IT consultant PI · Deep dive

GDPR and IT consultants PI — UK 2026

Reviewed by Matthew Bartlett, Director, Apex Insurance Brokers Limited (FCA FRN 724952) · Published 14 July 2026

IT consultants routinely process client personal data. Under UK GDPR and the Data Protection Act 2018, this creates distinct liability exposure — both from the ICO and from data subjects directly. Understanding what PI does and does not cover in this space is essential to structuring cover correctly.

The three-way exposure map

1. ICO enforcement

The Information Commissioner's Office can investigate and fine data controllers and processors. Fines under Article 83 GDPR reach 4% of worldwide turnover or €20m, whichever is higher. Under UK GDPR the fine ceiling is expressed in sterling but the practical maximum is comparable.

2. Data subject direct claims

Article 82 UK GDPR gives data subjects a direct right of compensation for both material and non-material damage. Since Lloyd v Google [2021] and subsequent Court of Appeal decisions, purely-non-material damages claims must show more than mere distress.

3. Client-brought claims

Where a consultant's data-handling error causes the client (as data controller) to face ICO or subject claims, the client can pursue the consultant on breach-of-contract or negligence grounds. This is the standard PI trigger.

Data controller vs data processor status

Consultant as data processor

Where the consultant handles client data purely on the client's instructions, the consultant is a data processor under Article 4(8) GDPR. Data processors have specific obligations under Article 28 GDPR (data processing agreements, sub-processor rules, security measures).

Consultant as data controller

Where the consultant determines the purpose and means of data processing for own purposes (analytics, benchmarking, product development), the consultant becomes a data controller. Full GDPR obligations apply including breach notification and DPO requirements.

Joint controllers — the messy middle

Where the consultant and client jointly determine purposes and means, both are joint controllers. Article 26 GDPR imposes specific transparency and accountability requirements.

What PI covers vs what it doesn't

PI typically covers

Third-party claims from data subjects and clients arising from the consultant's negligent handling of data. Defence costs. Notification and remediation costs where the wording specifies.

PI typically does NOT cover

The consultant's own ICO fines (uninsurable under section 148 Financial Services Act and the general uninsurability of regulatory penalties). First-party costs of forensic investigation, notification, and breach response (cyber territory).

The cyber-PI overlap

Cyber insurance covers the first-party costs PI doesn't: forensic investigation, ICO regulatory-defence costs (where legally permissible), notification, credit-monitoring services, business interruption from the breach.

Consultants handling material personal data typically need both PI and cyber cover; they respond to different aspects of the same event.

Common failure modes

  1. Undocumented data-processor status — if the consultant is processing personal data on client instructions and there's no DPA in place, the consultant may inherit controller-level obligations.
  2. Sub-processor chain gaps — consultant uses third-party services (AWS, SaaS tools) without proper sub-processor arrangements.
  3. Retention beyond client instruction — keeping client data for own analytical purposes without lawful basis.
  4. Notification failure — 72-hour breach notification obligations under Article 33 GDPR.

Frequently asked

Does PI cover ICO fines?
No. Regulatory fines are uninsurable in the UK. PI covers third-party claims from data subjects and clients but not the consultant's own regulatory fines.
Do I need cyber insurance as well as PI?
Typically yes. PI covers third-party liability claims. Cyber covers first-party breach-response costs (forensic, notification, remediation, business interruption). Different products, different triggers.
Am I a data processor or controller?
Depends on whose instructions determine the purpose of processing. If purely on client instructions: processor. If determining own purposes: controller. Some scenarios create joint controller status.
What about DPO (Data Protection Officer) obligations?
Under Article 37 UK GDPR, DPO is required for public authorities and firms with large-scale monitoring or sensitive data. Most small IT consultancies don't require DPO but should document the assessment.
What limit should IT consultants carry for GDPR exposure?
Depends on data-volume and sensitivity handled. Modest data handling: £1m PI + £1m cyber. Large-volume personal data: £2m+ PI + £5m+ cyber.

Related reading