Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business, you probably collect customer details every day - names, email addresses, delivery locations, booking info, and payment references.
That data helps you deliver your service, follow up with customers, and grow your business. But it also creates legal responsibilities.
This is where storing customer information under GDPR becomes more than just a compliance buzzword. Under the UK GDPR and the Data Protection Act 2018, you need to store customer information lawfully, securely, and for the right amount of time - and you need to be able to show you’re doing it properly.
Below, we break down what UK SMEs need to know in plain English, with practical steps you can actually implement.
What Counts As “Customer Information” Under GDPR?
Under the UK GDPR, “personal data” is any information that relates to an identified or identifiable individual. In other words, if you can use it (alone or with other info you hold) to work out who someone is, it’s personal data.
For UK SMEs, customer information commonly includes:
- Contact details (name, email address, phone number, postal address)
- Account details (usernames, customer IDs, order history, login details)
- Transactional details (invoices, receipts, refunds, delivery info)
- Communications (support emails, chat logs, call recordings where applicable)
- Marketing data (newsletter signups, preferences, tracking/analytics identifiers)
Some customer data might also be special category data (which has stricter rules), such as health information or biometric data. Even if you’re not a “health business”, this can crop up - for example, if customers tell you medical needs for bookings, accessibility requests, dietary requirements, or allergies.
Once you’re storing customer information, GDPR obligations are triggered. That includes digital storage (CRMs, email inboxes, spreadsheets, cloud drives) and paper storage (printed order forms, signed agreements, handwritten notes).
What Does GDPR Require When Storing Customer Information?
When people search “storing customer information GDPR”, they’re usually trying to answer a simple question: what do I have to do to store this data legally and safely?
At a practical level, UK GDPR requires you to follow core principles when you store personal data, including:
1) You Need A Lawful Basis
You can’t store customer data “just because it might be useful later”. You need a lawful basis under UK GDPR (Article 6). Common ones for SMEs include:
- Contract - you need the data to deliver goods or services (e.g. delivery address).
- Legal obligation - you must keep certain records (most commonly tax and accounting records). Exactly which records you must keep, and for how long, is an accounting question, so check with your accountant if you’re unsure.
- Legitimate interests - you have a genuine business reason that isn’t overridden by customer rights (e.g. basic fraud prevention).
- Consent - typically used for certain marketing activities, especially where rules require opt-in.
A common trap is relying on consent when you don’t need it (and then forgetting you must allow withdrawal easily). For most sales/fulfilment data, “contract” or “legal obligation” is more appropriate.
2) You Must Be Transparent
Customers have a right to know what you collect, why you collect it, how long you keep it, and who you share it with.
Most businesses communicate this through a Privacy Policy. The key is that it needs to match reality - not just sound good on paper.
3) Data Minimisation: Only Keep What You Need
GDPR expects you to keep personal data “adequate, relevant and limited” to what you need. As a small business, this is actually a big advantage - you can design lean systems from day one.
Ask yourself:
- Do we really need date of birth for this service?
- Do we need a full address, or just an email?
- Can we avoid collecting special category data unless it’s essential?
4) Accuracy: Keep It Up To Date
If you store old or incorrect details, you’re increasing risk - misdeliveries, privacy breaches (sending info to the wrong person), and unhappy customers.
Practical fix: build in regular “data clean” habits (for example, prompt customers to confirm details during reorders or annual renewals).
5) Storage Limitation: Don’t Keep It Forever
This is one of the most misunderstood parts of storing customer information under GDPR. You can’t keep personal data indefinitely “just in case”. You need a reason, and you should set retention periods.
We’ll cover data retention in more detail below.
6) Security: Protect It Properly
You’re required to keep personal data secure using “appropriate technical and organisational measures”. What’s “appropriate” depends on your business size, the type of data, and the risk - but SMEs are absolutely expected to take this seriously.
This includes practical controls like:
- Strong passwords and multi-factor authentication (MFA)
- Access controls (only staff who need it should have access)
- Encryption for devices and backups where appropriate
- Secure disposal of paper records (shredding)
- Policies and staff training (especially if you have a team)
If your team uses work devices (or personal phones/laptops) you’ll also want to think about an Acceptable Use Policy so everyone understands what’s allowed and what isn’t.
Where Can You Store Customer Data (And What Are The Risks)?
There’s no single “approved” system for storing customer information under GDPR. But wherever you store it, you need to manage risk and be able to justify your approach.
Here are common storage methods used by UK SMEs, and what to watch for.
Email Inboxes
It’s normal for customer data to live in emails - booking requests, receipts, support issues, attachments.
Key risks:
- Too many people have inbox access
- Old emails get kept forever with no retention rules
- Accidental forwarding to the wrong recipient
- Attachments containing sensitive information aren’t controlled
Practical steps:
- Restrict shared inbox access
- Use folder structures and deletion rules
- Move key data into your main system (CRM / booking platform) rather than leaving it scattered
Spreadsheets And Local Files
Lots of SMEs start with spreadsheets. They’re simple and cheap - but they can become a GDPR headache if they grow messy.
Key risks:
- Files get emailed around without version control
- They’re stored on unsecured laptops
- Hard to audit who accessed what
Practical steps:
- Use access-controlled cloud storage rather than emailing files
- Encrypt laptops and require strong logins
- Set clear naming conventions and retention rules
CRM Systems, Booking Platforms And Cloud Tools
Using a reputable platform can improve security - but it doesn’t remove your obligations. If your suppliers process personal data on your behalf, they’re generally “processors” and you’re the “controller”.
Where a supplier acts as your processor, UK GDPR requires a written contract containing specific terms - usually called a Data Processing Agreement, and often built into the supplier’s standard terms. Check that the terms you’ve signed up to actually cover this, rather than assuming they do.
Key risks:
- Not understanding where data is hosted or who has access
- Staff permissions are too broad
- No process for deleting data when it’s no longer needed
Paper Records
Paper records still count. If you keep customer intake forms, signed contracts, printed delivery manifests, or handwritten notes, you need to secure them.
Key risks:
- Documents left on desks or in vehicles
- No lockable storage
- Improper disposal
Practical steps:
- Lockable cabinets and controlled access
- Clear rules for taking documents offsite
- Shredding as standard disposal
How Long Can You Keep Customer Information Under GDPR?
GDPR doesn’t set one universal “data retention period”. Instead, it requires you to keep data no longer than necessary for the purpose you collected it.
For SMEs, it helps to think in categories of data and reasons for keeping it.
Common Reasons SMEs Keep Customer Data
- To fulfil current orders or services (contract performance)
- To manage returns, complaints, and warranty issues (contract/legitimate interests)
- To keep tax and accounting records (legal obligation) - this is general information only, and you should speak to your accountant about what you need to keep for your specific situation.
- To defend legal claims (legitimate interests)
- To market to existing customers. This often depends on the channel, because the Privacy and Electronic Communications Regulations (PECR) apply alongside GDPR: email and SMS marketing usually needs consent unless the “soft opt-in” applies (existing customers, similar products, and an easy opt-out offered at collection and in every message), while some postal marketing can rely on legitimate interests with a clear opt-out.
Where businesses get caught out is keeping everything forever because it feels safer. In reality, unnecessary retention increases your risk - if you suffer a cyber incident, you’re exposed for more data than you needed to hold.
What Should A Small Business Do In Practice?
Most SMEs benefit from a simple retention approach:
- Set retention periods by data type (sales records, customer accounts, marketing lists, support tickets).
- Write them down (even a basic internal retention schedule is a strong start).
- Build deletion into your processes (manual reminders or automated deletion where possible).
- Regularly review what you store and whether you still need it.
If you’re not sure what retention periods make sense for your business model, it’s worth getting tailored advice - especially if you handle sensitive data or operate in a regulated space.
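The retention steps above (set periods by data type, write them down, build deletion into your processes, review regularly) are easiest to keep honest when the schedule is the thing that drives deletion, rather than someone’s memory. The following is an added example, not part of the original article or Sprintlaw’s own tooling. It shows one way to turn a written retention schedule into a repeatable review: each record is classified by data type, the schedule decides when it expires, records under legal hold are kept, withdrawn marketing consent is actioned regardless of the schedule, and every keep/delete decision carries a reason so you can show why it was made later. The data types, retention periods, field names and sample records are all assumptions constructed for the example; the article deliberately gives no figures, so set yours with your accountant or adviser.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Retention schedule in days, keyed by data type. These figures are assumptions
# constructed for this example (the article gives none): agree your own periods
# with your accountant or adviser and write them into your schedule.
RETENTION_DAYS = {
    "sales_record": 6 * 365,     # assumed legal-obligation period (tax/accounting)
    "support_ticket": 2 * 365,   # assumed contract / legitimate-interests period
    "marketing_list": 1 * 365,   # assumed: drop contacts a year after last engagement
}


@dataclass
class Record:
    record_id: str
    customer_id: str
    data_type: str
    last_needed: date                # order date, ticket close date, last opt-in, etc.
    legal_hold: bool = False         # True while the record is needed to defend a claim
    consent_withdrawn: bool = False  # only meaningful for consent-based data


def expiry_date(rec: Record) -> date:
    """Date on which the record falls outside its retention period."""
    if rec.data_type not in RETENTION_DAYS:
        # Refuse to decide for data you have not classified: an unclassified
        # record means the schedule is incomplete, which is the real problem.
        raise ValueError(f"no retention period set for {rec.data_type!r}")
    return rec.last_needed + timedelta(days=RETENTION_DAYS[rec.data_type])


def review(records: list[Record], today: date) -> tuple[list[tuple[str, str]], list[tuple[str, str]]]:
    """Split records into (delete, keep), each paired with a one-line reason.

    Recording the reason next to the decision is what lets you show later
    why a record was erased or retained.
    """
    delete, keep = [], []
    for rec in records:
        if rec.legal_hold:
            keep.append((rec.record_id, "legal hold: needed to defend a claim"))
            continue
        if rec.data_type == "marketing_list" and rec.consent_withdrawn:
            # Withdrawn consent must be actioned whatever the schedule says.
            delete.append((rec.record_id, "consent withdrawn"))
            continue
        expiry = expiry_date(rec)
        if today >= expiry:
            delete.append((rec.record_id, f"{rec.data_type} retention expired on {expiry}"))
        else:
            keep.append((rec.record_id, f"{rec.data_type} retained until {expiry}"))
    return delete, keep


# Constructed sample data: one customer (cust-7) with three kinds of record,
# plus a second customer's order that is under legal hold.
SAMPLE = [
    Record("ord-1001", "cust-7", "sales_record", date(2023, 3, 1)),
    Record("tkt-2002", "cust-7", "support_ticket", date(2022, 6, 15)),
    Record("mkt-3003", "cust-7", "marketing_list", date(2024, 1, 10), consent_withdrawn=True),
    Record("ord-1002", "cust-8", "sales_record", date(2018, 1, 1), legal_hold=True),
]
REVIEW_DATE = date(2025, 1, 1)  # the "today" used for the sample run

if __name__ == "__main__":
    to_delete, to_keep = review(SAMPLE, REVIEW_DATE)
    for rid, why in to_delete:
        print("DELETE", rid, "-", why)
    for rid, why in to_keep:
        print("KEEP  ", rid, "-", why)
```

Note that cust-7’s support ticket and marketing entry are deleted while the sales record is kept: retention is decided per data type and purpose, not per customer, which is exactly why the schedule should be written by category. Running this on a timer against your CRM or spreadsheet export, and keeping the printed reasons, gives you both the deletion and the audit trail.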
What About Subject Access Requests And Customer Rights?
Storing customer information under GDPR isn’t just about keeping it secure. You also need to be able to find it, provide it, correct it, or delete it when required.
Customers have rights over their personal data, including the right to:
- Access their personal data (often called a “subject access request”)
- Rectification (correct inaccurate data)
- Erasure (delete data in certain circumstances)
- Restrict processing (limit how it’s used)
- Object to certain processing (like some marketing)
For small businesses, the key is having a workable internal process. You don’t need a large compliance team - but you do need to respond without undue delay and within the GDPR timeframe (one month from receipt, extendable in some complex cases), verify who is asking, and avoid disclosing someone else’s data by mistake.
Many businesses use a simple Access Request Form to help manage requests consistently.
Also, if you use tracking tools on your website, cookie-related data can still be personal data in many cases. Separately, the rules under PECR generally require consent for non-essential cookies and similar tracking technologies. That’s why it’s important your Cookie Policy and consent settings align with what your site actually does.
How Do You Keep Customer Data Secure (Without Overcomplicating It)?
Security can feel intimidating, but for SMEs the biggest wins often come from a handful of basic controls done well.
Practical Security Steps For UK SMEs
- Limit access: only give customer data access to team members who truly need it.
- Use MFA: especially for email, cloud drives, CRM tools, and admin accounts.
- Secure devices: encryption, automatic screen locks, and password policies.
- Backups: tested backups that are protected from unauthorised access.
- Train your team: a large share of reported breaches start with human error (phishing, emailing the wrong recipient, weak or reused passwords).
- Plan for incidents: know what you’ll do if something goes wrong.
It’s also worth having a documented incident process, because if you have a breach you need to assess it promptly and, where it is likely to result in a risk to individuals, notify the ICO within 72 hours of becoming aware of it (and, where the risk is high, tell the affected individuals too). A Data Breach Response Plan can make a stressful situation much more manageable.
If you want a more joined-up compliance approach (rather than patching things as you grow), some businesses put foundational documents and processes in place through a GDPR package.
Key Takeaways
- Storing customer information under GDPR isn’t just about cybersecurity - it’s about lawful basis, transparency, retention, security, and being able to action customer rights.
- Customer information includes anything that can identify a person, whether stored digitally (CRM, email, spreadsheets) or on paper.
- You should only collect and keep the customer data you need, for as long as you need it - and you should be able to justify your retention periods.
- Security should be practical and proportionate, but it must be real (access controls, MFA, secure devices, staff training, and clear procedures).
- You need a workable process for subject access requests and other customer data rights, so you can respond promptly and safely.
- Having the right documents in place (like a Privacy Policy and processor terms) helps you show compliance and reduce risk as your business grows.
If you’d like help getting your data protection practices in shape - whether that’s reviewing your Privacy Policy, tightening your data handling processes, or putting the right GDPR documentation in place - you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.