GDPR for Tradespeople UK — What You Need to Know (2026)
Most tradespeople store customer data, from names, addresses and phone numbers to job histories and photos taken on site, without giving much thought to data protection law. This is understandable: GDPR feels like something for large corporations, not sole traders and small trade businesses. But UK GDPR (the version of GDPR retained in UK law after Brexit, which sits alongside the Data Protection Act 2018) applies to every business that processes personal data, however small, including one-person trade businesses.
This guide covers what GDPR actually means for a UK tradesperson in plain English: what you need to do, what you can ignore, and the specific obligations that catch trade businesses out.
Do you need to register with the ICO?
Most businesses that process personal data must pay a data protection fee to the Information Commissioner's Office (ICO). This is a separate requirement from GDPR compliance itself: it is the charge that funds the ICO, and it is payable whether or not you ever have a data protection problem.
The fee is tiered by size (figures as raised in February 2025; check ico.org.uk for the current amounts, and note that a small discount applies if you pay by direct debit):
- Tier 1 (£52/year): micro organisations with turnover of no more than £632,000 or no more than 10 staff. This covers most sole traders and small trade teams.
- Tier 2 (£78/year): small and medium organisations with turnover of no more than £36 million or no more than 250 staff
- Tier 3 (£3,763/year): large organisations
There are exemptions, and the ones most relevant to tradespeople are:
- Staff administration: payroll, hours worked and other employee records
- Accounts and records: keeping your own accounts and records of transactions with customers and suppliers
- Advertising, marketing and PR for your own business
- Not-for-profit organisations
The exemptions only apply if everything you do with personal data falls inside them, and they fall away entirely if you operate CCTV for crime prevention purposes.
In practice, almost every trade business that keeps customer details electronically in order to deliver and follow up work, rather than purely for bookkeeping, ends up needing to pay. The ICO's self-assessment tool at ico.org.uk will confirm this in two minutes, and its answer is the one that counts. Failing to pay a fee you owe can attract a penalty of up to £4,000 on top of the fee itself.
What counts as personal data for a trade business?
Personal data is any information relating to a living individual who can be identified from it, either directly or in combination with other information you hold. It does not have to be confidential or sensitive: a name and a job address in your diary is personal data. For a trade business, this includes:
- Customer names, addresses, phone numbers and email addresses
- Photos taken at a customer's property that show the interior, the house number, vehicle registrations or the people who live there
- Job notes that include personal information about the customer
- CCTV footage (if you install or operate CCTV)
- Employee records (payroll, hours worked, personal details)
- WhatsApp and text message histories with customers
The six lawful bases — which applies to you?
UK GDPR requires you to have a lawful basis for every piece of personal data you process. There are six; two of them (vital interests and public task) almost never apply to a trade business, which leaves four that matter:
- Contract: you need the data to perform a contract with the customer, or to take steps they have asked for before one exists, such as storing their address to quote for or attend a job. This covers most of the data trade businesses process.
- Legitimate interests: you have a genuine business interest that isn't overridden by the individual's rights and reasonable expectations. Sending follow-up communications to existing customers about relevant services can fall here, though email and SMS marketing must also satisfy PECR (see below).
- Legal obligation: processing required by law, for example retaining invoices and records for HMRC or keeping CIS records.
- Consent: the customer has made a clear, affirmative choice that they can withdraw as easily as they gave it; pre-ticked boxes and silence don't count. This is the basis you need for marketing emails and SMS to new contacts who aren't existing customers.
For most customer data processing (taking a booking, completing a job, sending an invoice), the contract basis covers you. You don't need to ask permission to store a customer's address when you need it to attend a job; you do need to tell them you are doing it, which is what the privacy notice is for.
How long can you keep customer data?
UK GDPR's storage limitation principle requires you to keep personal data only as long as you need it for the purpose you collected it. In practice for trade businesses:
- Financial records (invoices, receipts, bank records): HMRC requires sole traders to keep these for at least 5 years after the 31 January filing deadline of the tax year they relate to, and limited companies for 6 years from the end of the accounting period; VAT records must be kept for 6 years. This is not a loophole in the "keep it as short as possible" principle: a legal obligation defines how long is necessary, so you are required to keep them.
- Customer contact details: reasonable to keep as long as you might realistically do future work for that customer. 3 to 5 years after the last job is a defensible retention period.
