If you’re a Virtual Assistant, OBM, freelancer or contractor working online, you may be hearing this more often:
“For GDPR / Cyber Essentials / data security reasons, you’ll need to use a laptop provided by us.”
It’s usually presented as sensible.
Sometimes as non-negotiable.
Occasionally as “required”.
Before you agree, stop.
Because while this request often comes from a good place, it can create bigger legal, tax, insurance and contractual risks than many clients — and contractors — realise.
And no, this is not a legal requirement.
This is a trend — not a rule
Neither GDPR nor Cyber Essentials says that contractors must work on client-owned laptops.
What UK GDPR actually requires (Article 32, security of processing) is:
- appropriate technical and organisational security measures
- chosen on the basis of the risk to the data
- applied proportionately to that risk
That's it.
Providing a laptop is one way a client might try to manage data risk. It is not the only way, and for a supplier working across several clients it is often not the best one.
Why clients ask for this (and where it goes wrong)
Most clients asking for this are thinking about one or more of the following:
- Cyber Essentials certification
- GDPR compliance
- insurer or IT provider advice
- a recent breach or scare
- a blanket “lock everything down” policy
The problem starts when:
- employee controls are applied to independent suppliers
- “controlling the data” quietly turns into controlling the person
That’s where things begin to unravel.
Cyber Essentials: what it does and doesn’t require
Cyber Essentials is built around five technical controls:
- user access control
- security update management (patching)
- malware protection
- secure configuration
- firewalls
It does not require:
- contractors to be employees
- contractors to use employer-owned equipment
- all work to be done on company laptops
What it does do is bring any device used to access the client's data or services into the scope of the client's assessment, whether or not the client owns it. So the client does need to be able to show that the device you work on meets those five controls. Owning the device is one way to get that assurance. Evidence from the supplier is another.
A contractor using their own properly secured device can meet Cyber Essentials-level controls perfectly well.
Many do. Some hold Cyber Essentials certification for their own business, which is exactly the kind of evidence a client can rely on.
So when a client says:
“Cyber Essentials requires this”
What they usually mean is:
“This is how our IT team prefers to manage risk.”
That’s a commercial preference — not a legal obligation.
The liability problem nobody mentions
Using a client’s laptop sounds safer — until something goes wrong.
Ask yourself:
- Are you the admin on that machine?
- Can you verify updates, security software and backups?
- Can you see what else is installed?
- Can you evidence what happened if there’s a breach?
If the answer is no, you may be:
- blamed for an incident you couldn’t prevent
- caught between your insurer and theirs
- relying on systems you don’t control but are still accountable for
Many professional indemnity and cyber insurance policies are written on the assumption that you control your own working environment. Check the policy wording before you agree to anything that changes that.
That matters — a lot.
The tax and employment status angle (UK)
Providing equipment is a classic employment indicator.
One laptop on its own won’t turn you into an employee — but combine it with:
- control over systems
- monitoring
- restrictions on how you work
- lack of substitution
- integration into internal teams
…and the picture starts to look less like an independent supplier and more like employment.
That matters for:
- PAYE risk
- IR35 (rarer for VAs, but very real at higher values)
- retrospective HMRC challenges
This isn’t just your problem.
It’s the client’s too — whether they realise it or not.
“But we’re dealing with sensitive data…”
Sometimes this concern is genuine.
Higher-risk scenarios might include:
- children’s data
- special category data
- safeguarding, medical or legal work
- regulated sectors
Even then, a physical laptop is not the only option.
Often better solutions include:
- controlled cloud access (client-managed accounts with multi-factor authentication, which the client can revoke the day the contract ends)
- virtual desktops, so the client's data stays on the client's systems rather than on your disk
- role-limited, least-privilege access to only the systems and records the work actually needs
- strong contractual controls
- access logging and audit trails, so both sides can evidence what was done and by whom
A virtual desktop or cloud login still depends on the device you connect from being reasonably secured; what it removes is the copy of the data sitting on that device.
Security is about outcomes, not who owns the hardware.
Training and certification matter — more than clients think
If you:
- have GDPR training (and can evidence it),
- operate documented security practices,
- or hold Cyber Essentials certification for your business,
that is relevant evidence.
It doesn’t remove the client’s responsibilities — but it absolutely supports a risk-based decision not to impose employee-style controls.
Well-run suppliers are not “uncontrolled risks”.
A practical reality check
Ask yourself — and your client:
- Can you realistically work with 4–6 clients using 4–6 laptops?
- Who pays for lost time, setup and failures?
- What happens if their machine breaks?
- What happens when the contract ends?
- Who controls monitoring, access and data retention?
If the answers are fuzzy, the arrangement probably is too.
Should you ever say yes?
This isn’t a blanket no.
It’s a commercial and risk decision, not a compliance reflex.
It may make sense where:
- the work is genuinely high-risk,
- the fee reflects the constraints,
- liability and insurance are properly addressed,
- the contract is clearly amended.
It often makes no sense at all for:
- routine VA or admin work
- low-risk data
- multiple concurrent clients
- independent suppliers running their own businesses
A note on contracts (and why this isn’t a small tweak)
KoffeeKlatch terms already deal with many of the risks discussed above.
That’s deliberate — and it’s one reason the wording isn’t editable at the early stages.
They’re written on the assumption that:
- you’re an independent supplier,
- using systems you control,
- with security responsibilities clearly allocated,
- and without employment-style control creeping in.
If you decide to say yes to using a client-provided laptop, that assumption changes.
At that point, you’re accepting new risks — particularly where:
- the laptop itself could be the source of a breach,
- it isn’t properly secured or maintained by the client,
- or you can’t evidence what went wrong.
That’s where the special terms section matters — because liabilities have shifted.
If you do decide to say yes: a reality checklist
If you’re going to agree to this, slow it down and do it properly.
At a minimum, you will need to:
Update your professional indemnity and cyber insurance
Your insurer must know you’re using third-party hardware you don’t control. If you don’t tell them, cover may be invalid when you need it.
Update your Data Processing Agreement (DPA) for this client
You need clarity on who is responsible for device security (patching, admin rights, malware protection, backups), who handles an incident, what the client may monitor on the device, and where liability sits if their setup causes a breach.
Update your terms to deal with laptop-related liabilities
Your terms should address responsibility if the laptop is insecure, unavailable, or causes downtime — and what happens on termination.
Without this, you’re exposed to risks you cannot control.
The tension at the heart of all this
UK GDPR makes clients, as controllers, responsible for how personal data is protected, including when a supplier processes it.
UK employment status and tax rules treat control over how an independent worker works as a marker of employment, and clients who exercise it pay for it.
Confusing the two is how businesses end up with:
- tax problems
- insurance disputes
- brittle working relationships
- very unhappy contractors
The answer isn’t “more control”.
It’s better boundaries.
And if a client’s only solution to data security is “give them a laptop”, that’s usually a sign the real risks haven’t been thought through properly yet.
Which is exactly when good contracts — and good judgement — matter most.