GDPR for Tradespeople: Customer Data, Photos on Site & Marketing Rules
UK GDPR (retained from EU GDPR via the Data Protection Act 2018) applies to any tradesperson who holds personal data about customers — including names, addresses, phone numbers, and email addresses. Sole traders are data controllers and must register with the ICO (currently £40/year for sole traders) unless exempt. Key obligations: tell customers what data you hold and why; don't keep data longer than needed; get permission before sending marketing messages; don't photograph identifiable people on site without consent; report data breaches within 72 hours.
Summary
Data protection sounds like something for big companies with IT departments, but it applies to every sole trader, partnership, or limited company that holds personal information about customers. For most tradespeople, this means their customer list, invoicing records, quote history, and any photos or notes about a job. UK GDPR (the retained version of EU GDPR, incorporated into UK law via the Data Protection Act 2018) sets out the obligations.
The good news: the obligations for small tradespeople are relatively straightforward, and compliance is mostly common sense — tell people what you're doing with their data, use it only for the purpose you said, keep it secure, and delete it when you no longer need it. The complications arise around marketing (you cannot add someone to a mailing list without their permission), photos of work on site (which may include identifiable elements), and responding to data subject access requests (SAR) from customers who ask what data you hold about them.
ICO registration (Information Commissioner's Office) is required for most tradespeople who process personal data, unless exempt. The small business tier costs £40/year. Non-registration is technically a criminal offence — fines are issued. The ICO's approach to small businesses is educational rather than punitive, but the requirement is real.
Key Facts
- UK GDPR — the retained version of EU GDPR; incorporated into UK law via Data Protection Act 2018; applies from 25 May 2018
- ICO (Information Commissioner's Office) — the UK data protection regulator; enforcement body
- ICO registration — most tradespeople are required to register (£40/year for Tier 1 — small data processors); exemptions are narrow
- Data controller — any person or business that determines how and why personal data is processed; most tradespeople are data controllers
- Personal data — any information that can identify a living person; customer name, address, phone number, email, photos showing a person, invoices
- Special category data — health data, biometrics, religion, etc.; very strict rules; tradespeople rarely process this
- 6 lawful bases for processing — contract performance, legal obligation, vital interests, public task, legitimate interests, consent
- For customer data (invoicing, quotes) — lawful basis is typically "contract performance" or "legitimate interests"; no consent needed
- For marketing emails/texts — lawful basis must be "consent" (opted in) or "soft opt-in" (existing customer, similar products/services, opt-out offered)
- PECR (Privacy and Electronic Communications Regulations 2003) — governs marketing by phone, text, and email; separate from UK GDPR but related
- Data retention — keep customer data only as long as needed; HMRC requires 6 years for business records (tax purposes); anything beyond that needs a specific reason
- Data security — take "appropriate technical and organisational measures"; for small trades: encrypted devices, strong passwords, secure email, physical document security
- Data breach — if personal data is lost, stolen, or accidentally disclosed, you may need to report to ICO within 72 hours; always document breaches
- Data Subject Access Request (DSAR/SAR) — customers can ask you to provide all data you hold about them; you have 1 month to respond (extendable to 3 months for complex requests); free in most cases
- Right to erasure (right to be forgotten) — customers can ask you to delete their data; you must comply unless you have a legal reason to retain it (e.g., unpaid invoice, tax records)
- Privacy notice — you should provide a privacy notice to customers explaining what data you collect, why, how long you keep it, and their rights
Quick Reference Table
| Data Type | Lawful Basis | Retention Period | Key Obligation |
|---|---|---|---|
| Customer contact details (name, address, phone) | Contract performance | 6 years (HMRC) | Secure storage; provide on SAR |
| Invoices and quotes | Legal obligation (HMRC) | 6 years minimum | Secure; not shared without reason |
| Email/text correspondence | Legitimate interests | Duration of business relationship + 6 years | Accessible on SAR |
| Photos of completed work (no people) | Legitimate interests | Until no longer relevant | Inform customer you may use for portfolio |
| Photos with identifiable people | Consent | Until consent withdrawn | Must obtain explicit consent before taking |
| Marketing contact list | Consent (or soft opt-in) | Until opt-out or consent withdrawn | Must include opt-out mechanism |
| CCTV (your vehicle/premises) | Legitimate interests | Typically 30 days | ICO guidance on CCTV applies |
| Employee data | Contract of employment | Duration + 6 years | Separate employment law obligations |
Detailed Guidance
ICO Registration: Who Needs to Register
Most tradespeople need to register with the ICO. The ICO fee exemptions are narrow:
- Not-for-profit organisations (no fee)
- Sole traders processing personal data only for their own personal, family, or household purposes (not business)
- Processing data for judicial or court functions
If you are a sole trader keeping a customer list and sending invoices, you are a data controller who processes personal data for business purposes and must register. The fee is £40/year for Tier 1 (turnover under £632,000 and fewer than 10 employees).
