The short answer
If you process personal data on behalf of a client, you are a data processor under GDPR, a data fiduciary or data processor under India's Digital Personal Data Protection Act (DPDP), and a service provider under California's CCPA / CPRA. All three regimes apply based on whose data you touch, not where you live. A freelance designer in Lisbon working with a Series A startup in San Francisco that has European customers is in scope of all three at once.
The good news is that the operational footprint a solo freelancer needs is small. You need a public privacy notice, a written processor agreement with each client who sends you personal data, a basic security baseline, an incident response plan, and a way to handle deletion requests. None of this requires hiring counsel. The bad news is that ignoring it stopped being viable in 2025, when enforcement against small vendors picked up.
The Italian Garante fined a 14 person company €420,000 in March 2025 for processor obligations it never documented. India's Data Protection Board ramped up advisory letters to small vendors after the DPDP rules took effect in January 2025. California's CPPA launched a small business sweep in late 2024 that sent CCPA notices to over 600 companies under $5 million in revenue, including individual consultants.
What counts as personal data you actually touch
Most freelancers think they do not handle personal data. Then they list the things they handle and the picture changes fast.
| You probably do this | And it is personal data because |
|---|---|
| Send a client a project file with their staff names in it | Staff names attached to a workplace are personal data under all three regimes |
| Use a client login to their CMS or analytics | Their user data passes through your hands during sessions |
| Run Calendly or Cal.com bookings with client prospects | Email + name = personal data |
| Hold an export of subscriber emails for a one off newsletter | Bulk personal data with an obvious controller relationship |
| Test code against a copy of production data | Almost certainly personal data, often the highest risk category |
| Manage ad accounts for a client | Audience lists, conversion identifiers, customer match data are all personal data |
If two or more of those apply to you, you are in scope. The next step is building the small set of artifacts that prove you handle it responsibly.
The five artifacts a solo freelancer needs
A real solo compliance footprint is five documents and a security baseline. Build them once, reuse them per client.
1. A public privacy notice
Lives on your own marketing site. Covers: what data you collect from prospects and clients, why, where it is stored, how long you keep it, who it gets shared with, the legal basis under GDPR Article 6, and how someone can exercise their rights. One page is enough. Termly, Iubenda, and Privacy Bee all sell template generators in the $10 to $40 per month range. Free templates from the UK ICO and the CNIL are also workable starting points.
2. A Data Processing Agreement template
This is the contract between you and the client when you handle their personal data on their behalf. Article 28 GDPR requires it, India's DPDP Section 8 requires equivalent contract terms, and CCPA Section 1798.140(ag) requires a service provider contract. The SCC (Standard Contractual Clauses) module 4 from June 2021 covers the EU side. Stripe, Atlassian, and OpenAI publish their DPAs publicly. Adapt one of those into your own template and sign it before any personal data moves.
3. A processor record
A simple spreadsheet with rows: client name, what personal data, categories of subjects, data location, purpose, retention period, sub processors used. GDPR Article 30 requires this once you process EU personal data regularly. DPDP requires equivalent records for significant data fiduciaries, and most freelancers will not hit that threshold, but the record is still useful for your own audit. Keep it current. Update it at every kickoff.
4. An incident response runbook
One page. Lists the steps you take if you discover a data incident: contain it, document the scope, notify the client within 72 hours per GDPR Article 33 (the timer that matters most), preserve logs, then run the rest. The DPDP requires notification "without delay" without a fixed timer, but 72 hours is the operational standard. CCPA does not impose a deadline on processors but the client almost certainly has a contractual deadline that lands on you.
5. A data subject request workflow
When the client's user files a deletion or access request, the client will route it to you because their data is on your tools. Your runbook covers: receive the request from the client, search your systems for matching data, document what you found, delete or export, confirm to the client within their contractual SLA, log the request. This is operational, not legal. The legal duty is the client's, but the practical work is yours.
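The workflow above is mechanical enough to script. The following is an added example (not code from the original article or from any of the vendors it names) of the search, act, and log steps for a freelancer who keeps client deliverables as plain text, CSV, Markdown or JSON files under one folder. It assumes a request arrives with one or more identifiers (an email address, a full name), finds every file containing them, deletes matching files (or only the matching rows of a CSV export), or copies them out for an access request, and appends a JSON-lines entry to a request log. The log records SHA-256 hashes of the identifiers and of each touched file rather than the raw values, so the log itself does not become a new store of personal data. All sample files are constructed for the dry run; the `TEXT_SUFFIXES` set and the log format are assumptions, not anything a regime prescribes.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Assumption: only these file types are searched; binaries (images, PDFs) are skipped.
TEXT_SUFFIXES = {".txt", ".csv", ".json", ".md", ".html"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_matches(root, identifiers):
    """Map each text-like file under root to the identifiers it contains.

    Case-insensitive substring search, so an email or a full name both work.
    Returned keys are POSIX-style paths relative to root.
    """
    root = Path(root)
    needles = [(ident, ident.lower()) for ident in identifiers]
    hits = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="ignore").lower()
        found = [ident for ident, needle in needles if needle in text]
        if found:
            hits[path.relative_to(root).as_posix()] = found
    return hits


def _delete_or_redact(path, needles):
    """CSV exports: drop only the rows naming the subject (header kept).
    Any other file: remove it entirely. Returns the outcome for the log."""
    if path.suffix.lower() == ".csv":
        lines = path.read_text(encoding="utf-8", errors="ignore").splitlines(keepends=True)
        kept = [ln for i, ln in enumerate(lines)
                if i == 0 or not any(n in ln.lower() for n in needles)]
        path.write_text("".join(kept), encoding="utf-8")
        return "redacted_rows"
    path.unlink()
    return "deleted_file"


def handle_request(root, log_path, client, request_id, identifiers, action, export_dir=None):
    """Run one data subject request end to end and append a log entry.

    action == "delete": delete/redact every match (file hash recorded first).
    action == "access": copy every match into export_dir for the client.
    """
    if action not in ("delete", "access"):
        raise ValueError("action must be 'delete' or 'access'")
    if action == "access" and export_dir is None:
        raise ValueError("export_dir is required for an access request")
    root = Path(root)
    needles = [i.lower() for i in identifiers]
    files = []
    for rel, found in find_matches(root, identifiers).items():
        path = root / rel
        digest = sha256_hex(path.read_bytes())  # evidence of what was touched
        if action == "delete":
            outcome = _delete_or_redact(path, needles)
        else:
            dest = Path(export_dir) / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, dest)
            outcome = "exported"
        files.append({"file": rel, "sha256": digest, "matched": len(found), "outcome": outcome})
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "client": client,
        "request_id": request_id,
        # Hashes only: the log must not accumulate the very data being erased.
        "subject_identifier_hashes": [sha256_hex(n.encode()) for n in needles],
        "action": action,
        "files": files,
        "status": "completed",
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def build_sample_workspace(base):
    """Constructed sample client files (not real people) for a dry run."""
    base = Path(base)
    (base / "acme" / "newsletter").mkdir(parents=True)
    (base / "other-client").mkdir(parents=True)
    (base / "acme" / "newsletter" / "subscribers.csv").write_text(
        "email,name\nmaria@example.org,Maria Souza\nlee@example.net,Lee Park\n", encoding="utf-8")
    (base / "acme" / "notes.md").write_text("Call with Maria Souza about the Q3 launch.\n", encoding="utf-8")
    (base / "acme" / "logo.png").write_bytes(b"\x89PNG not a real image; skipped as binary")
    (base / "other-client" / "brief.txt").write_text("Homepage redesign brief, no subject data.\n", encoding="utf-8")


def demo():
    """Dry run in a temp directory: a deletion request for one constructed subject."""
    work = Path(tempfile.mkdtemp())
    files, log_path = work / "files", work / "dsr-log.jsonl"
    build_sample_workspace(files)
    ids = ["maria@example.org", "Maria Souza"]
    before = find_matches(files, ids)
    entry = handle_request(files, log_path, "Acme", "DSR-0001", ids, "delete")
    return {
        "before": before,
        "entry": entry,
        "after": find_matches(files, ids),
        "remaining": sorted(p.relative_to(files).as_posix() for p in files.rglob("*") if p.is_file()),
        "csv_after": (files / "acme" / "newsletter" / "subscribers.csv").read_text(encoding="utf-8"),
        "log_lines": len(log_path.read_text(encoding="utf-8").splitlines()),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it once against a copy of a real client folder before relying on it: substring matching is deliberately greedy (a short name will match inside longer words), so review the `before` map, which is the "document what you found" step, before choosing `delete`.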
The security baseline that satisfies all three regimes
There is no certified standard required for a solo freelancer at the size most operate at. There is a baseline that all three regimes treat as reasonable, and that is what you should run.
Use a password manager with a strong master password and 2FA. 1Password and Bitwarden are the obvious picks. Free or under $5 per month for a single user.
Encrypt every device. macOS FileVault and Windows BitLocker are both on by default in recent versions, but verify it. Linux distributions use LUKS. A lost laptop without encryption is the single fastest way to a notifiable incident.
Use 2FA everywhere. Especially email, cloud storage, payment processors, and any client system you access. Hardware keys (YubiKey, Google Titan) for the highest tier accounts (email + bank).
Back up encrypted to a second location. Backblaze, Arq, or a Tresorit Cloud Encrypted folder all work. Test the restore at least quarterly.
Keep a software inventory. List every tool that touches client data. When a tool announces an incident, you immediately know whether you are affected and can notify the client. Pixie Brix, Cyberhaven, and others sell more elaborate SaaS inventories but a spreadsheet is the floor.
Patch quickly. Operating system, browser, and especially the tools that handle client data. macOS, Windows, Chrome, Firefox, Adobe, and Notion all push regular security updates that should be applied within a week.
What changes about your day-to-day
In practice, GDPR + DPDP + CCPA compliance for a solo freelancer is twenty hours of one-time setup and roughly one hour per month of upkeep. The day-to-day changes are small.
Before each new client engagement, send your DPA along with the SOW. Update your processor record at kickoff. At the end of the engagement, follow your written deletion policy and document what you deleted.
When a client emails about a user deletion request, your runbook tells you exactly what to do without thinking. You have already done the thinking once.
If a tool you use announces a breach, you check your software inventory, send a quick note to any affected clients, and update your incident log. No drama, no scrambling.
What enforcement actually looks like for a solo freelancer
Direct fines on a one person business are still rare. The realistic enforcement path runs through your clients. They get a data subject access request, a regulatory letter, or an audit, and they need to prove their processor (you) handled their data correctly. If you cannot show them a DPA, a processor record, and a deletion log, you lose the client. Worse, you may be named in the client's incident report.
The 2025 European Data Protection Board annual report tracked 412 enforcement decisions against processors specifically, up from 217 in 2023. Most were small or medium businesses, not enterprises. The pattern is enforcement broadening, and freelancers are inside the perimeter now even if they were not in 2020.
FAQ
Do I need to register as a data controller in any of these jurisdictions? Usually no for a solo freelancer acting as a processor. Some EU member states require notification for certain processing types, but most do not. India's DPDP only requires registration as a "significant data fiduciary" above defined thresholds you almost certainly will not hit.
What if I only work with US clients with US customers? You still need to meet CCPA if any of your client's customers are California residents, which is almost always the case for any consumer brand. The DPA-equivalent service provider contract is mandatory. Other state laws (Virginia, Colorado, Connecticut, Texas, Florida, Oregon) added similar requirements through 2024 and 2025.
Does using an AI tool like ChatGPT or Claude with client data trigger extra obligations? Yes. Anthropic, OpenAI, and Google all publish their own DPA-equivalent terms. Sign their enterprise or API terms (not the consumer terms) before pasting client personal data into the tool. Document the tool in your software inventory. Tell the client which AI providers are in your sub processor chain.
How much does this actually cost in tooling? Realistically $100 to $300 per month total. Privacy notice generator $10 to $40, password manager $3 to $8, backup $5 to $15, status monitoring $20 to $50, optional incident response tabletop subscription $50 to $150.
Should I get cyber liability insurance? Yes, especially as your average client size grows. Solo policies start around $30 to $80 per month at Hiscox or Coalition. The insurance also includes incident response counsel, which alone can cost $500 to $1,500 per hour if you need it during an actual breach.
Written by Delivvo Editorial · June 5, 2026