GDPR and IT consultants PI — UK 2026
IT consultants routinely process client personal data. Under UK GDPR and the Data Protection Act 2018, this creates distinct liability exposure — both from the ICO and from data subjects directly. Understanding what PI does and does not cover in this space is essential to structuring cover correctly.
The three-way exposure map
1. ICO enforcement
The Information Commissioner's Office can investigate and fine data controllers and processors. Fines under Article 83 GDPR reach 4% of worldwide turnover or €20m, whichever is higher. Under UK GDPR the fine ceiling is expressed in sterling but the practical maximum is comparable.
2. Data subject direct claims
Article 82 UK GDPR gives data subjects a direct right of compensation for both material and non-material damage. Since Lloyd v Google [2021] and subsequent Court of Appeal decisions, purely-non-material damages claims must show more than mere distress.
3. Client-brought claims
Where a consultant's data-handling error causes the client (as data controller) to face ICO or subject claims, the client can pursue the consultant on breach-of-contract or negligence grounds. This is the standard PI trigger.
Data controller vs data processor status
Consultant as data processor
Where the consultant handles client data purely on the client's instructions, the consultant is a data processor under Article 4(8) GDPR. Data processors have specific obligations under Article 28 GDPR (data processing agreements, sub-processor rules, security measures).
Consultant as data controller
Where the consultant determines the purpose and means of data processing for own purposes (analytics, benchmarking, product development), the consultant becomes a data controller. Full GDPR obligations apply including breach notification and DPO requirements.
Joint controllers — the messy middle
Where the consultant and client jointly determine purposes and means, both are joint controllers. Article 26 GDPR imposes specific transparency and accountability requirements.
What PI covers vs what it doesn't
PI typically covers
Third-party claims from data subjects and clients arising from the consultant's negligent handling of data. Defence costs. Notification and remediation costs where the wording specifies.
PI typically does NOT cover
The consultant's own ICO fines (uninsurable under section 148 Financial Services Act and the general uninsurability of regulatory penalties). First-party costs of forensic investigation, notification, and breach response (cyber territory).
The cyber-PI overlap
Cyber insurance covers the first-party costs PI doesn't: forensic investigation, ICO regulatory-defence costs (where legally permissible), notification, credit-monitoring services, business interruption from the breach.
Consultants handling material personal data typically need both PI and cyber cover; they respond to different aspects of the same event.
Common failure modes
- Undocumented data-processor status — if the consultant is processing personal data on client instructions and there's no DPA in place, the consultant may inherit controller-level obligations.
- Sub-processor chain gaps — consultant uses third-party services (AWS, SaaS tools) without proper sub-processor arrangements.
- Retention beyond client instruction — keeping client data for own analytical purposes without lawful basis.
- Notification failure — 72-hour breach notification obligations under Article 33 GDPR.