Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business, you probably handle more information than you realise. Customer enquiries, online orders, staff records, CCTV footage, marketing lists, invoices, delivery details - it all adds up.
And under the UK GDPR and the Data Protection Act 2018, a lot of that information is classed as personal data. That means there are rules around how you collect it, store it, use it, share it, and delete it.
Getting GDPR personal data right doesn’t have to be complicated, but it does require a clear understanding of what “personal data” actually is and how it shows up in everyday business processes. Once you know what to look for, you can put practical protections in place from day one.
What Is Personal Data Under The UK GDPR (In Plain English)?
Under the UK GDPR, personal data is any information relating to an identified or identifiable living individual.
In other words: if someone can be identified directly (like by name) or indirectly (like by combining a few details), it’s likely personal data.
What Does “Identifiable” Mean For A Business?
“Identifiable” doesn’t just mean you can identify someone immediately from one piece of information. It also includes situations where you (or someone else) could identify them by reasonably linking that information with other data you hold.
For example:
- An email address like jane.smith@company.com obviously identifies a person.
- A customer number might identify someone if you can match it to your CRM records.
- A delivery address might identify someone even if you don’t have their name on file.
This is where many small businesses accidentally underestimate what counts as personal data under GDPR. If your systems can “join the dots”, it counts.
Personal Data Vs Company Data
A common trap is assuming that “business contact details” aren’t personal data. Sometimes they are, sometimes they aren’t.
- Company-only contact details (like info@businessname.co.uk or a generic switchboard number) are less likely to be personal data.
- Named work contact details (like sarah.jones@businessname.co.uk or “Sarah Jones, Sales Manager”) usually are personal data, because they relate to an identifiable individual.
Even if you mainly work B2B, you should assume you’re still dealing with personal data unless you’ve checked carefully.
Examples Of Personal Data Small UK Businesses Handle Every Day
Personal data isn’t just “someone’s name”. In most businesses, it appears across sales, marketing, operations, HR, finance, and customer service.
Here are common examples of personal data you may be collecting or storing:
- Contact details: name, phone number, email address, postal address
- Online identifiers: IP addresses, cookie identifiers, device IDs
- Customer/account details: customer reference numbers, order history, usernames
- Financial-related data: bank account details, payment references, transaction IDs (note: not all payment data is personal data, but a lot of it will be if it links to an individual)
- Location data: delivery routes, appointment locations, check-in data
- Communications: emails, webform messages, call logs, customer support tickets
- Images and video: CCTV footage, event photography, staff profile photos
- Employment-related records: payroll details, performance notes, emergency contact details
One practical way to spot personal data is to ask: “Could this piece of information be linked back to a person?” If yes, treat it as personal data and handle it carefully.
Also worth noting: day-to-day communications like emails often contain personal data, even if the legal purpose of the email is something else entirely.
What About “Special Category” Data And Criminal Offence Data?
Not all personal data carries the same risk. The UK GDPR sets out higher protections for certain types of information because misuse could cause more serious harm.
Special Category Personal Data
Special category data includes information revealing (among other things):
- health information
- racial or ethnic origin
- religious or philosophical beliefs
- trade union membership
- biometric data (where used for identification)
- genetic data
- sex life or sexual orientation
Small businesses commonly handle special category data without realising it - for example, if you keep medical notes for staff absence management, collect dietary requirements for events, or record accessibility needs for customers.
If you process special category data, you typically need a lawful basis and an additional condition for processing (and you should be extra careful about security, retention, and access).
Criminal Offence Data
Criminal offence data (such as criminal record checks) is another higher-risk area. This can come up if you’re hiring for roles involving children, vulnerable adults, or high-trust responsibilities.
If you’re employing staff and you’re not sure what you can ask for, store, or share internally, it’s often helpful to set expectations in an Acceptable Use Policy and related HR policies - and to keep access tightly controlled.
How Should UK Businesses Handle Personal Data In Practice?
Once you accept you’re handling personal data, the next step is building practical habits and systems around it.
The UK GDPR isn’t about creating paperwork for the sake of it. It’s really about accountability - being able to show you handle data fairly, transparently, and securely.
1. Be Clear On Why You’re Collecting The Data (Purpose Limitation)
Before you collect personal data, you should be able to explain:
- what you’re collecting
- why you need it
- how you’ll use it
- how long you’ll keep it
If you collect data “just in case it’s useful later”, that’s where GDPR risk tends to creep in.
2. Collect Only What You Need (Data Minimisation)
Small businesses often ask for too much information in forms because it feels efficient. But under GDPR, you should collect only what’s relevant and necessary.
For example:
- If you’re shipping products, you likely need a name and address - but you probably don’t need a date of birth.
