IT consultants, GDPR and the ICO: professional indemnity implications

~5 min read

Reviewed by Matthew Bartlett, Director · Last reviewed 2026-07-06

Any IT consultant whose work involves processing personal data on behalf of a client sits within the scope of the UK General Data Protection Regulation and the Data Protection Act 2018. The consultant is typically a data processor acting on the client's instructions, while the client is the data controller. The relationship carries specific statutory obligations that flow through to PI exposure — obligations that did not exist in this form before UK GDPR took effect in 2018. This entry sets out how the GDPR framework applies to IT consultants, what the ICO can do about it, and how PI insurance responds to the resulting exposure.

Data processor obligations under UK GDPR

Under Article 28 of the UK GDPR, a data controller can only use a processor that provides sufficient guarantees to implement appropriate technical and organisational measures. The processor must be engaged under a written contract that binds the processor to specific obligations: processing only on the controller's documented instructions, ensuring confidentiality of personal data, taking appropriate security measures, assisting the controller with data subject rights requests, notifying breaches, and returning or deleting personal data at the end of the engagement.

Every IT consultant handling client personal data — hosting client systems, migrating client data, providing IT support with access to client-owned data, delivering software as a service — is a data processor under this framework. The Article 28 contract obligations are direct and non-negotiable in substance. Consultancies that operate without written processor contracts, or on contracts that do not meet Article 28 requirements, expose both themselves and their clients.

The consultant's direct liability

Before UK GDPR, data protection liability sat almost exclusively with the data controller. Processors were largely shielded. UK GDPR changed this. Article 82 provides that a processor can be directly liable for damage caused by processing that breaches the Regulation or acts outside lawful controller instructions. Data subjects can sue processors directly for compensation for material or non-material damage.

This means IT consultants are exposed to two categories of claim: claims from the client (typically indemnity claims where the client has been fined or sued and looks to the processor for recovery) and claims from data subjects directly (typically damage or distress claims where the data subject alleges the processor caused the harm).

ICO enforcement

The Information Commissioner's Office can enforce against processors as well as controllers. ICO enforcement tools include information notices, assessment notices, enforcement notices, and monetary penalty notices. The maximum monetary penalty under UK GDPR is the higher of £17.5 million or 4% of worldwide annual turnover for the most serious violations, and £8.7 million or 2% for other violations. In practice, ICO fines against processors have been less common than fines against controllers, but the risk is direct.

Alongside monetary penalties, the ICO can issue enforcement notices requiring specific remedial action — often with reputational and operational costs significantly exceeding the direct financial penalty. A consultancy issued a public ICO enforcement notice for data protection failings faces a materially harder market for future client acquisition.

Breach notification obligations

Article 33 requires processors to notify the controller "without undue delay" after becoming aware of a personal data breach. The controller then has 72 hours from awareness to notify the ICO where the breach is likely to result in risk to data subjects. The processor's notification window feeds directly into the controller's window.

Consultancies handling client data need clear internal breach detection and notification processes. A consultancy that detects a breach on Monday and notifies the client on Friday has effectively consumed the client's own 72-hour notification window before the client can begin its own response. The client's downstream loss — reputation, regulatory action, customer complaints — becomes the consultancy's PI exposure.

Where PII responds and where cyber insurance responds

The PII/cyber overlap discussed in the PI vs cyber insurance entry is particularly acute in the data protection context. A data breach caused by the consultant's professional failure gives rise to both a PI claim from the client (professional negligence causing loss) and a cyber event on the client's system (data breach requiring incident response). The two policies coordinate in practice: PII responds to third-party claims for damage; cyber insurance responds to first-party incident response costs.

A specific complication is the ICO fine. ICO fines are typically not insurable as a matter of UK public policy — an insurer cannot indemnify a party for statutory penalties. Consultancies fined by the ICO for their own regulatory failings bear the fine themselves. However, indemnity claims from the client where the client has been fined (and the consultant's negligence caused the fine) may be insurable under PI, subject to the specific wording and to whether the ICO's assessment against the client was properly a consequence of the consultant's failure.

Standard Contractual Clauses and international transfers

Where the IT consultant transfers client personal data outside the UK, additional obligations under Article 44-49 apply. Standard Contractual Clauses (in the UK-specific International Data Transfer Agreement or the EU SCCs plus UK Addendum) are the most common mechanism for international transfers to non-adequate third countries. Consultancies operating cloud infrastructure with data hosted in third countries need to be able to demonstrate compliant transfer arrangements. Failure creates exposure both to ICO enforcement and to client indemnity claims.

Data protection impact assessments

Article 35 requires controllers to carry out DPIAs for processing likely to result in high risk. Consultants advising on or building high-risk processing systems should support the client's DPIA — a fact often specified in the Article 28 contract. Consultancies that fail to support a required DPIA and later face a breach in the affected system are exposed to specific negligence claims arising from that failure.

Practical points for placement

Three practical points recur at renewal.

First, insurers ask about the consultancy's data processor contract discipline — does the firm use compliant Article 28 wording as a matter of course, or ad hoc?

Second, insurers ask about breach detection and notification processes — how quickly can the firm detect a breach, and how quickly does it notify the client?

Third, insurers ask about international transfer discipline — does the firm know where client data resides, and does it have SCCs in place for non-UK residency?

Consultancies that answer these questions confidently at proposal stage receive materially better terms than those that cannot.

Worked example

Illustrative only. A four-consultant firm delivering managed IT services to healthcare clients handling patient personal data. Fee income £1.6 million. All client contracts contain compliant Article 28 processor terms. Internal breach detection through SIEM tooling with a documented 4-hour notification target to clients. All client data resides in UK data centres; the two overseas subcontractors used for out-of-hours support are engaged under SCCs. Broker action: PII policy placed with express Article 28 processor coverage, cyber insurance placed with data breach response cover extending to healthcare-specific notification obligations, both policies aligned on breach definitions and defence-cost provisions.

Related reading

See IT consultants regulatory framework, PI vs cyber insurance, software delivery project failure claims, and the IT consultants PI insurance guide 2026.

Apex Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority. Firm reference number 724952. This entry is general information, not advice on any particular policy.