Compliance & Certification · 7 min read · 8 Jun 2026

Data Protection for UK Trade Businesses — GDPR, ICO Registration and Customer Data in 2026

Most tradespeople assume data protection law is something that applies to tech companies and big corporations, not a sole trader plumber or a three-van electrical firm. That assumption is wrong, and it is costing some trade businesses money in fines they could easily have avoided. If you hold a customer's name and address on your phone, you are processing personal data under UK law. If you send marketing emails or texts, you need consent or a valid exemption such as the soft opt-in described below. If you store photos of someone's property, those photos are personal data too.

The good news is that compliance for a small trade business is genuinely not complicated. You do not need a lawyer or a data protection officer. You need to understand what the rules are, register with the ICO, store data sensibly, and make sure customers know what you do with their information. This guide covers exactly that.

1. Does UK GDPR apply to your trade business?

Yes. If you hold any personal data about customers or employees (names, addresses, phone numbers, email addresses, photos of property) you are a data controller under UK GDPR. UK GDPR sits alongside the Data Protection Act 2018, which supplements it, and both apply to you. It does not matter whether you are a sole trader or a limited company. It does not matter whether you have one customer or one thousand. The moment you store personal information about an identifiable living person, you have data protection obligations.

UK GDPR is the retained version of the EU General Data Protection Regulation that became part of UK law when the UK left the EU. In practice it is almost identical to the EU version, with the Information Commissioner's Office (ICO) acting as the UK's independent supervisory authority rather than an EU regulator.

The framework is built around a simple principle: people have a right to control their personal information. As a business that collects and uses it, you must handle it lawfully, keep it secure, use it only for the purpose you collected it for, and not keep it longer than necessary. None of those requirements are unreasonable for a trade business — they are, in most cases, just good business practice applied systematically.

2. ICO registration — who must register and what it costs

Most businesses that process personal data must register with the Information Commissioner's Office and pay an annual data protection fee. This is separate from simply complying with UK GDPR — it is a specific registration requirement, and the ICO uses it to fund its regulatory activities.

Who must register

You must register (and pay the fee) if your business processes personal data and the exemptions do not cover everything you do. The exemptions most likely to be relevant to a trade business are:

  • Accounts and records: keeping your own accounts, records of purchases, sales and other transactions, and deciding whether to take someone on as a customer
  • Staff administration: payroll, CIS returns and other employee records
  • Advertising, marketing and public relations for your own business

You are only exempt if all of your processing falls within the exemptions. Operating CCTV (including a camera on your van) for crime prevention means you must pay the fee regardless, and keeping photographs of customers' property for your own reference or portfolio may well fall outside the exemptions too. In practice the ICO expects most businesses to pay, and the fee is small enough that guessing wrong is not worth the penalty risk. The ICO provides a free self-assessment tool at ico.org.uk that takes around five minutes to complete and tells you definitively whether you must register.

Registration tiers and cost

  • Tier 1, micro organisations (turnover up to £632,000 or no more than 10 members of staff): £52 per year
  • Tier 2, small and medium organisations (turnover up to £36 million or no more than 250 members of staff): £78 per year
  • Tier 3, large organisations (above the Tier 2 thresholds): £3,763 per year

These fees have applied since 17 February 2025, when the previous £40, £60 and £2,900 fees were increased. Check ico.org.uk for the current figures before you pay; there is a £5 discount for paying by direct debit.

The vast majority of trade businesses will be Tier 1: £52 per year. You can register online at ico.org.uk/registration in around ten minutes. You will need your Companies House number (if a limited company), your PAYE reference (if you employ anyone), and a rough description of the personal data you process and why. Renewal is annual and the ICO sends a reminder email.

Penalty for failing to register

If you are required to register but have not done so, the ICO can issue a fixed monetary penalty of up to £4,000 on top of the fee you should have paid. The ICO does actively identify and pursue unregistered businesses, so it is not a theoretical risk. At £52 per year, registration is the easiest compliance step in this guide.

3. What personal data does a trade business typically hold?

It is worth being clear about exactly what counts as personal data in the context of a typical trade business, because many owners are surprised by how much they hold without realising it.

Customer data

  • Name, address, phone number, email address — collected when a customer enquires, receives a quote, or is invoiced. This is the most basic category and is held by every trade business.
  • Photos of customer property — taken before, during, or after a job for quoting, reference, or portfolio purposes. These are personal data because they are associated with an identifiable person (the customer at that address).
  • Payment information — critical point here: do not store card numbers. Use a payment processor (Stripe, Square, SumUp, GoCardless) that handles card data on your behalf. Card details are subject to PCI DSS rules on top of UK GDPR and storing them unsecured exposes you to serious liability. Bank account details for BACS payments should be stored securely and only for as long as you need them.

Employee and subcontractor data

  • Name, address, National Insurance number, bank account details — required for payroll and CIS returns
  • Right-to-work documents — passport copies, visa documentation. These must be stored securely and not shared beyond those who need to see them
  • Health information — if you hold any health or medical data (for example, a risk assessment noting that a worker has a condition relevant to manual handling), this is special category data under UK GDPR and subject to stricter rules

CCTV footage

If you have CCTV cameras at your premises or workshop, or a dashcam or camera on your van, the footage is personal data. The ICO has specific guidance on CCTV compliance for small businesses: you must display signs warning that CCTV is in operation, only retain footage for as long as necessary (around 30 days is typical for general security purposes, longer only for footage needed for a specific incident), and have a clear reason (legitimate interest in security) for using it. Using CCTV for crime prevention also means you must pay the ICO fee whatever else you do.

4. Lawful basis for processing — why are you allowed to hold this data?

UK GDPR requires you to have a valid lawful basis for processing personal data. You cannot simply decide to collect and use customer information without a legal reason. There are six lawful bases in total; for a trade business, three are most relevant.

Contract

Processing is necessary to fulfil a contract with the individual, or to take steps at their request before entering into a contract. This covers the bulk of what a trade business does: you need a customer's name and address to carry out the work, to issue an invoice, and to return and remedy any defects. You do not need to ask permission for this — the contractual relationship justifies it.

Legitimate interests

Processing is necessary for your legitimate business interests, provided those interests are not overridden by the individual's rights and interests. This is the basis for things like following up on a quote that a customer requested but has not yet accepted, or keeping a record of past jobs for warranty or dispute purposes. It requires a brief assessment of whether your interest genuinely outweighs any privacy impact — for most routine trade business activities, it clearly does.

Legal obligation

Processing is necessary to comply with a legal requirement. HMRC requires you to keep your business records, including the customer name and address on invoices: at least five years after the 31 January filing deadline of the relevant tax year if you are self-employed, and six years from the end of the financial year if you run a limited company. You do not need consent to retain those records; the legal obligation to HMRC is your lawful basis.

Consent — when you actually need it

For marketing communications (email newsletters, promotional texts) you generally need the customer's consent. Consent must be freely given, specific, informed, and unambiguous. A pre-ticked box does not count. A customer giving you their email address to receive an invoice is not consenting to receive your monthly offers. If you want to send marketing messages, you need a clear opt-in: a checkbox on your quote form or website that is not pre-ticked and explains what they are signing up for. Keep a record of when and how each person opted in. One caveat: the consent rule in PECR protects individual subscribers, which includes private householders, sole traders and most partnerships. If your customer is a limited company you can email its staff at their work addresses without PECR consent, but you must still say who you are, offer an opt-out, honour it, and have a UK GDPR lawful basis (usually legitimate interests).

There is an exception: the “soft opt-in” rule under PECR (the Privacy and Electronic Communications Regulations) allows you to send marketing emails or texts to existing customers about your own similar products or services, provided you obtained their contact details in the course of a sale or negotiations for a sale, gave them a simple way to opt out when you collected the details, and repeat that opt-out in every subsequent message. So if someone used you for a boiler service, you can email them about boiler servicing again, provided they could opt out and did not. The soft opt-in only satisfies PECR; you still need a UK GDPR lawful basis for the processing, which for this kind of marketing to existing customers is normally legitimate interests.

5. Keeping data secure — practical steps for a small trade business

UK GDPR requires you to take “appropriate technical and organisational measures” to keep personal data secure. For a sole trader or small trade business, this does not mean enterprise-grade security — it means sensible, proportionate precautions. Here is what that looks like in practice.

Device security

  • Use a PIN or biometric lock on your phone and laptop, and make sure device encryption is on (modern iPhones and Android phones encrypt storage once a lock is set; on Windows check BitLocker, on a Mac check FileVault). If a locked, encrypted phone is stolen, that is a breach you must record and assess; if it was unlocked and held customer details, it will usually need reporting
  • Turn on the built-in locate-and-remote-wipe feature (Find My on Apple, Find My Device on Android) so a lost device can be wiped
  • Enable automatic software updates so security patches are applied promptly
  • Do not leave your phone or laptop unattended in your van; treat them as you would cash

Where you store customer data

  • Use a reputable cloud-based system for customer records, quotes, and invoices. Tools like Trade2Base, Tradify, or even Xero are hosted by companies with proper security infrastructure and are far more secure than a spreadsheet on your desktop or a paper notebook, but only if the account itself is protected: use a strong password that you do not reuse anywhere else and switch on two-factor authentication, because a reused or guessed password is the usual way a cloud account is broken into
  • Do not keep customer lists in unprotected spreadsheets on a shared drive or emailed around. If you must use a spreadsheet, keep it in a cloud service (Google Sheets, OneDrive) shared with the named people who need it, never with an “anyone with the link” setting, and do not share it via email
  • Do not store card details anywhere. Use a payment processor. This is non-negotiable

Email and messaging

  • Sending a customer's name and address via email is generally fine — it is the same information on a letter
  • Do not send financial details (NI numbers, bank account numbers, payment card data) via unencrypted email. Use a secure file-sharing link or your accounting software's built-in messaging if you need to share sensitive financial information
  • If you use WhatsApp for business communications, use a dedicated WhatsApp Business account rather than your personal one — this keeps business and personal data separated and makes it easier to manage if you ever need to delete business data

Paper documents

Shred paper documents containing personal data rather than putting them in a recycling bin. A customer's address on an old quote left in a recycling bin is a data breach. A cheap cross-cut shredder costs around £25 and takes care of this permanently.

If you have a data breach

A data breach is any incident where personal data is lost, destroyed, corrupted, or disclosed to someone who should not have seen it. If a breach is likely to result in a risk to people's rights and freedoms (for example, customer bank details are accessed by an unauthorised person), you must report it to the ICO within 72 hours of becoming aware of it. You can do this online at ico.org.uk. If the breach is likely to result in a high risk to the people affected, you must also tell them without undue delay. Not every incident meets the reporting threshold: a lost phone that was locked and encrypted is usually low risk, whereas a spreadsheet of bank details emailed to the wrong customer is not. Whatever you decide, keep a written record of every breach, what happened, what you did about it, and why you did or did not report it; the ICO can ask to see that record.

6. Data retention — how long should you keep customer information?

UK GDPR requires you not to keep personal data longer than necessary for the purpose you collected it for. For a trade business, a practical retention policy looks like this:

  • Customer records and invoices: 6 years from the last transaction. HMRC records requirement and the limitation period for contract disputes
  • Quotes that did not convert: 12 months. No ongoing business purpose once a reasonable follow-up period has passed
  • Job photos (customer property): for the duration of any warranty or dispute period, then delete. Evidence value for defects claims; no reason to keep them indefinitely
  • Employee records: 6 years after employment ends. HMRC requirement and the employment tribunal limitation period
  • Right-to-work documents: 2 years after employment ends. Home Office requirement
  • CCTV footage: around 30 days, unless a specific clip is needed for an incident. ICO guidance for small business CCTV
  • Marketing consent records: until consent is withdrawn, then delete the consent record promptly. You must be able to demonstrate that consent was given. Keep the opt-out itself (the address or number on a suppression list), otherwise you have no way of knowing not to contact that person again

You do not need a sophisticated records management system to apply these policies. A simple annual review — going through your customer database and archiving or deleting old contacts — is sufficient for most trade businesses. Some job management software allows you to set automatic archiving rules which makes this even easier.
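If your job management software does not offer archiving rules, the annual review above can be done with a short script over an export of your records. The following is an added example written for this guide, not code from Trade2Base or any other product: it encodes the retention periods from the list above, keeps anything under a warranty, dispute or legal hold, refuses to touch record types it has no rule for, and reports which records are due for deletion on a given date. The record identifiers, the sample data and the fixed review date are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Retention policy mirroring the periods in this guide. None means there is no
# fixed period: the record is kept only while a warranty or dispute period
# (hold_until) is running, and is flagged for review if no such date is recorded.
RETENTION = {
    "invoice": ("years", 6),
    "quote_unconverted": ("years", 1),
    "employee_record": ("years", 6),
    "right_to_work": ("years", 2),
    "cctv": ("days", 30),
    "job_photo": None,
}


@dataclass
class Record:
    record_id: str
    kind: str
    anchor: date                       # last transaction, employment end or capture date
    hold_until: Optional[date] = None  # end of a warranty or dispute period, if any
    legal_hold: bool = False           # live dispute or HMRC enquiry: never auto-delete


def add_years(d: date, years: int) -> date:
    """Calendar-correct year arithmetic (29 Feb rolls back to 28 Feb)."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_deadline(rec: Record) -> Optional[date]:
    """Earliest date on which rec may be deleted, or None if it must be kept."""
    if rec.legal_hold:
        return None
    if rec.kind not in RETENTION:
        # Fail closed: an unknown record type goes to a human, it is never deleted.
        raise ValueError(f"no retention rule for record kind {rec.kind!r}")
    rule = RETENTION[rec.kind]
    if rule is None:
        deadline = rec.hold_until
    else:
        unit, n = rule
        deadline = add_years(rec.anchor, n) if unit == "years" else rec.anchor + timedelta(days=n)
    # A warranty or dispute period always extends, never shortens, the deadline.
    if rec.hold_until and (deadline is None or rec.hold_until > deadline):
        deadline = rec.hold_until
    return deadline


def sweep(records: List[Record], today: date) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split records into ids due for deletion today and (id, reason) pairs to keep."""
    to_delete: List[str] = []
    to_keep: List[Tuple[str, str]] = []
    for rec in records:
        deadline = retention_deadline(rec)
        if deadline is None:
            to_keep.append((rec.record_id, "legal hold" if rec.legal_hold else "no deadline set"))
        elif deadline <= today:
            to_delete.append(rec.record_id)
        else:
            to_keep.append((rec.record_id, f"retain until {deadline.isoformat()}"))
    return to_delete, to_keep


# Constructed sample records for the demonstration; not real customers or staff.
SAMPLE = [
    Record("INV-1001", "invoice", date(2019, 5, 1)),                  # more than 6 years old
    Record("INV-2044", "invoice", date(2022, 3, 15)),                 # still within 6 years
    Record("Q-551", "quote_unconverted", date(2025, 2, 10)),          # 16 months old
    Record("Q-790", "quote_unconverted", date(2026, 1, 20)),          # recent quote
    Record("PH-12", "job_photo", date(2024, 9, 3), hold_until=date(2025, 9, 3)),  # warranty ended
    Record("PH-13", "job_photo", date(2026, 4, 1)),                   # no warranty end recorded
    Record("RTW-7", "right_to_work", date(2024, 1, 31)),              # 2 years since leaving
    Record("CCTV-20260520", "cctv", date(2026, 5, 20)),               # 19 days of footage
    Record("INV-1777", "invoice", date(2018, 1, 1), legal_hold=True), # live dispute
]

TODAY = date(2026, 6, 8)  # fixed review date so the output is reproducible

if __name__ == "__main__":
    delete, keep = sweep(SAMPLE, TODAY)
    print("Delete:", ", ".join(delete))
    for record_id, reason in keep:
        print(f"Keep {record_id}: {reason}")
```

Run on the sample as of 8 June 2026 it lists INV-1001, Q-551, PH-12 and RTW-7 for deletion and keeps the rest, flagging PH-13 as having no deadline set so that someone records the warranty end date rather than leaving the photo indefinitely. Two design choices matter: a legal hold or an unknown record type always wins over a deletion date, because a wrongly deleted invoice is much harder to explain to HMRC or a court than a slightly late deletion; and the script only reports, so the actual delete is a separate, deliberate step you run against your system after checking the list.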

7. Customer rights under UK GDPR — what your customers can ask for

UK GDPR gives individuals a set of rights over their personal data. For a small trade business, these requests are genuinely rare — most customers are not thinking about data protection rights when they get their boiler serviced. But you should know what to do if one does come in.

Subject Access Request (SAR)

A customer can ask to see all the personal data you hold about them. You must respond without undue delay and at the latest within one month of receiving the request (extendable by a further two months if the request is genuinely complex, in which case you must tell them within the first month). You normally cannot charge for this. You provide a copy of the information in a clear, accessible format; there is no prescribed form, and a PDF of your records relating to that person is fine. You can ask the person to confirm their identity before responding if you have reasonable doubts about who they are, but the clock starts when the request arrives, not when they prove it. The ICO has free template letters for handling SARs.

Right to erasure (“right to be forgotten”)

A customer can ask you to delete their personal data. You must comply unless you have a legitimate reason to retain it — for example, you are legally required to keep their invoice for HMRC purposes, or there is an ongoing dispute. You cannot simply delete all their data on request if doing so would put you in breach of another legal obligation. Explain clearly what you are retaining and why.

Right to rectification

A customer can ask you to correct inaccurate data you hold about them. Update it promptly. This is low-friction in practice.

Right to object to marketing

A customer can ask to stop receiving marketing messages from you at any time. You must act on this immediately and without charge. Every marketing email you send must include an unsubscribe link or clear instructions on how to opt out.

Practical tip

The ICO provides free template letters and response guides for all these rights at ico.org.uk/for-organisations. Bookmark it — if you ever receive a formal data rights request, the templates make responding correctly straightforward.

8. Privacy notice — what you need and how to write one

Under UK GDPR, you must tell people what you do with their personal data at the point you collect it. For a trade business, this means having a privacy notice available to customers. It does not have to be a formal legal document — plain English is not only acceptable, it is actually required. The ICO specifically says privacy notices should be written in clear, everyday language.

What a trade business privacy notice must cover

  • Who you are — your business name, address, and contact details
  • What data you collect — name, address, phone, email, job photos, etc.
  • Why you collect it — to quote, carry out work, invoice, meet HMRC obligations
  • Your lawful basis — contract, legitimate interests, legal obligation
  • How long you keep it — refer to your retention periods above
  • Who you share it with — your accountant, any subcontractors who work on the job, your invoicing software provider
  • Customer rights — their right to access, correct, delete, and object
  • How to complain — they can contact the ICO at ico.org.uk if they are unhappy with how you handle their data

Where to publish it

If you have a website, your privacy notice should be linked from your footer and from any contact or quote request form. If you do not have a website, you should be able to provide it to a customer on request — a one-page PDF that you can email is fine. The ICO has a free privacy notice generator at ico.org.uk that asks a series of questions and produces a completed draft you can adapt.

For most trade businesses, a privacy notice covering the points above will fit on a single A4 page. It does not need to be long — it needs to be honest and clear about what you do with customer data. If your privacy notice accurately reflects your actual practices, you are in a solid position.

Data protection checklist for trade businesses

  • Completed ICO self-assessment and registered (if required), £52 per year for Tier 1 at ico.org.uk
  • Phone and laptop are password/PIN protected
  • Customer data stored in a reputable cloud-based system, not an unprotected spreadsheet
  • No card numbers stored anywhere — using a payment processor for card payments
  • Marketing emails include an unsubscribe option and sent only to those who have consented
  • Old, unconverted quotes deleted after 12 months
  • Customer records kept for 6 years after last transaction, then deleted
  • Job photos deleted once the warranty or dispute period has passed
  • Paper documents with personal data shredded rather than binned
  • Privacy notice published on website or available to customers on request

Data protection compliance for a trade business is largely common sense applied consistently. Register with the ICO, store data securely, do not keep it longer than you need it, be transparent with customers about what you do with their information, and respect their rights when they exercise them. The ICO's guidance for small businesses is genuinely useful and freely available — it is written for organisations exactly like yours.
