Compliance & Certification · 7 min read · 8 Jun 2026

Data Protection and GDPR for UK Tradespeople — What You Need to Know in 2026

Most tradespeople assume GDPR is something big companies worry about — the kind of regulation that applies to banks and tech firms, not to a sole trader fitting kitchens or a small electrical business with three vans. That assumption is wrong. Under UK GDPR and the Data Protection Act 2018, if you hold any personal data about your customers — a name, an address, a phone number — you are a data controller with legal obligations. This guide explains what those obligations actually mean in practice for a small trade business, and what you need to do about them.

1. Why GDPR applies to you

UK GDPR — the retained version of the EU regulation that became domestic law after Brexit, sitting alongside the Data Protection Act 2018 — applies to any person or organisation that determines how and why personal data is processed. “Personal data” means any information that relates to an identifiable living individual. The moment you save a customer's name and address in your phone to book a job, you are processing personal data and UK GDPR applies.

There is no turnover threshold. There is no minimum number of customers. The regulation does not distinguish between a multinational and a sole-trader plumber. What matters is whether you hold data about identifiable people and what you do with it. The good news: the obligations are proportionate for small businesses, and in most cases compliance requires common sense rather than a legal team.

2. What personal data you likely hold

Run a mental audit of everything connected to your day-to-day work and you will find personal data in more places than you expect:

  • Customer contact details: names, postal addresses, phone numbers and email addresses in your phone, in a spreadsheet or in a job management app.
  • Photos of customers' properties: inside shots for before-and-after records, or outside shots for scope assessments. These can identify where a person lives and, potentially, what their home looks like inside.
  • WhatsApp conversations: most trade businesses run their customer communication through WhatsApp. Every message thread that contains a customer's name and contact details is a store of personal data.
  • Quotes, invoices and job notes: every document you produce that references a customer by name and address falls under the regulation.
  • CCTV footage: if you operate a camera at your yard, workshop or premises that captures images of visitors or members of the public, that footage is personal data. The ICO has specific guidance on CCTV use by small businesses.

3. ICO registration — do you need to pay the data protection fee?

The Information Commissioner's Office (ICO) is the UK's data protection regulator. Most organisations that process personal data must pay an annual data protection fee to the ICO: currently £40 per year for micro-organisations and sole traders, or £60 for small-to-medium organisations. Failure to pay when required is a civil penalty offence.

However, there are exemptions. Sole traders who process personal data only for purely personal or household purposes do not need to pay. In practice, if you are using personal data for business purposes — sending quotes, raising invoices, marketing to past customers — you are unlikely to be exempt. The cleanest approach: use the ICO's free self-assessment tool at ico.org.uk. It takes five minutes, asks you a handful of questions about how you use data, and tells you whether you need to register. If you do need to register, pay the fee — the penalty for not registering can be up to £4,000.

4. The six lawful bases — which ones apply to tradespeople

Under UK GDPR, every time you process personal data you must have a lawful basis for doing so. There are six in total; for most trade businesses, two will cover almost everything you do:

  • Contract: you need the customer's details to fulfil the contract — to do the job, raise the invoice, coordinate access to their property. This is the most straightforward lawful basis and covers the vast majority of data processing in a trade business. You don't need to ask for consent; you just need to do the job.
  • Legitimate interest: follow-up marketing to past customers — an annual boiler service reminder, a message offering a quote on a new job — can rely on this basis. But you must be able to demonstrate that you have considered the customer's interests and that your marketing is reasonable and proportionate. In practice for a small trade business, this means being able to explain why you're contacting them, giving them an easy way to opt out, and not bombarding them. A brief Legitimate Interests Assessment (LIA) — even a short written note to yourself setting out your reasoning — is good practice.
  • Consent: you rarely need this if you're relying on contract or legitimate interest. Consent is the most fragile lawful basis — it can be withdrawn at any time — and it is often over-relied upon by businesses that don't realise they have a better basis available to them.

5. What you must tell customers — the privacy notice

UK GDPR requires you to be transparent with customers about what data you hold and what you do with it. For a small trade business, this does not mean a 20-page legal document. A brief privacy notice covering the following points is sufficient:

  • Who you are and how customers can contact you
  • What personal data you hold about them and why
  • How long you keep their data
  • Who else you share it with (for example, your accountant)
  • Their rights: to see their data, to have it corrected, to request deletion

This can be a paragraph on your website, a short section in your standard quote terms, or a notice on your quote template. It does not need to be long. The key is that it exists and that customers can find it. If you have a website, add a short privacy page. If you send quotes by email, include a link to it or a brief notice in the footer.

6. How long to keep records

UK GDPR requires you not to keep personal data for longer than necessary. In practice, several legal obligations determine the minimum retention period for business records:

Record type                      | Minimum retention
---------------------------------|--------------------------------------------------------------------
Self Assessment tax records      | 5 years after the 31 Jan filing deadline for the relevant tax year
VAT records                      | 6 years
Employment records               | 6 years after employment ends
Insurance documents              | Duration of policy + 6 years
Customer job records             | 6 years recommended (contract limitation period)

There is no strict legal minimum for customer job records, but six years is best practice because that is the limitation period for contract claims under the Limitation Act 1980 — meaning a customer could theoretically bring a claim about work done up to six years ago. After that period, you are generally safe to delete the records unless you have a specific reason to keep them.

7. Sharing data with third parties

When you share customer data with another person or organisation, you need to be aware of your obligations:

  • Accountants, bookkeepers and payroll providers: you will share customer and employee data with these professionals. You should have a data processing agreement in place — most reputable accountants include one in their engagement letter. If yours does not, ask for one. It does not need to be complex, but it should confirm that they will only use the data you share with them for the purpose of providing their service.
  • Subcontractors: if a subcontractor needs to contact a customer directly — to confirm arrival times or discuss the scope of work — share only what is necessary and only for as long as is needed. Do not send a subcontractor your entire customer database.
  • Cloud platforms — WhatsApp, Dropbox, Google Drive: using these for business data means you are sharing data with the platform provider. For most small trade businesses, this is pragmatic and proportionate — the key is to be aware of it, to use reputable platforms, and not to store sensitive personal data (financial information, anything relating to vulnerable customers) on insecure or personal devices without password protection.

8. Data breaches — what counts and what to do

A data breach is any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. The threshold is lower than most people assume. Examples that would count as a breach in a small trade business:

  • Leaving a printed quote containing a customer's name and address in a public place
  • Sending an email containing customer details to the wrong recipient
  • A laptop or phone with customer records being stolen or lost
  • A ransomware attack on your computer that locks your files
  • Accidentally sharing a spreadsheet of customer contacts with the wrong person

Not every breach needs to be reported to the ICO. The test is whether the breach is likely to result in a risk to individuals' rights and freedoms. If you left a quote in the street but it only contained a first name and a postcode, the risk is probably low — document the incident internally but you do not need to report it. If a laptop containing detailed customer records, financial information or any sensitive data is stolen, the risk is higher and you should notify the ICO within 72 hours. If customers are likely to be directly affected by the breach — for example, if someone could use the information to defraud them — notify them too. The ICO breach reporting portal is at ico.org.uk/report-a-breach.

9. Customer rights you must be able to respond to

UK GDPR gives individuals a number of rights in relation to their personal data. Two are most relevant for small trade businesses:

  • Subject Access Request (SAR): a customer can ask to see all the personal data you hold about them. You must respond within one month. The first request is free. In practice, this means being able to pull together all their records — quotes, invoices, job notes, messages — and provide them in a readable format. For most sole traders, this is a manageable exercise if records are reasonably organised.
  • Right to erasure (“right to be forgotten”): a customer can ask you to delete their personal data. You are not always obliged to comply — in particular, you can refuse if you are legally required to keep the data (for example, you are required to retain tax records for five years and you cannot delete an invoice simply because a customer asks). But if the data is no longer needed for the purpose it was collected, you should delete it.
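The retention periods in section 6 and the erasure rule above combine into one decision: is a record past its retention period (and therefore due for the quarterly tidy-up), and can an erasure request be honoured for it? The script below is an added example, not part of the original post and not Trade2Base's code. It assumes a small set of record types matching the table in section 6, a "trigger" date per record (the 5 April tax year end for Self Assessment records, the creation date for VAT and job records, the end date for employment and insurance), and it treats customer job records as not legally required, since the six-year period for them is a recommendation rather than a statutory minimum. The sample records are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum


class RecordType(Enum):
    # Record types from the retention table (assumed categorisation).
    SELF_ASSESSMENT = "Self Assessment tax record"
    VAT = "VAT record"
    EMPLOYMENT = "employment record"
    INSURANCE = "insurance document"
    JOB_RECORD = "customer job record"


@dataclass(frozen=True)
class Record:
    ref: str
    kind: RecordType
    customer: str
    # Trigger date (assumed convention):
    #   SELF_ASSESSMENT -> the 5 April that ends the relevant tax year
    #   VAT, JOB_RECORD -> date the record was created
    #   EMPLOYMENT      -> date employment ended
    #   INSURANCE       -> date the policy ended
    trigger: date


def add_years(d: date, n: int) -> date:
    """Add n years, clamping 29 Feb to 28 Feb in non-leap years."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)


def retain_until(rec: Record) -> date:
    """Last day the record must (or should) be kept, per the table."""
    if rec.kind is RecordType.SELF_ASSESSMENT:
        # Filing deadline is 31 Jan following the tax year end, then 5 years.
        filing_deadline = date(rec.trigger.year + 1, 1, 31)
        return add_years(filing_deadline, 5)
    # Every other type in the table is six years from its trigger date.
    return add_years(rec.trigger, 6)


def is_legally_required(kind: RecordType) -> bool:
    """Job records are best practice only; the rest are legal obligations."""
    return kind is not RecordType.JOB_RECORD


def past_retention(rec: Record, today: date) -> bool:
    return today > retain_until(rec)


def due_for_deletion(records, today: date):
    """Quarterly tidy-up: refs of records whose retention period has ended."""
    return [r.ref for r in records if past_retention(r, today)]


def handle_erasure_request(records, customer: str, today: date):
    """Split a customer's records into those you can delete on request
    and those you must refuse (with the date after which they can go)."""
    delete, refuse = [], []
    for r in records:
        if r.customer != customer:
            continue
        if past_retention(r, today) or not is_legally_required(r.kind):
            delete.append(r.ref)
        else:
            refuse.append((r.ref, retain_until(r)))
    return delete, refuse


# Constructed sample records for a small trade business.
SAMPLE_RECORDS = [
    Record("SA-2019-20", RecordType.SELF_ASSESSMENT, "A Smith", date(2020, 4, 5)),
    Record("INV-0042", RecordType.VAT, "A Smith", date(2023, 6, 14)),
    Record("JOB-0042", RecordType.JOB_RECORD, "A Smith", date(2023, 6, 14)),
    Record("JOB-0007", RecordType.JOB_RECORD, "B Jones", date(2017, 3, 1)),
]

if __name__ == "__main__":
    print("Tidy-up on 1 Feb 2026:", due_for_deletion(SAMPLE_RECORDS, date(2026, 2, 1)))
    print("Erasure request from A Smith on 1 Sep 2025:",
          handle_erasure_request(SAMPLE_RECORDS, "A Smith", date(2025, 9, 1)))
```

Run on the sample data, the tidy-up flags the 2019/20 Self Assessment record (retained until 31 Jan 2026) and the 2017 job record, while the erasure request from A Smith deletes the job notes but refuses the invoice and tax record with the date after which each can be removed, which is the response the customer should receive.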

10. Practical steps for a sole trader or small trade business

Getting compliant does not require a data protection officer or a legal budget. Five practical steps cover the basics:

  • Complete the ICO self-assessment at ico.org.uk. It takes five minutes and tells you whether you need to pay the fee and register.
  • Add a brief privacy notice to your website and quote templates. A short paragraph is enough. Cover who you are, what data you hold, why you hold it, how long you keep it and how customers can contact you about it.
  • Don't keep data longer than you need. Delete old customer records once you are past the relevant retention period. A quarterly tidy-up of your files and contacts list is a good habit.
  • Store job records securely. Password-protect devices that hold customer data. If you use cloud storage, use a reputable provider and enable two-factor authentication on your account.
  • Know what to do if something goes wrong. Note the ICO's breach reporting portal. If you lose a device with customer data on it, act quickly — the 72-hour clock starts from when you become aware of the breach.

GDPR compliance for a small trade business is not about perfection — it is about being able to demonstrate that you have thought about what data you hold, that you have a legitimate reason for holding it, and that you handle it with care. The ICO's enforcement focus is on significant breaches and wilful non-compliance, not on sole traders who are making a genuine effort to get it right. Get the basics in place, keep records organised, and you are in a strong position.

Store your customer records securely

Trade2Base keeps all your customer data, job records and quotes in one secure place — with role-based access so only the right people can see sensitive information.
