Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Does “Processing Customer Data” Mean Under UK GDPR?
- PCP Example Library: Common Ways Small Businesses Process Customer Data
  - PCP Example 1: Website Contact Forms And Enquiries
  - PCP Example 2: Taking Payments And Issuing Invoices
  - PCP Example 3: Online Accounts, Subscriptions, And Customer Portals
  - PCP Example 4: Email Marketing And Newsletters
  - PCP Example 5: Cookies And Website Analytics
  - PCP Example 6: Delivery, Couriers, And Fulfilment Partners
  - PCP Example 7: CCTV In Shops, Offices, Or Venues
- Key Takeaways
If you run a small business, chances are you process customer data every day - collecting enquiries, taking payments, sending bookings, managing deliveries, and replying to support emails.
The tricky part is that GDPR (and the UK GDPR, alongside the Data Protection Act 2018) doesn’t just apply to big tech companies. It can apply to you whenever you handle information that can identify a person.
In this guide, we’ll break down what “processing” really means, share a practical PCP (processing customer personal data) example library (so you can spot common issues quickly), and explain the key legal steps you should have in place to protect your business from day one.
Note: This article is general information for UK businesses and isn’t legal advice. The right approach can depend on your exact data flows, customer type (consumer vs business), and the systems you use.
What Does “Processing Customer Data” Mean Under UK GDPR?
Under the UK GDPR, processing is a very broad concept. It basically covers anything you do with personal data, including:
- collecting it (eg enquiry forms, phone orders, booking forms)
- storing it (eg CRM systems, spreadsheets, email inboxes)
- using it (eg fulfilling an order, replying to a customer)
- sharing it (eg sending an address to a courier)
- analysing it (eg marketing analytics, customer segmentation)
- deleting it (yes - that’s processing too)
Personal data is any information that identifies someone (or could identify them when combined with other information). That might be obvious, like a name or email address - but it can also include:
- phone numbers
- postal addresses
- IP addresses and device identifiers (common for websites)
- order history linked to a customer account
- CCTV footage (where people are identifiable)
So when people search for a PCP example in a GDPR context, what they’re often really looking for is: “What are common examples of processing customer personal data, and how do I do it lawfully?”
PCP Example Library: Common Ways Small Businesses Process Customer Data
Below are practical PCP example scenarios that come up for UK SMEs all the time. If you recognise your business in any of these, it’s a sign you should make sure your GDPR foundations are in place.
PCP Example 1: Website Contact Forms And Enquiries
If you collect names, emails, phone numbers, or enquiry details through your website, you’re processing personal data.
Key GDPR points:
- You need to tell people what you’ll do with their data (usually via a Privacy Policy).
- You should only collect what you need (data minimisation).
- You need a lawful basis (often “legitimate interests” for handling enquiries, or “contract” where you’re taking steps a customer asks you to take before providing a service).
PCP Example 2: Taking Payments And Issuing Invoices
Taking a payment (online or in-person) usually involves processing customer contact details and transaction information.
Key GDPR points:
- Some data processing is necessary to perform a contract (eg delivering the product/service the customer paid for).
- If you use third-party payment providers, you should understand who is responsible for what (data controller vs processor) - and in many setups, payment providers act as independent controllers for some of the processing.
- Keep finance data secure and limit staff access to those who actually need it.
PCP Example 3: Online Accounts, Subscriptions, And Customer Portals
If customers create accounts, save payment details, or manage subscriptions, you’re likely processing more data over a longer period - which increases compliance risk.
Key GDPR points:
- You’ll need clear retention rules (how long you keep account data).
- You should document your lawful basis for different activities (account management vs marketing).
- You need a straightforward way for customers to exercise GDPR rights (eg access requests, deletion requests).
PCP Example 4: Email Marketing And Newsletters
This is one of the most common areas where small businesses trip up.
Key GDPR points:
- Marketing rules also involve PECR (Privacy and Electronic Communications Regulations), not just UK GDPR.
- Whether you need consent depends on who you’re marketing to (individuals vs corporate subscribers) and how you got the email address - and there are specific rules (including the “soft opt-in” in some cases).
- You should keep records showing how/when someone opted in (if you rely on consent) and make opting out easy.
PCP Example 5: Cookies And Website Analytics
If your website uses analytics or marketing tools, you may process IP addresses and device identifiers.
Key GDPR points:
- Under PECR, cookies (and similar technologies) that aren’t strictly necessary for your site/service generally require user consent - this commonly includes analytics and marketing/advertising cookies.
- Your site should disclose cookie use clearly via a Cookie Policy.
- You should be able to evidence consent where required (and make it easy to withdraw).
PCP Example 6: Delivery, Couriers, And Fulfilment Partners
If you share names, phone numbers, or addresses with couriers or fulfilment partners, you’re processing and disclosing personal data.
Key GDPR points:
- You should only share what’s necessary for the delivery.
- Depending on the arrangement, a courier/fulfilment partner may act as an independent controller (or, in some cases, your processor). If a third party is processing personal data on your behalf as a processor, you’ll typically need a proper data processing agreement.
- You should do basic due diligence on suppliers (security measures, breach processes, and any sub-processors where relevant).
PCP Example 7: CCTV In Shops, Offices, Or Venues
CCTV often counts as personal data if individuals are identifiable, even if you’re only using it for security.
Key GDPR points:
- You should have a clear purpose (eg theft prevention) and avoid “just in case” surveillance.
- Use signage and explain CCTV use in your privacy information.
- Store footage securely and set sensible retention periods.
