IT consultants and managed service providers (MSPs) occupy a unique and legally significant position under GDPR. When you access client systems that contain personal data — employee records, customer databases, CRM data, financial information — you are acting as a data processor. That single classification changes everything about your legal obligations.
This guide covers what GDPR means in practice for IT consultants and MSPs: the mandatory agreements you need, the security measures Article 32 demands, how to handle incident response as a processor, and how to manage your own supply chain of sub-processors. It also covers the often-overlooked marketing and disposal obligations that catch IT businesses out.
You Are a Data Processor — and That Has Real Legal Consequences
Under GDPR, a data controller is the organisation that determines the purposes and means of processing personal data. A data processor is any party that processes personal data on behalf of a controller.
When you remotely access a client's server to perform maintenance, when you restore a client's backup containing employee payroll data, or when you manage a client's Microsoft 365 environment that holds thousands of customer email addresses — you are processing personal data on that client's behalf. You are their data processor.
This is not a technicality. As a processor, you have direct legal obligations under GDPR Articles 28, 29, and 32. You can be fined directly by data protection authorities. The client cannot fully indemnify you from regulatory liability — only from their own civil claims.
Mandatory Data Processing Agreements with Every Client
Article 28 GDPR requires a written contract — a Data Processing Agreement (DPA) — between every controller (your client) and processor (you) before any processing begins. Without a DPA, both you and your client are in breach of GDPR.
Your DPA must specify:
- The subject matter, duration, nature, and purpose of the processing
- The type of personal data being processed and the categories of data subjects
- The obligations and rights of the controller
- Your obligations as processor, including confidentiality, security measures, and instructions compliance
- Conditions for engaging sub-processors
- Assistance obligations for data subject rights requests and breach notification
Many IT consultants assume a standard services contract is enough. It is not. The DPA is a separate, additional requirement. If you do not have signed DPAs with every client whose systems you access, address this immediately. Template DPAs are available from ICO (UK) and the European Data Protection Board (EU), but they require customisation to reflect your actual service.
Custodia can help you identify what personal data flows exist on client-facing systems and generate privacy documentation that reflects real-world processing activities.
Article 32 Security Requirements for IT Service Providers
Article 32 GDPR requires processors to implement "appropriate technical and organisational measures" to ensure a level of security appropriate to the risk. For IT consultants, this is not abstract — you are frequently the person responsible for implementing these measures on client systems, and you must apply the same standard to how you access and handle that data yourself.
Article 32 specifically references:
- Pseudonymisation and encryption of personal data
- The ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems
- The ability to restore availability and access to personal data in a timely manner following an incident
- A process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures
In practice, this means:
- Encrypting data in transit and at rest when you handle client personal data
- Maintaining secure, auditable access to client systems
- Ensuring your own internal systems that store client data are properly secured
- Having documented security policies and conducting regular reviews
The risk-based approach means the measures you take should be proportionate to the sensitivity of the data. A client whose systems hold special category health data requires more rigorous controls than a client whose systems hold only business contact information.
Remote Access to Client Systems and Audit Logging
Remote access tools — RMM platforms, VPNs, RDP, SSH, remote desktop software — are the daily tools of IT consultants. Under GDPR, every remote access session involving personal data should be logged and auditable.
This means maintaining records of:
- Who accessed which system and when
- What actions were performed during each session
- What data was accessed or transferred
This creates a tension: audit logs themselves contain personal data (staff names, IP addresses, timestamps of their system activity). You need to retain logs long enough to demonstrate compliance and respond to security incidents, but GDPR's data minimisation principle means you should not retain them indefinitely.
A reasonable retention period for access logs is typically 6 to 12 months, balanced against your contractual and regulatory obligations. Document your rationale and apply it consistently.
Your DPA with each client should address logging requirements and access audit obligations specifically, so both parties understand the baseline.
Backup Systems and Encrypted Storage of Client Data
Backups are a core IT service — and they create significant data processor obligations. Client backups frequently contain personal data: employee records, payroll files, customer databases, email archives.
GDPR requires that:
- Backup media (tapes, drives, cloud storage) containing personal data must be encrypted
- Access to backup systems must be restricted to authorised personnel
- You must be able to delete specific personal data from backups upon instruction from the controller (this is technically complex and should be addressed in your DPA)
- Backup retention schedules must be agreed with clients and not exceeded
Many IT businesses hold client backups for years without reviewing whether the data retention period is still appropriate. This is a GDPR risk both for you and your clients. Build retention reviews into your service schedules.
Incident Response and Data Breach Notification as a Processor
Under Article 33 GDPR, a controller must notify their supervisory authority of a personal data breach within 72 hours of becoming aware of it. As a processor, you must notify the controller without undue delay after becoming aware of a breach — meaning your notification must happen fast enough to give the controller a realistic chance of meeting their 72-hour deadline.
This creates a practical requirement: you need an incident response plan that includes a rapid notification chain to affected clients. Key elements:
- A defined process for identifying and escalating suspected security incidents
- Designated contacts at each client for breach notification
- A template notification that captures what GDPR requires controllers to know: nature of the breach, categories and approximate number of data subjects affected, likely consequences, measures taken or proposed
- Internal incident logs documenting your awareness timeline and notification actions
IT consultants who discover a breach on a client system — a ransomware attack, a misconfigured server exposing data, a stolen laptop — must treat notification to the client as an immediate priority, not something to raise only once the investigation is complete.
Document every incident, even those that do not ultimately constitute reportable breaches. This audit trail demonstrates your compliance with processor obligations.
Supply Chain Risk: Your Sub-Processors Need DPAs Too
If you use third-party tools or services that process client personal data on your behalf, those vendors are your sub-processors. Article 28 requires that you obtain prior written authorisation from each controller before engaging sub-processors — and you must have a DPA with each sub-processor that imposes the same data protection obligations you carry.
Common sub-processors for IT consultants include:
- Cloud hosting providers (AWS, Azure, Google Cloud) — if you host client workloads
- RMM and PSA platforms (ConnectWise, Kaseya, NinjaRMM) — these access client endpoints and often store telemetry
- Monitoring and alerting tools — if they process client system data in the cloud
- Ticketing and help desk systems — if they contain client staff or customer data
- Backup and DR services — if they store client data in their infrastructure
Most major vendors provide standard DPAs (sometimes called Data Processing Addenda) that you can execute online. But you need to actually execute them, maintain records of having done so, and inform your clients which sub-processors you use.
Many IT businesses are entirely unaware that they are in breach of Article 28 simply because they have never mapped their sub-processor relationships. This is an immediate compliance gap worth closing.
Data Minimisation When Doing Support Work
GDPR's data minimisation principle (Article 5(1)(c)) requires that personal data be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed."
When you are doing support work, this means:
- Avoid opening files or databases containing personal data unless directly necessary for the task
- Use anonymised or test data environments where possible for development and testing work
- Do not copy client personal data to your own systems unless required — and if you do, delete it as soon as the task is complete
- Train staff not to take screenshots or recordings that capture personal data during support sessions
This is easy to overlook when the immediate task is technical. A technician troubleshooting a database connection problem does not need to read the actual customer records in the database. Building this awareness into your team's working practices is both a GDPR requirement and a professional standard.
Employee Access Controls and the Principle of Least Privilege
Article 29 GDPR requires that persons acting under your authority — your employees and contractors — only process personal data on your instructions. The principle of least privilege underpins this: staff should only have access to the client systems and personal data necessary for their specific role.
In practice:
- Use role-based access control for your RMM, PSA, and remote access tools
- Ensure junior technicians cannot access client systems they are not assigned to
- Review and revoke access promptly when staff leave or change roles
- Log all access and review logs periodically
- Require strong authentication — ideally MFA — for all access to client systems
Shared passwords, group accounts, and "everyone has admin" setups are not just security risks — they are GDPR compliance failures. You cannot demonstrate that processing occurred under controller instructions if you cannot trace which staff member performed which action.
BYOD Policies and Personal Device Security
If your technicians access client systems from personal devices, you have a BYOD (Bring Your Own Device) exposure under GDPR. Personal devices may lack encryption, may run outdated software, may be shared with family members, and are harder to wipe remotely if lost.
At minimum, your BYOD policy should require:
- Device encryption (FileVault, BitLocker, or equivalent)
- Screen lock with a strong PIN or password
- Up-to-date OS and application patching
- Prohibition on accessing client personal data from unsecured personal devices
- Remote wipe capability enrolled before access is granted
- Separation of business applications from personal ones
Document your BYOD policy and have staff acknowledge it in writing. If a technician's personal laptop is stolen and it had client system access credentials stored on it, you have a potential personal data breach — and you will need to demonstrate the controls you had in place.
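The two preceding sections describe one access decision from the technician's side: is this a named individual, authenticated with MFA, assigned to this client, performing an action their role permits, from a device that meets the BYOD baseline, with an audit record written whichever way the decision goes. The following Python is an added example (not code from the original post or from Custodia) of that decision expressed as a single policy check. The role model, the device attributes, the technician names and the client identifiers are all constructed for the example; a real RMM or conditional-access product exposes its own equivalents.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed role model: which actions each role may perform on client systems
# it is assigned to. Least privilege means juniors get the smallest set.
ROLE_PERMISSIONS = {
    "junior": {"view_alerts", "run_diagnostics"},
    "senior": {"view_alerts", "run_diagnostics", "remote_session", "restore_backup"},
    "admin": {"view_alerts", "run_diagnostics", "remote_session", "restore_backup", "manage_access"},
}


@dataclass(frozen=True)
class Device:
    name: str
    encrypted: bool              # FileVault / BitLocker or equivalent enabled
    screen_lock: bool            # strong PIN or password on the lock screen
    patched: bool                # OS and applications up to date
    remote_wipe_enrolled: bool   # enrolled in remote wipe before access is granted
    work_profile: bool           # business apps separated from personal ones


@dataclass(frozen=True)
class Technician:
    username: str                # a named individual, never a group account
    role: str
    assigned_clients: frozenset  # clients this person is assigned to work on
    mfa_verified: bool           # MFA completed for this session


def device_posture_failures(device):
    """Return the BYOD baseline checks the device fails (empty list means compliant)."""
    checks = {
        "device_not_encrypted": device.encrypted,
        "no_screen_lock": device.screen_lock,
        "unpatched": device.patched,
        "remote_wipe_not_enrolled": device.remote_wipe_enrolled,
        "no_work_profile": device.work_profile,
    }
    return [name for name, ok in checks.items() if not ok]


def authorise(tech, device, client, action, audit_log, now=None):
    """Decide whether `tech` may perform `action` on `client` from `device`.

    Every decision, allowed or denied, is appended to `audit_log` so that the
    business can later trace which staff member did what on which client system.
    Returns (decision, reasons) where reasons is empty for an allow.
    """
    reasons = []
    if not tech.mfa_verified:
        reasons.append("mfa_required")
    if client not in tech.assigned_clients:
        reasons.append("client_not_assigned")
    if action not in ROLE_PERMISSIONS.get(tech.role, set()):
        reasons.append("action_not_permitted_for_role")
    reasons.extend(device_posture_failures(device))

    decision = "allow" if not reasons else "deny"
    audit_log.append({
        "timestamp": (now or datetime.now(timezone.utc)).isoformat(),
        "technician": tech.username,
        "client": client,
        "action": action,
        "device": device.name,
        "decision": decision,
        "reasons": tuple(reasons),
    })
    return decision, reasons


# Constructed sample data for the demonstration.
COMPLIANT = Device("laptop-alice", True, True, True, True, True)
UNENCRYPTED = Device("personal-bob", False, True, True, False, True)
ALICE = Technician("alice", "junior", frozenset({"acme"}), mfa_verified=True)
BOB = Technician("bob", "senior", frozenset({"acme", "globex"}), mfa_verified=True)


def run_demo():
    """Exercise the policy on four representative requests; returns (results, audit_log)."""
    audit = []
    results = {
        "alice_diag": authorise(ALICE, COMPLIANT, "acme", "run_diagnostics", audit),
        "alice_session": authorise(ALICE, COMPLIANT, "acme", "remote_session", audit),
        "alice_other_client": authorise(ALICE, COMPLIANT, "globex", "view_alerts", audit),
        "bob_bad_device": authorise(BOB, UNENCRYPTED, "globex", "remote_session", audit),
    }
    return results, audit


if __name__ == "__main__":
    for name, (decision, reasons) in run_demo()[0].items():
        print(f"{name}: {decision} {reasons}")
```

The point of writing the audit record before returning, rather than only on a deny, is the traceability requirement from the access-control section: an allow with no record is exactly the gap that makes it impossible to show processing happened under the controller's instructions. Keeping the denial reasons as a list rather than a single flag also gives the technician a clear remediation path (enable encryption, enrol in remote wipe) instead of an opaque "access denied".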
GDPR Training for IT Staff Who Access Client Data
Article 29 requires that persons authorised to process personal data receive appropriate training. For IT staff who access client systems regularly, this is not optional.
Training should cover at minimum:
- What GDPR is and why it applies to your work
- What constitutes personal data and special category data
- Data minimisation principles when conducting support work
- How to recognise and report a suspected data breach
- Password hygiene and secure remote access practices
- The correct procedure for receiving and handling instructions from clients about their data
Training records should be kept. Annual refreshers are appropriate for most IT businesses, with additional training when significant incidents occur or regulations change.
Retaining Logs vs. Data Minimisation: The Practical Conflict
IT businesses face a genuine tension between two GDPR obligations: the need to retain audit logs to demonstrate compliance and investigate incidents, and the data minimisation principle that says you should not keep personal data longer than necessary.
There is no single right answer. The approach should be:
- Identify what logs you retain and what personal data they contain
- Define a retention period based on your legitimate purpose (security incident investigation, contractual audit obligations, regulatory requirements)
- Document your rationale
- Apply automated deletion or archiving at the end of the retention period
- Review periodically
For most IT businesses, 6 months is a reasonable baseline for routine access logs, with longer retention (12 months or more) for security-significant events. If you have clients in regulated industries, their sector requirements may override GDPR minimums — always take the more restrictive standard.
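Both this section and the earlier one on remote-access audit logging come down to the same mechanical step: classify each log record, attach a retention window to it, and purge what has aged out while keeping the rationale visible. The Python below is an added example of that step (it is not code from the original post or from Custodia). The log line format, the event names treated as security-significant and the 180/365-day tiers are assumptions constructed for the example; the tiers mirror the six-month and twelve-month figures given above but any real policy should carry the business's own documented values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Retention tiers in days (assumed values mirroring the six-/twelve-month baseline above).
RETENTION_DAYS = {"routine": 180, "security": 365}

# Event types treated as security-significant and kept for the longer tier (assumed set).
SECURITY_EVENTS = {"auth_failure", "privilege_change", "data_export", "incident"}


@dataclass(frozen=True)
class AccessEvent:
    timestamp: datetime   # when the action happened (UTC)
    technician: str       # who: personal data about a staff member
    client: str           # which client's environment
    system: str           # which system
    event: str            # what happened
    source_ip: str        # personal data: the technician's source address


def parse_line(line):
    """Parse one constructed log line of the form
    '<ISO-8601 UTC> tech=<user> client=<id> system=<host> event=<type> ip=<addr>'."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return AccessEvent(when, kv["tech"], kv["client"], kv["system"], kv["event"], kv["ip"])


def retention_class(ev):
    """Security-significant events get the longer tier; everything else is routine."""
    return "security" if ev.event in SECURITY_EVENTS else "routine"


def expires_at(ev):
    return ev.timestamp + timedelta(days=RETENTION_DAYS[retention_class(ev)])


def apply_retention(lines, now):
    """Split parsed events into (keep, purge).

    An event is purged once its retention window has closed; the deletion job
    would run this against the log store on a schedule rather than by hand.
    """
    keep, purge = [], []
    for ev in map(parse_line, lines):
        (purge if expires_at(ev) <= now else keep).append(ev)
    return keep, purge


# Constructed sample log: four events across two clients and three technicians.
SAMPLE_LOG = [
    "2024-03-01T09:12:03Z tech=alice client=acme system=srv-01 event=session_start ip=203.0.113.7",
    "2024-03-01T09:12:40Z tech=alice client=acme system=srv-01 event=auth_failure ip=203.0.113.7",
    "2024-09-15T14:02:11Z tech=bob client=globex system=db-02 event=session_end ip=198.51.100.23",
    "2023-12-01T22:45:00Z tech=carol client=acme system=fw-01 event=incident ip=192.0.2.5",
]


def run_demo(now=datetime(2025, 1, 1, tzinfo=timezone.utc)):
    """Apply the policy to the sample log as of a fixed date and summarise the outcome."""
    keep, purge = apply_retention(SAMPLE_LOG, now)
    return {
        "as_of": now.isoformat(),
        "policy_days": dict(RETENTION_DAYS),
        "keep": [(e.event, retention_class(e)) for e in keep],
        "purge": [(e.event, retention_class(e)) for e in purge],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Against the sample, the routine session start from March 2024 has aged out of its 180-day window while the failed authentication from the same session is still inside its 365-day window, which is precisely the split the section argues for: the record that matters for an investigation survives longer than the routine one that merely proves somebody logged in. Returning the policy alongside the decision is deliberate; the documented rationale the text calls for should travel with the purge report, not live only in a policy PDF.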
Marketing to SME Clients: PECR and Email Outreach
If you send marketing emails to prospective or existing SME clients in the UK, the Privacy and Electronic Communications Regulations (PECR) apply alongside GDPR.
For B2B marketing to sole traders and partnerships (who are treated as individuals under PECR), you need opt-in consent or a clear soft opt-in relationship. For marketing to limited companies and their staff in a business capacity, the rules are somewhat less strict — but you still need a legitimate interest basis and a clear opt-out mechanism.
Key rules:
- Never purchase email lists without verifying the consent basis
- Always include an unsubscribe link in every marketing email
- Honour opt-out requests promptly (within 28 days, ideally immediately)
- Do not make cold calls to numbers registered with the TPS without consent
Running a free website scan tool — like the one at https://app.custodia-privacy.com/scan — can be an effective lead generation approach that is PECR-friendly: prospects opt in by using the tool.
Disposing of Client Hardware Securely
When decommissioning client hardware — laptops, servers, network equipment, storage devices — you are handling assets that may contain personal data. Improper disposal is a data breach.
Your obligations:
- Wipe storage devices using a certified method (NIST 800-88 guidelines, ADISA-certified tools, or physical destruction for high-sensitivity data)
- Document the disposal: what was disposed of, when, by whom, and using what method
- Obtain and retain certificates of destruction from third-party disposal services
- Ensure that any third-party disposal company is subject to a DPA with you — they become a sub-processor handling the destruction of personal data
Factory resets and basic formatting do not constitute secure erasure. Data on improperly wiped drives can be recovered with freely available tools. This is an area where IT businesses that cut corners face real liability.
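The sanitisation step that separates a defensible disposal from a formatted drive is verification: reading the media back after the wipe and confirming nothing of the original data remains, then recording the result. The Python below is an added example of that overwrite-then-verify pattern together with the disposal record the section says you must keep (it is not code from the original post or from Custodia). It operates on a temporary file as a stand-in for a storage device; the asset identifier, method string and technician name are constructed placeholders.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read and write 1 MiB at a time so large images never load into memory


def overwrite_with_zeros(path):
    """Single-pass zero overwrite of a file used here as a stand-in for a device.

    Real media should be sanitised with the drive's own sanitize / secure-erase
    command or a certified tool; this function only illustrates the pattern.
    """
    size = os.path.getsize(path)
    zeros = bytes(CHUNK)
    with open(path, "r+b") as f:
        remaining = size
        while remaining > 0:
            n = min(CHUNK, remaining)
            f.write(zeros[:n])
            remaining -= n
        f.flush()
        os.fsync(f.fileno())  # make sure the overwrite reached the medium before verifying


def verify_wiped(path, fill=0):
    """Read the whole image and confirm every byte equals `fill`.

    Returns (ok, first_bad_offset); the offset is None when the image is clean,
    otherwise it points at the first byte that still differs from the fill value.
    """
    offset = 0
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return True, None
            if chunk.count(fill) != len(chunk):  # bytes.count(int) counts that byte value
                for i, b in enumerate(chunk):
                    if b != fill:
                        return False, offset + i
            offset += len(chunk)


def disposal_record(asset_id, method, technician, verified, first_bad_offset):
    """Build the 'what, when, by whom, how' record the disposal log must hold."""
    record = {
        "asset_id": asset_id,
        "method": method,
        "technician": technician,
        "completed_at": datetime.now(timezone.utc).isoformat(),
        "verification": "pass" if verified else f"FAIL at offset {first_bad_offset}",
    }
    # Fingerprint the record so later edits to the disposal log are detectable.
    canonical = "|".join(f"{k}={record[k]}" for k in sorted(record))
    record["record_sha256"] = hashlib.sha256(canonical.encode()).hexdigest()
    return record


def run_demo(size=2 * 1024 * 1024 + 123):
    """Create a constructed image of random bytes, confirm it is not wiped,
    overwrite it, verify again and produce the disposal record."""
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(os.urandom(size))          # stands in for the client's data
        before, _ = verify_wiped(path)
        overwrite_with_zeros(path)
        after, bad = verify_wiped(path)
        record = disposal_record("ASSET-0001", "single-pass zero overwrite (demo)",
                                 "tech.example", after, bad)
        return {"before_wipe": before, "after_wipe": after, "record": record}
    finally:
        os.remove(path)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The odd image size (not a multiple of the chunk) is there on purpose: verification code that only checks whole chunks silently skips the tail of the media, and the tail is exactly where a lazy wipe stops. On solid-state media an overwrite from the host is not a sufficient method because the controller may leave remapped or over-provisioned cells untouched, which is why NIST 800-88 points to the drive's own sanitize or cryptographic-erase commands for SSDs; the verify-and-record half of the pattern still applies whichever method is used.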
Getting Started: Practical Steps for IT Consultants
GDPR compliance for IT consultants and MSPs is achievable, but it requires deliberate action across several areas:
- Audit your current client relationships — identify every client whose systems you access and confirm whether you have a DPA in place
- Map your sub-processors — identify every vendor tool that touches client personal data and confirm DPAs are executed
- Review your access controls — implement MFA and role-based access if not already in place
- Document your security measures — create a written record of your Article 32 controls
- Create an incident response procedure — including your client notification chain
- Train your staff — and keep training records
A free website scan at https://app.custodia-privacy.com/scan will show you what trackers, cookies, and data flows are running on your own website — a useful starting point for understanding your own compliance posture before advising clients. Custodia also provides AI-powered tools to generate privacy notices, data processing agreements, and compliance documentation tailored to IT service businesses.
GDPR compliance is not a one-time project. For IT consultants who access client personal data daily, it is an ongoing operational responsibility — but one that, handled well, becomes a genuine differentiator in a competitive market.