Register at ico.org.uk/registration. The process takes 15–20 minutes.
Lawful Basis for Processing Customer Data
You must have a lawful basis for processing personal data. For most customer data in trades, the relevant bases are:
Contract performance (Article 6(1)(b)): When you have a contract with the customer (or are about to enter one), you can process their data to fulfil that contract — taking their address to do the job, invoicing them, communicating about the project. This is the standard basis for customer data.
Legal obligation: Some data processing is required by law, for example HMRC record-keeping, Building Control notifications, and Gas Safe registration of work. This processing relies on the "legal obligation" basis.
Legitimate interests: Your legitimate business interest in managing customer relationships, maintaining records, defending against legal claims. This is a balance test — your interest must not be overridden by the customer's rights and interests. Holding customer contact details after a job for follow-up or referral purposes is typically legitimate interests.
Consent: Required for marketing messages and for processing data for purposes outside the above. Consent must be freely given, specific, informed, and unambiguous — a pre-ticked box does not constitute consent.
Marketing Rules: Texts and Emails
This is where many tradespeople inadvertently breach the law. The Privacy and Electronic Communications Regulations (PECR) govern marketing by phone, text, and email — and the rules are strict.
You CAN send marketing by text/email to:
- Existing customers, about similar products and services, where you gave them a clear opportunity to opt out at the time of their last purchase and on every subsequent marketing message ("soft opt-in")
- Anyone who has explicitly opted in to your marketing
You CANNOT:
- Add a customer to your marketing list without their knowledge or consent
- Send marketing texts/emails if they opted out (unsubscribed)
- Buy a list of phone numbers and text them without proof of consent
Soft opt-in in practice: A customer who had a bathroom fitted by you can be texted about your boiler servicing offer — the services are similar, they're an existing customer, and you offered them a way to opt out at the time of the job. Include "Reply STOP to unsubscribe" in every marketing text.
Cold calling: Residential phone numbers on the Telephone Preference Service (TPS) cannot be cold-called; you must check against the TPS register before calling. Sole traders are covered by TPS for their personal numbers.
Photos on Site: Privacy Considerations
Taking photos of your work is legitimate for portfolio use, but consider the following:
Photos of work only (no people visible): Generally fine under legitimate interests; inform customers as a matter of courtesy that you may photograph completed work for your portfolio.
Photos that include identifiable people (customers, neighbours): You need explicit consent from the identifiable individuals before taking and using these photos. This includes children — extra care is required. Do not photograph adults or children without their knowledge and consent.
Photos of interiors: Customers may consider detailed interior photos of their home as personal data (revealing their home layout, belongings, lifestyle). As a matter of respect and data protection, inform customers and offer to exclude photos that show particularly private areas or identifiable personal items.
Use of photos: If you use work photos on your website, social media, or platforms like Checkatrade, the customers whose properties are shown have a right to object and request removal. Addressing this upfront (by informing customers and getting a simple verbal or written agreement) prevents future requests.
Responding to Data Subject Access Requests (SARs)
If a customer (or ex-customer) asks: "What information do you hold about me?" — that is a Subject Access Request. You must:
- Respond within 1 calendar month (extendable to 3 months for complex requests)
- Provide all personal data you hold about that individual
- Provide it for free (unless the request is manifestly unfounded or excessive)
- Include a description of: why you hold it, where it came from, who it has been shared with, how long you plan to keep it
What to provide: customer name and contact details, invoices and quotes, emails and texts, any notes about the job, photos. You do not need to provide information that would reveal information about other people or that is protected by legal professional privilege.