The goal of these PCP example scenarios isn’t to overwhelm you - it’s to help you quickly identify where GDPR applies in your day-to-day operations, so you can manage risk properly.
How Do You Choose A Lawful Basis For Processing Customer Data?
One of the biggest GDPR concepts is lawful basis. In plain English: you need a legally recognised reason to process personal data.
For many small businesses, the most relevant lawful bases are:
Contract
You can process data if it’s necessary to perform a contract with the customer (or take steps at their request before entering into a contract).
- PCP example: A customer books your services - you use their address and contact details to confirm the booking and provide the service.
Legal Obligation
You can process data if you must do so to comply with law.
- PCP example: Keeping invoices and payment records for tax and accounting obligations.
Legitimate Interests
You can process data if you have a genuine business reason, and it’s not overridden by the individual’s rights and interests. This often means you should think carefully (and in many cases document a legitimate interests assessment / balancing test).
- PCP example: Basic fraud prevention checks, or following up on an enquiry where the customer has asked for information.
Consent
Consent needs to be freely given, informed, specific, and easy to withdraw.
- PCP example: A customer ticks an unticked checkbox to receive marketing emails, and you keep a record of that opt-in.
A common mistake is trying to rely on consent for everything. For many businesses, “contract” and “legal obligation” do the heavy lifting, while consent is most relevant for certain direct marketing scenarios and non-essential cookies/technologies.
If you’re unsure which lawful basis applies in your situation, it’s worth getting advice - choosing the wrong basis (or not being consistent) can create compliance issues later, especially if you receive a complaint or a subject access request.
What GDPR Documents Should You Have In Place As A Small Business?
Once you’ve identified your PCP example activities (how you process customer data), the next step is making sure the paperwork and customer-facing information matches what you actually do.
For most SMEs, these are the key documents to consider:
Privacy Information (Privacy Policy)
Your privacy information should clearly explain:
- what personal data you collect
- why you collect it (purposes and lawful bases)
- who you share it with (eg couriers, software providers)
- how long you keep it
- customers’ rights under UK GDPR
- how to contact you about data protection
This is typically done through a Privacy Policy on your website, plus just-in-time notices where appropriate (eg at the point of data collection).
Cookie Disclosures
If your site uses cookies beyond what’s strictly necessary, you’ll generally need clear cookie disclosures and (in many cases) consent tools.
A properly drafted Cookie Policy helps you explain what cookies you use and why, in a way customers can actually understand.
Processor Contracts
If a supplier processes personal data on your behalf (common examples include email marketing tools, CRMs, cloud hosting, booking platforms), you may need a written contract with specific clauses required under the UK GDPR.
That’s where a data processing agreement often comes in.
Terms That Match Your Data Use
Your customer-facing terms don’t replace your GDPR obligations, but they should line up with how you operate - especially if you run an online business, take bookings, or offer subscriptions.
For example, your Website Terms and Conditions can help set expectations about accounts, acceptable use, and service communications (while your privacy documents cover the GDPR-specific privacy information).
If you want a more “done-with-you” approach to compliance, a packaged solution like a GDPR package can be a practical way to cover the essentials without missing key steps.
Security, Data Breaches, And Retention: The Practical Compliance Steps People Forget
GDPR compliance isn’t just about having the right policies on your website. You also need operational practices that match what you’re promising customers.
Here are the areas small businesses often overlook - and where issues can escalate quickly.
Data Security Should Be Proportionate (But Real)
You’re expected to take “appropriate technical and organisational measures” to protect personal data. That doesn’t mean enterprise-level security tools - but it does mean you should have sensible safeguards, such as:
- strong passwords and multi-factor authentication on key systems
- limited staff access to customer data (need-to-know basis)
- secure device practices (screen locks, encryption where possible)
- staff training on phishing and suspicious requests
- secure disposal of paper records
Have A Plan For Data Breaches
A data breach isn’t only a hacker. It can also be:
- sending an email to the wrong customer
- losing a laptop with customer data
- accidentally giving account access to the wrong person
Having a clear internal process can reduce panic and improve your response time. A data breach response plan can help you set out who does what, how to investigate, and when you may need to notify the ICO and affected customers.
Retention: Don’t Keep Data “Forever”
A lot of businesses hold onto customer data indefinitely because it feels safer or more convenient. GDPR generally expects you to keep personal data only as long as you need it for the purpose you collected it.
PCP example: If a customer made an enquiry three years ago and never became a customer, do you still need their full enquiry history sitting in your inbox?
Retention is one of those compliance areas that’s easier to set up early than to fix later - especially once you’re dealing with multiple systems and staff members.
Key Takeaways
- A PCP example under GDPR can be as simple as collecting enquiries through a contact form or sharing a delivery address with a courier - “processing” covers almost anything you do with personal data.
- Most small businesses process customer data under lawful bases like contract, legal obligation, or legitimate interests; consent is most relevant for certain direct marketing and cookies/technologies (and PECR also applies).
- Your customer-facing documents should match your real-world practices, including a clear Privacy Policy and (where relevant) a Cookie Policy.
- If suppliers handle personal data for you, you may need GDPR-compliant contracts such as a data processing agreement and you should do basic due diligence on their security.
- Practical compliance matters: proportionate security measures, clear retention periods, and a workable data breach response plan can significantly reduce your risk.
- If you’re not sure whether your processing is compliant, getting advice early is usually far cheaper (and less stressful) than fixing issues after a complaint or data breach.
If you’d like help getting your GDPR setup right - including your Privacy Policy, cookie disclosures, and data processing agreements - you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.