- Job photos and job notes: keep for the duration of any warranty period or potential liability claim. 6 years from completion is the usual limitation period for contract claims in England and Wales, so that is the common choice for building work.
- Employee records: keep for 6 years after employment ends.
You should write your retention periods down, even informally. "We keep customer records for 5 years after the last job" in your privacy notice is sufficient, as long as you then actually delete records when the period expires.
Privacy notice — do you need one?
Yes. UK GDPR requires you to tell people, at the time you collect their data, what personal data you collect, why you collect it, how long you keep it, who you share it with and what rights they have. The usual way is a privacy notice on your website, linked from quotes, invoices and booking forms. If you have no website, a short version printed on your quote or terms with a contact address does the job.
A trade business privacy notice should cover:
- What data you collect (names, addresses, phone numbers, job photos, etc.)
- Why you collect it (to provide your services)
- Your lawful basis (contract, legitimate interests)
- How long you keep data
- Whether you share data with anyone (subcontractors, accountants, software providers)
- Customers' rights (access, rectification, erasure and objection, and in some cases restriction and portability)
- How to contact you with a data request
The ICO has a free privacy notice generator at ico.org.uk. A basic privacy notice takes about 20 minutes to create.
Marketing emails and SMS — when you need consent
This is the area most trade businesses get wrong. Alongside UK GDPR, PECR (the Privacy and Electronic Communications Regulations) sets its own rules for marketing by email and SMS:
- Existing customers: you can email or SMS people whose details you collected in the course of a sale, or negotiations for a sale, about your own similar services (the "soft opt-in"), provided you gave them a chance to refuse when you collected the details and give them an easy opt-out in every message
- New contacts or leads: you need their explicit consent before sending marketing emails or texts
- Cold calling by phone: allowed to individuals unless the number is on the TPS (Telephone Preference Service) register or the person has previously told you not to call; you must also not withhold your number when making marketing calls
In practice: a review request or a boiler service reminder sent to a customer you've previously worked for is almost certainly compliant. Mass marketing emails to a purchased list require consent that specifically covers you as the sender, which purchased lists almost never have.
What to do if you have a data breach
A personal data breach is any incident where personal data is accessed, disclosed, altered, lost or destroyed without authorisation. It does not have to involve an attacker. Common examples for trade businesses:
- Losing a phone or laptop that holds customer data, particularly one with no PIN or password and no encryption (a locked, encrypted device that you have a backup of is usually low risk, but the loss still belongs in your breach log)
- Sending an invoice or quote to the wrong customer, with another customer's personal details visible
- A hacking incident affecting your email account or job management software, including someone getting into your email and reading customer correspondence
If a breach is likely to result in a risk to individuals' rights and freedoms, you must report it to the ICO within 72 hours of becoming aware of it, and if the risk is high (for example, bank details or property alarm codes exposed) you must also tell the affected individuals without undue delay. For a sole trader, breaches of this seriousness are rare, but the 72-hour window is non-negotiable when they do occur.
Minor breaches (e.g., a single invoice sent to the wrong email, corrected immediately) don't usually need to be reported, but UK GDPR requires you to record every breach, reportable or not, noting what happened, its effects and what you did about it. A simple log in a spreadsheet or notebook is enough.
How job management software helps with GDPR
Using a dedicated job management platform like Trade2Base is easier to keep GDPR-compliant than storing customer data across spreadsheets, WhatsApp and email:
- Data is stored in a single, secure system with access controls
- Customer data can be deleted from a single place if requested
- Audit trails are maintained automatically
- Data is not spread across multiple devices and apps
Two caveats still apply. The software provider is your processor, so you remain the controller and stay responsible for the data; check that the provider's terms include the processor obligations UK GDPR requires (processing only on your instructions, appropriate security, and deletion or return of the data when the contract ends). And the right to erasure is not absolute: when a customer asks you to delete their data, you can remove their contact details, notes and photos, but you must still keep the invoices HMRC requires you to retain, and you should tell them so.
When a customer exercises their right to erasure ("please delete my data"), a single system lets you respond properly rather than trying to track down data scattered across your phone, email and paper records.
Keep all customer data in one secure place
Trade2Base stores customer data securely, with role-based access and the ability to delete customer records on request. Better for GDPR, better for your business.
Start free trial