For most tradespeople, a SAR from a customer is rare. If it happens, take it seriously — it often precedes a complaint or legal claim. Respond professionally and completely.
Data Breaches: What Counts and What to Do
A data breach is any incident where personal data you hold is lost, destroyed, altered, disclosed to someone who shouldn't have access, or accessed without authorisation. Examples:
- Your phone or laptop with customer data is stolen
- You accidentally email a quote containing customer details to the wrong person
- Your email account is hacked and customer data is accessed
- A paper quotation book is lost
What to do:
- Contain the breach (change passwords, retrieve mis-sent emails where possible)
- Document what happened, what data was affected, and how many people are affected
- Assess the risk to individuals
- If the breach is likely to result in a risk to the rights and freedoms of individuals, report to ICO within 72 hours
- If the risk is high, also notify the affected individuals directly
For most small breaches (one email sent to wrong address with a customer name and address), the risk is low and ICO notification is not required — but you must document it internally.
Privacy Notice
You should provide customers with a privacy notice when you first collect their data — this can be a brief note in your quote/contract, a section of your website, or a separate data protection notice. It should cover:
- Who you are (name, contact, ICO registration number)
- What data you collect
- Why you collect it (lawful basis)
- How long you keep it
- Who you share it with (if anyone)
- Customers' rights (access, erasure, objection, complaint to ICO)
A short paragraph in your standard terms and conditions is sufficient for most small tradespeople.
Frequently Asked Questions
Do I need to register with the ICO as a sole trader?
If you process personal data for business purposes — which keeping a customer list and invoicing clients constitutes — yes. The exemptions are narrow. The fee is £40/year for Tier 1 (small businesses). The ICO's online self-assessment tool (ico.org.uk) can confirm whether you need to register. Non-registration is a criminal offence; the ICO has fined businesses for failure to register, though enforcement against very small businesses tends to follow other complaints.
Can I post photos of a customer's new bathroom on social media without asking?
Technically, if the photos don't contain identifiable people and don't reveal private information, the legal position is debatable — you have a legitimate interest in showcasing your work. However, best practice is to inform the customer and get a simple verbal "yes, that's fine." Most customers are happy with this, and it avoids any future complaint. Posting photos that include family photos, medication, or other private items visible in the background is a clear privacy breach.
A former customer is demanding I delete all data about them. Do I have to?
The Right to Erasure (right to be forgotten) allows individuals to ask for their data to be deleted. However, you are not required to delete data that you need to retain for legal compliance — including HMRC tax records (which must be kept 6 years). You should delete data that you no longer need for legitimate business purposes (e.g., a prospect who never became a customer; a customer from 10+ years ago where your legal retention period has passed). Respond to the request in writing, explaining what you have deleted and what you retain and why.
Do I need a privacy policy on my website?
Yes, if your website collects any personal data — including if you use Google Analytics, have a contact form, or use cookies. The privacy policy must explain what data is collected, why, and the user's rights. For a simple website with no forms or analytics, a brief data protection statement suffices. ICO has a template for small businesses on their website.
Regulations & Standards
UK GDPR — retained EU General Data Protection Regulation; incorporated via Data Protection Act 2018; effective 25 May 2018
Data Protection Act 2018 — UK implementing legislation; supplements and modifies EU GDPR for UK context
Privacy and Electronic Communications Regulations 2003 (PECR) — marketing by phone, text, and email
ICO Registration Regulations — data protection fee requirements for data controllers
ICO — Small Business Guide to GDPR — Official ICO guidance for small businesses
ICO — Direct Marketing Guide — Marketing texts, emails, and PECR compliance
ICO — Data Breach Reporting — When and how to report data breaches
Federation of Master Builders — GDPR for Builders — Practical guidance for tradespeople
This article was generated and fact-checked using AI, with corrections from the community.