UK GDPR

Technical controls and ongoing support for UK GDPR compliance

A quick summary

UK GDPR sets rules for how personal data is stored, accessed, and protected. While it is a legal framework, it relies heavily on IT systems being set up and managed correctly.

Cubit provides UK GDPR IT support focused on the technical controls that underpin compliance. We do not provide legal advice or act as regulators.

The outcome is clearer control over personal data, reduced risk, and IT systems that support UK GDPR in day-to-day operations.

What does UK GDPR compliance involve?

Compliance rests on a set of technical controls:

  • User Access Control
  • Device & Endpoint Security
  • Backups & Recovery Processes
  • Logging, Monitoring & Incident Response
  • Supplier & Third-Party Access
  • Documented Procedures & Evidence

If these controls are weak, compliance becomes difficult to evidence.

Where organisations usually struggle

Common issues include:

  • Too many users with full access
  • No visibility of where personal data lives
  • Weak controls on laptops and mobiles
  • Poor offboarding of leavers
  • Limited evidence of technical safeguards

Agency-specific challenges often include:

  • Client data across multiple platforms
  • Temporary access for freelancers
  • Shared tools used across teams

How Cubit supports UK GDPR

Our focus is on the IT controls UK GDPR expects. We typically help with:

  • Reviewing access and permissions
  • Securing devices and endpoints
  • Implementing backups and recovery
  • Improving logging and monitoring
  • Supporting data protection processes

What we don’t do

  • We do not provide legal interpretation
  • We do not replace legal or compliance advisors

What do you get?

Clients usually gain:

  • Better visibility of data access
  • Clear ownership of systems
  • Reduced risk of accidental exposure
  • IT processes that support accountability

This makes UK GDPR easier to manage and explain to clients.

Next steps?

Speak to an IT expert
Let’s discuss how your IT setup supports UK GDPR today.

Take the Mini IT Security Audit
Get a quick, top-level view of how your current setup compares.

Frequently Asked Questions

Why is it a UK GDPR risk if everyone in our agency has admin access?

UK GDPR requires organisations to limit access to personal data based on what each person actually needs to do their job. This is known as the principle of least privilege, and it sits at the heart of Article 32’s requirement for “appropriate technical measures.” If everyone in your agency has full admin access, there is no control over who can view, edit, export or delete personal data. That means any single compromised account, whether through phishing, a weak password or a disgruntled employee, could expose your entire client database.

In creative agencies this problem tends to be worse than average. Teams are small, people wear multiple hats, and it feels easier to just give everyone the same level of access. But from a compliance perspective, that approach makes it nearly impossible to demonstrate accountability. You cannot show an auditor or a client who accessed what data and when if everyone has the same permissions. The fix is role-based access control, where permissions are grouped by function (account management, creative, finance, IT admin) and reviewed at least quarterly.

How should we manage temporary access for freelancers and contractors under UK GDPR?

Freelancers should receive time-limited accounts with access only to the specific projects, folders and tools they need. When the engagement ends, those accounts should be disabled immediately rather than left active. Under UK GDPR, your agency is responsible for any personal data a freelancer can access through your systems, so treating contractor access as an afterthought creates real compliance exposure.

Start by issuing each freelancer a managed account through your company’s identity provider rather than sharing team logins. Set an automatic expiry date on the account that matches the project timeline. Restrict file access to the relevant project workspace only. Require a signed data processing agreement before granting any access at all. When the project wraps up, disable the account, revoke any API tokens, and remove the freelancer from shared channels and drives. Agencies that rely on a revolving door of freelancers often find old accounts still active months later. A quarterly access review catches these gaps before they become a problem.

How should we handle IT offboarding when staff or freelancers leave our agency?

The moment someone leaves your agency, their access to all systems should be revoked. That means disabling their email account, removing them from single sign-on, revoking VPN access, deactivating accounts in project management and file-sharing tools, and collecting or wiping any company-owned devices. Under UK GDPR, a former employee or freelancer who still has access to personal data represents an uncontrolled risk.

A structured offboarding checklist makes this manageable. Within the first hour, disable the leaver’s primary account and SSO access. Within 24 hours, revoke access across all SaaS platforms, shared drives and communication tools. If they used a personal device for work, trigger a remote wipe of company data through your mobile device management tool. Revoke any API keys or tokens they created. Transfer ownership of any shared files or mailboxes. Finally, log the offboarding steps taken and the date they were completed. This documentation is part of the evidence trail UK GDPR expects. Poor offboarding is one of the most common gaps we see in agency environments, often because no single person owns the process.
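As an added example (not Cubit's tooling), the following Python runs the quarterly access review described in the three answers above over a constructed identity-provider export, flagging admin rights held outside the IT function, freelancer accounts past their expiry date that are still enabled, and enabled accounts with no sign-in for a quarter (a likely leaver who was never offboarded). The field names, the 90-day threshold and the sample accounts are assumptions.

```python
from datetime import date

# Constructed sample of an identity-provider export; the field names are assumptions.
ACCOUNTS = [
    {"user": "ana", "function": "it",        "role": "admin", "enabled": True,  "expires": None,         "last_login": "2025-03-30"},
    {"user": "ben", "function": "creative",  "role": "admin", "enabled": True,  "expires": None,         "last_login": "2025-03-29"},
    {"user": "cat", "function": "finance",   "role": "user",  "enabled": True,  "expires": None,         "last_login": "2025-03-28"},
    {"user": "dev", "function": "freelance", "role": "user",  "enabled": True,  "expires": "2024-11-30", "last_login": "2025-02-01"},
    {"user": "eli", "function": "freelance", "role": "user",  "enabled": False, "expires": "2024-12-15", "last_login": "2024-12-14"},
    {"user": "fay", "function": "creative",  "role": "user",  "enabled": True,  "expires": None,         "last_login": "2024-10-01"},
]

ADMIN_FUNCTIONS = {"it"}   # only the IT admin function is expected to hold admin rights
STALE_DAYS = 90            # a quarter without a sign-in suggests a leaver who was never offboarded


def review_access(accounts, today_iso):
    """Return (user, finding) pairs for every enabled account that breaches a control."""
    today = date.fromisoformat(today_iso)
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts carry no live access risk
        if acct["role"] == "admin" and acct["function"] not in ADMIN_FUNCTIONS:
            findings.append((acct["user"], "admin rights outside the IT function"))
        if acct["expires"] and date.fromisoformat(acct["expires"]) < today:
            findings.append((acct["user"], "expired freelancer account still enabled"))
        if (today - date.fromisoformat(acct["last_login"])).days > STALE_DAYS:
            findings.append((acct["user"], f"no sign-in for more than {STALE_DAYS} days"))
    return findings


def evidence_lines(accounts, today_iso):
    """Format the review as dated lines for the evidence trail UK GDPR expects."""
    findings = review_access(accounts, today_iso)
    header = f"Access review {today_iso}: {len(accounts)} accounts checked, {len(findings)} findings"
    return [header] + [f"  {user}: {finding}" for user, finding in findings]


if __name__ == "__main__":
    print("\n".join(evidence_lines(ACCOUNTS, "2025-03-31")))
```

Run against a real export, the dated header and finding lines give the reviewer a record of what was checked and when, which is the documentation the offboarding and access-review steps above ask for.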

Does UK GDPR require encryption on all our agency laptops and Mac devices?

UK GDPR does not name specific technologies, but Article 32 explicitly lists encryption as an example of an appropriate technical measure for protecting personal data. In practice, if an unencrypted laptop is lost or stolen, the ICO is likely to treat it as a reportable data breach because the data on that device is accessible to anyone who picks it up. If the same laptop had full-disk encryption enabled, the data would be unreadable without the encryption key, and in most cases it would not need to be reported as a breach at all.

For Mac devices, this means enabling FileVault. For Windows machines, it means enabling BitLocker. Both can be deployed remotely through a mobile device management platform in under 30 minutes per device. There is no reasonable argument against it. The cost is effectively zero, the performance impact is negligible, and the difference it makes in a loss or theft scenario is the difference between a contained incident and a reportable breach. Every agency laptop that holds or accesses client data should have full-disk encryption turned on as a baseline requirement.

How do we keep client data UK GDPR-compliant when staff work remotely?

Remote and hybrid working does not change your UK GDPR obligations, but it does make the technical controls harder to enforce. When staff access client data from home networks, coffee shops or co-working spaces, you lose the perimeter security that an office environment provides. The answer is not to ban remote work, but to layer controls that protect data regardless of where the connection originates.

The foundations are straightforward. Require a VPN or zero-trust network access solution so that all traffic is encrypted in transit. Enforce multi-factor authentication on every account that touches personal data. Deploy mobile device management across all devices, including personal ones used for work email or file access. Use conditional access policies that block sign-ins from unmanaged devices or unusual locations. Make sure full-disk encryption is active on every laptop. Set session timeouts on cloud applications so that unattended devices do not remain logged in indefinitely. These controls work together to create a security posture that holds up whether someone is sitting in your Soho office or working from their kitchen table.

What happens if an employee's laptop is stolen and it contains personal data?

If the laptop was not encrypted, you are almost certainly looking at a reportable data breach. Under UK GDPR Article 33, you must notify the ICO within 72 hours of becoming aware of a breach that poses a risk to individuals. If the breach is high-risk, Article 34 requires you to notify the affected individuals directly as well. That could mean telling your clients that their customers’ data has been exposed because of an unprotected device.

If the laptop was encrypted with full-disk encryption (FileVault on Mac, BitLocker on Windows), the situation is very different. The data on the device is effectively inaccessible without the encryption key, which means the risk to individuals is minimal and the incident is unlikely to be reportable. This is exactly why encryption is such a high-priority control. The difference between an encrypted and an unencrypted stolen laptop is the difference between logging an internal incident and making a public breach notification that damages client trust. Remote wipe capability through your device management platform adds a further layer, allowing you to erase the device as soon as the loss is reported.