use a named personal account rather than shared credentials
  • Limit access to modules and data fields necessary for your engagement
  • Do not download bulk employee data to personal devices or unsecured cloud storage
  • Request that your access is revoked at the end of each engagement

Redundancy Consultations and the Data Involved

Collective and individual redundancy consultations generate significant volumes of personal data:

  • Selection pool employee lists with scoring against objective criteria
  • Individual consultation meeting notes
  • Employees' contractual terms, length of service, and pay information
  • Health information disclosed during consultation
  • Trade union or employee representative correspondence

Redundancy scores are personal data likely to be sought in any subsequent Employment Tribunal claim. Keep accurate records with a clear retention schedule — typically at least 12 months after the process concludes.


TUPE Transfers and Employee Data

The TUPE regulations (the Transfer of Undertakings (Protection of Employment) Regulations) require information about transferring employees to be provided to the incoming employer before the transfer. Key points:

  • Only transfer data genuinely necessary under TUPE — not the entire HR record
  • Ensure employees are informed via a TUPE letter that includes a data protection notice
  • Ensure the transferee has appropriate data protection safeguards before sharing data
  • Special category data (health, disability) should only transfer if directly relevant

Whistleblower Complaint Data and Confidentiality

Whistleblowing investigations involve particularly sensitive data handling tensions:

  • The whistleblower expects confidentiality
  • The subject of the complaint has GDPR rights, potentially including access to information held about them
  • The investigation may need to be disclosed in litigation

Handle whistleblower data by:

  • Keeping investigation files strictly access-controlled
  • Storing whistleblower identity separately from the substance of the complaint
  • Applying the balancing test for third-party information carefully in SAR responses
  • Establishing a clear retention and destruction schedule once the investigation concludes

Your Own Business Data

Beyond client engagements, you process personal data in running your consultancy:

  • Contacts and prospects: Need a lawful basis (legitimate interests usually applies for B2B contacts)
  • Client records: Contact details of individuals at client organisations
  • Invoicing and accounts: Covered by legal obligation basis
  • Candidates: If you place candidates, they have full data subject rights against you
  • Employees/subcontractors: You have employment data obligations yourself

Ensure your own privacy notice accurately reflects all this processing.


GDPR Compliance Checklist for HR Consultants

Processor obligations:

  • [ ] DPA in place with every client before accessing employee data
  • [ ] DPA covers special categories (health, trade union)
  • [ ] Subprocessing arrangements documented
  • [ ] Data breach notification process in place

Data access and security:

  • [ ] Named user accounts for all HR systems — no shared credentials
  • [ ] Access limited to engagement scope
  • [ ] Client data on encrypted storage, not personal email
  • [ ] Process for secure deletion at end of engagement

Investigation and sensitive processing:

  • [ ] Data minimisation approach documented
  • [ ] Investigation document retention schedule agreed
  • [ ] Whistleblower data access-controlled
  • [ ] SAR exemptions understood

TUPE and transfers:

  • [ ] Minimum necessary employee data transferred
  • [ ] TUPE letter includes data protection notice
  • [ ] Transferee safeguards verified

Your own business:

  • [ ] Privacy notice covers your own processing
  • [ ] ICO registration current

Next Steps

Even with strong internal processes, your client-facing website may be collecting data in ways that undermine your compliance position. Cookie banners, contact forms, analytics trackers, and embedded third-party scripts all process personal data — and if they are not properly disclosed and consented to, they create risk.

Scan your website free at Custodia — no signup required, results in 60 seconds. It identifies every tracker, cookie, and third-party script on your site and flags what needs to be addressed under GDPR.


This post provides general information about GDPR as it applies to HR consultants in the UK and EU. It does not constitute legal advice. Consult a qualified data protection solicitor for advice specific to your situation.