- If you’re running a newsletter, you might only need an email address - not a full address and phone number.
3. Tell People What You’re Doing (Transparency)
This is where a good Privacy Policy matters. It’s one of the simplest ways to explain, in plain language, what data you collect and how you use it.
Transparency also includes how you handle marketing. If you’re emailing marketing content, you’ll need to think about consent and e-privacy rules alongside GDPR.
4. Keep It Secure (Integrity And Confidentiality)
Security isn’t just “having a password”. It’s about taking appropriate technical and organisational steps, based on the nature of your business and the sensitivity of the data.
Practical security measures for small businesses often include:
- strong passwords and multi-factor authentication on key systems
- restricting access (so only people who need the data can see it)
- encrypting laptops/devices, especially for remote work
- secure disposal of paper records
- staff training (because many breaches start with human error)
If you want something practical to build around, a Data Breach Response Plan can help you map out what you’ll do if something goes wrong (and it’s a good way to demonstrate you’ve thought about breach response, which the ICO generally encourages).
5. Don’t Keep It Forever (Storage Limitation)
You should have a retention approach (even a simple one) that answers:
- how long you keep customer records
- how long you keep marketing lists
- how long you keep unsuccessful job applicant data
- how long you keep supplier contact info
This doesn’t mean you have to delete everything quickly. It means you keep data for a sensible business reason (and to meet any legal obligations that apply to you, such as record-keeping requirements) - and you delete or anonymise when it’s no longer needed. (This is general information only and isn’t tax advice.)
When You Share Data Or Use Service Providers: What Should You Put In Place?
Most small businesses don’t process all personal data entirely “in-house”. You might use third parties for things like:
- cloud storage and email hosting
- accounting and payroll
- CRM and marketing email tools
- booking systems
- website analytics
When a supplier processes personal data on your behalf, they’re often acting as a data processor, and you (as the business) are often the data controller.
Why This Matters
Even if a third party causes the issue, you may still carry GDPR risk because you chose the provider and you control why the data is being processed. This is why GDPR places obligations on selecting processors carefully and putting appropriate contracts in place.
In many cases, you’ll need a Data Processing Agreement (or equivalent data processing clauses) to make sure the relationship is properly governed.
Practical Checklist For Working With Suppliers
Before you share personal data with a service provider, it’s sensible to check:
- What data are we sharing, and why?
- Where will it be stored (UK only, or overseas)?
- Who at the supplier can access it?
- How is it protected?
- What happens if there’s a breach?
- What happens when the service ends - do they return or delete the data?
This is also a good moment to confirm you’re being accurate in your customer-facing disclosures (for example, in your privacy policy) about who you share data with and why.
What If Someone Asks For Their Data Or Wants It Deleted?
Under the UK GDPR, individuals have rights over their personal data. As a business, you need a workable process to respond to requests without chaos (or missing deadlines).
Common Requests You Should Be Ready For
- Subject access requests (asking for a copy of their personal data)
- Correction requests (asking you to fix inaccurate data)
- Deletion requests (often called the “right to be forgotten”)
- Objections (especially around direct marketing)
Even if you’re a small operation, you still need to respond appropriately and within the required timeframe (subject to extensions in some cases).
Having an internal process and an Access Request Form can make it much easier to capture what the person is asking for, confirm identity where appropriate, and track your response.
A Quick Note On Deletion Requests
If someone asks you to delete their data, you don’t always have to delete everything immediately. You may need to keep certain records for legal, accounting, or contractual reasons.
The key is to be clear about:
- what you can delete now
- what you must keep (and why)
- how long you’ll keep the remaining data
- what you’ll do with it in the meantime (for example, restrict access)
This is a classic area where tailored advice matters, because the “right answer” depends on your business model and what records you’re legally required to retain.
Key Takeaways
- Personal data under GDPR is any information that relates to an identified or identifiable living person - and it shows up in most small businesses more than you’d expect.
- Personal data includes obvious details (like names and emails) and indirect identifiers (like customer IDs, IP addresses, and records that can be linked back to someone).
- Some personal data is higher-risk, like special category data (health, biometrics, etc.) and criminal offence data, and it requires extra care.
- To handle personal data properly, focus on practical GDPR principles: collect only what you need, be clear about why you need it, keep it secure, and don’t keep it forever.
- If you use suppliers who process personal data for you, it’s often important to have appropriate data processing terms in place, such as a Data Processing Agreement.
- You should be ready for data rights requests (like subject access or deletion) with a clear internal process so you can respond within the required timeframes.
If you’d like help getting your GDPR compliance set up properly - whether that’s a Privacy Policy, data processing terms, or a full GDPR pack tailored to your business - you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat.