Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business, you probably deal with personal data every single day - even if you don’t think of it that way.
It could be customer emails in your CRM, staff details in payroll, CCTV footage in your shop, or even a WhatsApp message from a client. The challenge is that once you collect personal data, the UK GDPR and the Data Protection Act 2018 start to matter.
Don’t worry - GDPR compliance doesn’t have to be overwhelming. When you understand what personal data is (and what it isn’t), you can put practical processes in place that protect your business and build customer trust from day one.
What Is Personal Data (And Why Does It Matter For Your Business)?
Under UK GDPR, personal data means any information that relates to an identified or identifiable living individual.
That definition is wider than most business owners expect. It’s not just “private” information - it’s anything that can identify someone directly or indirectly.
Common Examples Of Personal Data In Small Businesses
Here are everyday examples of personal data you might be processing:
- Contact details (names, phone numbers, email addresses, delivery addresses)
- Customer account details (usernames, account IDs, purchase history linked to a person)
- Employee information (NI numbers, emergency contacts, bank details, performance notes)
- Device and online identifiers (IP addresses, cookie identifiers, ad IDs)
- Images and footage (CCTV or photos where individuals can be recognised)
- Voice recordings (call recordings, voice notes)
- Communications (emails, chat logs, support tickets linked to a person)
What matters is whether the information can identify someone - on its own or when combined with other information you hold.
What Isn’t Personal Data?
Not everything you store is personal data. For example:
- Truly anonymised data (where individuals can’t be identified at all, even with other data you hold)
- Company-only information (like a generic business email that doesn’t identify a person, e.g. info@company.com - although in practice, many “business” emails do identify individuals, like jane@company.com)
- Aggregated statistics that don’t identify individuals (e.g. “40% of customers are based in London”)
Be careful with “anonymised” data. If you (or anyone who gets hold of the data) can still link it back to a person with reasonable effort - for example, by matching a retained customer ID or an unsalted hash of an email address back to your customer records - it is still personal data. UK GDPR calls this “pseudonymised” data, and it stays within the rules; only data that cannot be re-linked to an individual by any means reasonably likely to be used is truly anonymised.
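To make the pseudonymised-versus-anonymised distinction concrete, here is an added Python example (it is not code from the original article or from Sprintlaw). It uses a constructed three-row customer list and shows three things: an “anonymised” export that keeps the internal customer ID is re-identified with a simple join; an export that replaces the email with an unsalted SHA-256 hash is reversed by recomputing the hashes of the emails the business already holds; and a keyed HMAC pseudonym resists that lookup for an outsider without the key, but the business still holds the key, so the data remains personal data in its hands. The final function produces the kind of aggregate statistic the article says is not personal data. The customer names, emails, IDs and the demo key are all assumptions made up for the example.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample data for this example (not from the original article).
# The business's customer master record, as it might sit in a CRM:
CUSTOMERS = [
    {"customer_id": "C-1001", "name": "Jane Example", "email": "jane@example.com", "city": "London"},
    {"customer_id": "C-1002", "name": "Sam Sample", "email": "sam@example.net", "city": "Leeds"},
    {"customer_id": "C-1003", "name": "Ali Test", "email": "ali@example.org", "city": "London"},
]

# An "anonymised" export handed to an analytics tool: names and emails removed,
# but the internal customer ID kept so rows can be joined later.
EXPORT_BY_ID = [
    {"customer_id": "C-1001", "orders": 7},
    {"customer_id": "C-1002", "orders": 1},
    {"customer_id": "C-1003", "orders": 3},
]


def sha256_hex(text: str) -> str:
    """Plain, unsalted SHA-256 of a string, hex-encoded."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# A second export that replaces each email with its unsalted SHA-256 hash.
HASHED_EXPORT = [
    {"email_hash": sha256_hex(c["email"]), "orders": n}
    for c, n in zip(CUSTOMERS, (7, 1, 3))
]


def reidentify_by_id(export, customers):
    """Join the export back to named customers via the retained customer ID.

    Anyone holding both tables can do this, so the export is pseudonymised,
    not anonymised, and it remains personal data.
    """
    by_id = {c["customer_id"]: c["name"] for c in customers}
    return {r["customer_id"]: by_id[r["customer_id"]] for r in export if r["customer_id"] in by_id}


def reverse_hashed_emails(export, candidate_emails):
    """Reverse unsalted email hashes by recomputing the hash of each candidate
    email and looking it up (a dictionary attack). Whoever can guess or already
    holds the inputs can do this, so hashing alone does not anonymise.
    """
    table = {sha256_hex(e): e for e in candidate_emails}
    return {r["email_hash"]: table[r["email_hash"]] for r in export if r["email_hash"] in table}


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 with a secret key. An outsider without the key cannot rebuild
    the lookup table, but the business still holds the key and can re-link the
    rows, so this is still pseudonymisation rather than anonymisation.
    """
    return hmac.new(key, email.encode("utf-8"), hashlib.sha256).hexdigest()


def share_of_customers_in_city(customers, city):
    """An aggregate statistic with no row-level detail: the kind of output the
    article treats as not personal data (given a large enough population)."""
    counts = Counter(c["city"] for c in customers)
    return round(100 * counts[city] / len(customers))


if __name__ == "__main__":
    emails = [c["email"] for c in CUSTOMERS]
    print("Re-identified via retained ID:", reidentify_by_id(EXPORT_BY_ID, CUSTOMERS))
    print("Reversed unsalted hashes:", reverse_hashed_emails(HASHED_EXPORT, emails))
    key = b"example-secret-key"  # assumed demo key; kept out of the export
    keyed = [{"email_hash": keyed_pseudonym(e, key), "orders": 0} for e in emails]
    print("Reversed keyed hashes without the key:", reverse_hashed_emails(keyed, emails))
    print("Share of customers in London:", share_of_customers_in_city(CUSTOMERS, "London"), "%")
```

The practical check before calling a dataset “anonymised” is to ask whether anyone with the other data you hold (IDs, email lists, keys) could run the equivalent of `reidentify_by_id` or `reverse_hashed_emails` against it. If yes, treat it as personal data and keep it inside your GDPR processes.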
Personal Data vs Special Category Data: What’s The Difference?
Some personal data is treated as more sensitive under UK GDPR. This is called special category data, and it comes with extra rules and higher risk.
Special category data includes information about a person’s:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric data used for identification (for example, fingerprint access control)
- health information
- sex life or sexual orientation
There’s also a separate category commonly called “criminal offence data” (information about criminal convictions and offences), which has its own restrictions.
Why This Matters For Small Businesses
Many businesses assume special category data is only relevant to hospitals or big employers. In reality, you might be processing it if you:
- collect medical information for staff absences or accommodations
- run a gym, wellness studio, clinic, or health service
- use biometric timekeeping or access systems
- record dietary requirements that reveal religious beliefs (depending on context)
If you process special category data, you generally need both a lawful basis for processing and a separate condition that allows you to process special category data.
If you’re not sure what category of data you hold, it’s worth getting advice early. Special category data is one area where “we’ll deal with it later” can turn into a compliance headache.
How Should You Handle Personal Data Under UK GDPR?
UK GDPR doesn’t just say “be careful”. It sets out core principles that should guide how you handle personal data in your business.
Think of these as your compliance foundation - the rules you should be able to explain (and evidence) if you’re ever challenged by a customer, a supplier, an employee, or the ICO.
1. Be Clear And Fair (Transparency And Lawfulness)
You should process personal data fairly, lawfully, and transparently. Practically, that means:
- you tell people what you’re doing with their personal data
- you don’t use it in a way they wouldn’t reasonably expect
- you have a valid “lawful basis” (more on this below)
Most small businesses deal with transparency through a properly drafted Privacy Policy and (where relevant) clear privacy notices at the point of collection (for example, checkout pages, enquiry forms, or onboarding packs).
2. Only Use Data For Specific Purposes (Purpose Limitation)
You should collect personal data for specific, explicit purposes - and not later use it in a way that doesn’t match those purposes.
For example, if you collect customer details to deliver a product, that doesn’t automatically mean you can add them to marketing lists unless you’ve got the right permissions and comply with the UK’s e-privacy marketing rules (PECR), or you can clearly rely on another lawful basis where that’s permitted.
3. Don’t Collect More Than You Need (Data Minimisation)
A practical GDPR habit is asking: Do we actually need this?
If your contact form asks for a home address when you only need an email address to respond, you’re collecting more personal data than necessary - which increases your compliance burden and your risk if there’s a breach.
4. Keep It Accurate (Accuracy)
If personal data is inaccurate, you should correct it (or delete it) without undue delay.
This matters in customer databases, but also in HR records. Inaccurate data can lead to operational mistakes (like sending the wrong person’s information, or paying wages incorrectly) and can also create legal exposure.
5. Don’t Keep It Forever (Storage Limitation)
You should only keep personal data for as long as you need it for the purpose you collected it.
In reality, retention is one of the most common weak spots for growing businesses. You start with “we’ll just keep it in case” - and years later, you’ve got outdated personal data everywhere.
A good approach is to set retention rules by category (customer orders, invoices, marketing leads, employee records, CCTV footage) and build them into your processes. This is also where an overall GDPR package can be helpful, because it forces you to document what you keep and why.
6. Keep It Secure (Integrity And Confidentiality)
You’re expected to take appropriate technical and organisational steps to protect personal data.
For a small business, “appropriate” usually includes:
- using strong passwords and multi-factor authentication where possible
- limiting access (only staff who need the data should have access)
- encrypting devices and using reputable cloud storage
- training staff on phishing and social engineering risks
- having clear policies about personal devices and accounts used for work
If you’ve got a team, it’s often worth formalising expectations with an Acceptable Use Policy so staff understand what’s okay (and what isn’t) when handling customer and employee personal data.
7. Be Able To Prove It (Accountability)
This is the part many businesses miss: GDPR isn’t just about doing the right thing - it’s about being able to demonstrate that you’re doing the right thing.
That can mean keeping:
- basic records of what personal data you hold and why
- contracts with suppliers who process data for you
- documented security steps
- breach response procedures
What Lawful Basis Do You Need To Use Personal Data?
To process personal data, you need a valid “lawful basis” under UK GDPR.
For most small businesses, the main lawful bases you’ll rely on are:
Contract
You can process personal data where it’s necessary to perform a contract with the individual (or take steps at their request before entering a contract).
Example: taking payment details and delivery info to fulfil an online order.
Legal Obligation
You can process personal data where you must do so to comply with a legal obligation.
Example: payroll and tax records.
Legitimate Interests
You can process personal data where it’s necessary for your legitimate interests (or those of a third party), balanced against the person’s rights and expectations.
Example: basic fraud prevention, network security monitoring, and some limited marketing activities where permitted - noting that direct marketing by email/SMS is also regulated by PECR and often requires consent.
Legitimate interests can be useful, but it’s not a “free pass”. You should still check that what you’re doing is proportionate and that people would reasonably expect it.
Consent
You can process personal data if the person has given valid consent (freely given, specific, informed, unambiguous - and easy to withdraw).
Example: email marketing sign-ups where someone ticks an opt-in box.
In practice, many businesses lean on consent when they don’t need to - and that can backfire, because consent can be withdrawn. Often, contract or legitimate interests might be a better fit, depending on the activity.
If you’re processing special category data, you’ll need extra conditions as well - so it’s worth getting this part right upfront.
Practical GDPR Steps: A Simple Personal Data Checklist For Small Businesses
GDPR can feel like a big framework, but the day-to-day compliance steps are usually straightforward once you know what to prioritise.
Step 1: Map What Personal Data You Collect
Start by listing what personal data you collect and where it sits, for example:
- website forms and cookies
- email inboxes
- accounting and invoicing tools
- HR folders and payroll systems
- booking platforms, CRMs, marketing tools
- CCTV or access control systems
This sounds basic, but it’s the foundation for everything else (privacy notices, retention, security, breach response).
Step 2: Check Your Customer-Facing Information
If you collect personal data through your website or sales process, make sure you have:
- a clear privacy policy and cookie information (where relevant)
- proper opt-in wording for marketing (where required under PECR)
- an explanation of how people can contact you about privacy rights
Step 3: Put Supplier Contracts In Place
If you use service providers who handle personal data for you (think website hosts, email marketing tools, cloud storage, booking systems), you may need appropriate data processing terms in place, including UK GDPR Article 28 processor clauses where a supplier is acting as your processor.
This is especially important when suppliers store data outside the UK, or where they have broad access to your customer and employee personal data.
Step 4: Train Your Team (And Document It)
Most personal data problems in small businesses happen because someone made a simple mistake - sending an email to the wrong person, sharing a spreadsheet incorrectly, falling for a phishing email, or using unsecured devices.
Training doesn’t need to be complicated, but it should be regular and practical, and you should keep records that it happened.
Step 5: Be Careful With Monitoring, CCTV, And Audio
If you monitor staff or visitors (for example, CCTV in a shop or surveillance in a warehouse), you’re likely processing personal data.
Before rolling out cameras, make sure you’ve thought through the privacy implications and your policies. A quick sense-check: cameras in the workplace can be lawful, but you usually need a clear purpose, proportional use, and transparency.
The same applies to online monitoring. If you’re considering tracking staff activity on work devices, be cautious - internet monitoring at work raises privacy and fairness issues, and you’ll want a policy-backed approach.
Step 6: Have A Plan For Data Breaches
A personal data breach isn’t just a hacker story. It can include:
- lost laptops or phones
- misdirected emails
- unauthorised access by staff
- accidentally publishing customer details
When something goes wrong, the clock starts ticking quickly: where a breach is likely to result in a risk to individuals, you must notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it, and where the risk is high you must also tell the affected individuals. Having a Data Breach Response Plan means you’re not making high-stakes decisions under pressure.
Step 7: Set Up A Process For Subject Access Requests (SARs)
Individuals can ask you for access to the personal data you hold about them (this is a “subject access request”).
This is one of those GDPR obligations that can catch small businesses off guard, because requests can come in through informal channels - even social media messages - and they don’t need to mention “GDPR” or “subject access” to count. You generally have one calendar month to respond, so every member of staff who deals with the public should know how to recognise a request and who to pass it to.
It helps to have a consistent internal process and template, and you can also use an Access Request Form to manage requests efficiently and keep the scope clear.
Key Takeaways
- Personal data is any information relating to an identified or identifiable living person - and most businesses handle it daily (customers, staff, marketing leads, and online identifiers).
- Special category data (like health information or biometric data) is more heavily regulated, so you’ll want extra care and clear justification if you process it.
- To use personal data lawfully, you need a lawful basis (commonly contract, legal obligation, legitimate interests, or consent).
- Good GDPR handling is practical: collect only what you need, keep it accurate, don’t keep it forever, and take sensible security steps.
- Small businesses should prioritise the essentials: clear privacy information, supplier contracts (including required processor terms), staff training, retention rules, and a process for breaches and subject access requests.
- GDPR is not just about doing the right thing - it’s about being able to prove you’re doing the right thing through documented policies and processes.
If you’d like help getting your GDPR compliance sorted (or sense-checking how your business handles personal data), you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.