Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Contents
If you run a small business, phone numbers are everywhere in your day-to-day operations.
You collect them for bookings, deliveries, invoices, customer support, marketing, staff rotas, and supplier contact lists. And sooner or later, someone asks: “Can you share their number with me?”
That’s when the real question kicks in: is sharing someone’s phone number illegal in the UK?
The frustrating (but honest) answer is: it depends. Sharing a phone number can be unlawful in the UK, but it isn’t automatically illegal in every situation. Whether it’s allowed usually comes down to data protection rules (UK GDPR and the Data Protection Act 2018), plus privacy and marketing rules (PECR) if calls/texts are involved.
Below, we’ll break this down in plain English from a small business perspective - when sharing a phone number is likely fine, when it’s risky, and how to set up your processes so you’re protected from day one.
Is Sharing Someone’s Phone Number Illegal In The UK?
A phone number is usually personal data because it can identify a living individual directly (e.g. it’s saved in your CRM as “Sarah – Mobile”) or indirectly (e.g. it’s tied to an order number, booking record, or chat thread).
Under the UK GDPR and the Data Protection Act 2018, personal data must be handled lawfully, fairly, and transparently.
So, is sharing someone’s phone number illegal in the UK?
- It may be unlawful (and therefore create legal risk) if you share it without a valid reason, without telling the person, or in a way that’s excessive or insecure.
- It may be lawful if you have a clear lawful basis, you share only what’s necessary, and you’re transparent about it.
Why This Matters For Small Businesses
Even if you’re not a huge company, you still have the same basic obligations when you’re acting as a data controller (the business deciding why/how personal data is used) or a data processor (handling data for someone else).
Also, “I didn’t realise” generally isn’t a defence. The regulator (the ICO) expects businesses to have appropriate policies, training, and contracts in place.
What UK GDPR And Privacy Law Actually Require When You Share Phone Numbers
When you share someone’s phone number, you’re usually doing a form of processing (which includes disclosure or making data available to someone else).
UK GDPR requires you to comply with key principles, including:
- Lawfulness, fairness, and transparency (you must have a valid legal basis and be open about what you’re doing)
- Purpose limitation (don’t use the phone number for unrelated reasons)
- Data minimisation (share only what’s necessary)
- Accuracy (keep contact details up to date)
- Storage limitation (don’t keep phone numbers forever “just in case”)
- Integrity and confidentiality (keep phone numbers secure)
For most small businesses, the “make-or-break” issues are usually:
- Do you have a lawful basis to share it?
- Did you tell the person you might share it?
- Are you sharing it safely and only with the right people?
This is where a solid Privacy Policy and good internal processes make a huge difference.
Don’t Forget PECR If Calls Or Texts Are Involved
If sharing the phone number leads to marketing calls, texts, or automated messages, you also need to consider the Privacy and Electronic Communications Regulations (PECR).
PECR sits alongside UK GDPR. Even if you can process a phone number under UK GDPR, you might still breach PECR if you use it for marketing without the right permissions.
It’s worth being especially careful where your “sharing” is really about getting another person/business to contact someone for promotional purposes.
When Can Your Business Share A Phone Number Lawfully?
To share a phone number lawfully, you typically need:
- a lawful basis under UK GDPR
- to share it in a way that’s fair and expected
- to share only what’s necessary
- appropriate security (no sloppy WhatsApp screenshots or open CC email chains)
Common Lawful Bases For Sharing Phone Numbers
Here are the lawful bases that most commonly apply to small businesses:
- Contract: sharing is necessary for the performance of a contract with the person (e.g. giving a courier the customer’s number for delivery updates).
- Legitimate interests: you have a genuine business reason that isn’t overridden by the person’s privacy rights (e.g. sharing a customer’s number with a subcontractor to complete a booked job, where the customer would reasonably expect this).
- Consent: they clearly agreed to a specific sharing use (especially relevant if it’s optional or marketing-related).
- Legal obligation: rarer for phone numbers, but possible in regulated contexts.
If you’re relying on legitimate interests, it’s smart to pause and sanity-check:
- Is the sharing truly necessary, or just convenient?
- Would the person be surprised if they knew?
- Could you achieve the same result without sharing the number?
Processor vs Controller Sharing (And Why Contracts Matter)
If you share phone numbers with service providers (like CRMs, booking software, outsourced call answering, marketing platforms, or IT support), you may be transferring personal data to a processor.
In many cases, UK GDPR requires you to have a written contract (or other legal act) in place with that processor, setting out things like the processing instructions, security, and confidentiality obligations.
If your business regularly shares personal data with another business (not just a software provider), a Data Sharing Agreement can help set clear rules on who does what, who responds to complaints, and how you keep data secure.
Everyday Business Scenarios: What’s Usually OK vs What’s Risky
Most “phone number sharing” problems don’t come from dramatic data leaks. They come from everyday moments where someone tries to be helpful - but accidentally crosses a privacy line.
Scenario 1: Sharing A Customer’s Number With A Courier Or Contractor
Often OK if:
- it’s necessary to deliver the product/service
- you’ve told the customer this may happen (e.g. in checkout terms or your privacy info)
- the courier/contractor only uses it for that job
Risky if:
- the contractor uses the number for their own marketing later
- you share more than needed (e.g. full customer notes plus contact details)
- you have no documentation showing how contractors should handle customer info
This is where clear contracts and internal rules (plus training) are your best friend.
Scenario 2: A Staff Member Gives Out Another Employee’s Number
This is a common one: someone calls your business and says they need to reach a particular team member urgently.
As a general rule, don’t give out employee phone numbers casually. Even if you mean well, it can be excessive and unexpected, and it may breach UK GDPR and internal HR confidentiality expectations.
Better options:
- offer to take a message
- ask the employee if they’re happy for you to share their number
- use a work line or shared inbox rather than personal numbers
If your team uses personal phones for work (or BYOD), you should treat this as a policy issue as much as a legal one - an Acceptable Use Policy can help you set sensible rules that staff can actually follow.
Scenario 3: Posting A Phone Number In A Group Chat Or Community Page
High risk, especially if:
- the group is large or semi-public
- you can’t control who forwards it
- the number belongs to an individual (sole trader, freelancer, customer, staff member)
If you’re ever tempted to post “Call Dave on 07…” in a community group, pause and consider whether you have Dave’s explicit permission to post that number there.
This also overlaps with broader privacy and confidentiality issues - for example, sharing screenshots of messages that contain phone numbers can become a problem quickly. The practical risks are similar to the issues covered when looking at the sharing of private messages without consent.
Scenario 4: Sharing A Number For “Marketing Introductions”
This is where businesses often get caught out.
Example: you have a customer’s phone number and you share it with a partner business so they can call them about an offer.
Even if you think the offer is relevant, this can be unlawful if:
- you didn’t tell the customer you would share their number for this purpose
- you don’t have a lawful basis (and often, you’ll need consent)
- the partner’s outreach breaches PECR marketing rules
If your business does any phone-based marketing (including lead follow-ups), it’s worth sanity-checking your approach against UK GDPR and PECR requirements around GDPR and business calls.
What Are The Risks If You Get It Wrong?
From a small business owner’s perspective, the risks aren’t just theoretical. If you share phone numbers in the wrong way, you could face:
1) ICO Complaints And Regulatory Action
Individuals can complain to the ICO if they think you mishandled their personal data. Even if it doesn’t lead to a fine, dealing with an investigation can be stressful and time-consuming.
For serious or repeated breaches, the ICO can issue enforcement action and fines under UK GDPR principles.
2) Civil Claims And Compensation
In some cases, individuals may seek compensation for misuse of personal data. It’s not always about financial loss - claims can involve distress too.
3) Reputational Damage
For small businesses, trust is everything. A single “they gave my number out” complaint in a public review can put off future customers.
4) Data Breach Obligations
If a phone number is shared accidentally (for example, emailing a customer list to the wrong recipient), that may be a personal data breach.
Depending on the risk to individuals, you may need to:
- investigate and contain the breach
- consider notifying the ICO within 72 hours
- consider notifying affected individuals
- keep internal records of what happened and how you responded
Having a documented process (and the right templates) helps you move quickly and calmly when something goes wrong - many businesses build this into a broader compliance setup like a Data Protection Pack.
A Practical Checklist To Share Phone Numbers Safely In Your Business
If you want a simple, workable approach (without turning into a full-time privacy officer), here’s a practical checklist you can implement.
1) Map Where Phone Numbers Come From And Where They Go
List your main sources and sharing points, such as:
- website contact forms
- online checkout and delivery details
- booking systems
- inbound calls
- staff contact lists
- supplier/customer WhatsApp messages
Then list who you share numbers with (couriers, subcontractors, software providers, marketing platforms, etc.).
2) Be Clear With People Upfront
Transparency solves a lot of issues before they start.
Your privacy information should clearly explain:
- why you collect phone numbers
- who you share them with (types of recipients, not necessarily names)
- whether they’ll be used for marketing
- how long you keep them
Keeping retention periods under control is part of good compliance too - if you’re unsure what’s “reasonable”, it helps to follow a clear approach to data retention.
3) Set Rules For Staff (Especially Around Personal Mobiles)
Most accidental sharing happens because staff are moving quickly and trying to help.
At minimum, your internal rules should cover:
- when staff can share a customer’s phone number with third parties
- whether staff can share another staff member’s phone number
- how to handle messages/screenshots containing phone numbers
- approved tools (CRM, email) vs unapproved tools (personal messaging apps)
If you employ staff, it’s also worth ensuring your Employment Contract and workplace policies support confidentiality and proper handling of personal data.
4) Share The Minimum You Need
Ask yourself: do they really need the phone number, or would an email address/order number be enough?
If a phone number is needed, avoid bundling it with extra personal information.
5) Put The Right Agreements In Place
Where other businesses handle phone numbers on your behalf (or you share data regularly), written agreements help avoid misunderstandings and keep everyone accountable.
Depending on your setup, that might include:
- processor terms in supplier contracts
- a formal data sharing arrangement
- confidentiality clauses for subcontractors
6) Have A “What If We Make A Mistake?” Plan
No business gets it perfect 100% of the time. What matters is that you respond properly when something goes wrong.
Your plan should cover:
- who staff should report incidents to
- how you contain the issue (ask recipients to delete, revoke access, etc.)
- how you assess risk
- when you consider notifying the ICO or affected individuals
Key Takeaways
- Is sharing someone’s phone number illegal in the UK? It can be unlawful if you don’t have a lawful basis, you aren’t transparent, or you share it in an excessive or insecure way.
- A phone number is usually personal data, so sharing it is regulated by the UK GDPR and the Data Protection Act 2018.
- If the sharing leads to marketing calls or texts, you also need to comply with PECR.
- Sharing phone numbers with couriers, contractors, and service providers is often lawful where it’s necessary for the performance of a contract - but you should still be transparent and share only what’s needed.
- Be especially cautious about sharing employee phone numbers, posting numbers in group chats, and sharing customer numbers for “introductions” or partner marketing.
- Strong privacy foundations (clear privacy information, internal policies, and the right agreements) reduce the risk of complaints, breaches, and reputational damage.
If you’d like help setting up your privacy compliance (including policies, contracts, and data sharing arrangements), you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.
