    GDPR for Small Builders: What You Actually Need to Do

    12 min read · Reviewed April 2026
    By SiteKiln Editorial Team · First published 6 Apr 2026 · Updated 21 Apr 2026
    Running Your Business · UK-wide


    SiteKiln gives you plain-English information, not legal or data protection advice. If you've had a data breach or a formal ICO complaint, get specialist advice.


    You're already doing "data protection" whether you like it or not. Names in your phone, photos of jobs, quotes in your email: all of that puts you under GDPR and the ICO.


    1. You're a data controller (even as a one-man band)

    If you:

    • Take names, addresses, and phone numbers for quotes and invoices
    • Store emails, texts, or WhatsApps from customers
    • Keep photos of their home or the work you've done
    • Hold bank details for payments

    Then you're a data controller for that personal data under UK GDPR and the Data Protection Act 2018.

    It doesn't matter that you're "just a sole trader." The rules still apply. You are the person responsible for how that data is collected, used, stored, and eventually deleted.


    2. ICO registration and the £40 data protection fee

    Most self-employed tradespeople and small firms processing personal data must pay the ICO data protection fee. Exemptions are narrow: if you hold customer names, addresses, and contact details (which every tradesperson does), you almost certainly need to register.

    Fee tiers (2025/26)

    Tier             Who                                              Annual fee
    Tier 1 (micro)   Turnover up to £632,000 AND 10 or fewer staff    £40
    Tier 2 (SME)     Turnover up to £36m OR 11-249 staff              £60
    Tier 3 (large)   Turnover over £36m OR 250+ staff                 £2,900

    For a typical sole trader, small firm, or partnership in construction, you're Tier 1 at £40/year.

    If you don't pay

    The ICO can issue a fixed penalty notice and escalate to a maximum fine of £4,350 for non-payment of the fee.

    They actively enforce this. The ICO issues thousands of penalty notices per year to businesses that should be registered and aren't. It's one of the easiest things they prosecute because there's no grey area: you either paid or you didn't.

    £40/year to be legal, or up to £4,350 in fines for not bothering. That's not a difficult decision.

    How to register

    Go to ico.org.uk/for-organisations/data-protection-fee/ where there's a quick "Do I need to pay?" checker and an online registration form. It takes about 10 minutes, and you can pay by card or Direct Debit.


    3. What counts as "personal data" for a tradesperson

    Personal data is anything that can identify a living person, directly or indirectly.

    For a builder, that means:

    • Customer name · Yes
    • Home address (especially linked to a name or job) · Yes
    • Phone number and email address · Yes
    • Photos showing the front of their house, door number, car reg, or distinctive interiors · Yes (tied to the property and therefore the person)
    • Bank details or payment information · Yes
    • Job notes with customer details ("Mrs Smith, 14 Oak Road, loft conversion, £12k") · Yes
    • Generic job photos with no people, no address, no way to link them back · Generally no (unless they're in a folder named after the customer)
    • WhatsApp conversations about a job · Yes (contains names, numbers, and often addresses)

    The test: if you could identify who the person is from the data (or from the data combined with other information you hold), it's personal data. For most tradesperson records (quotes, invoices, job notes, photos) the answer is yes.


    4. What you actually need to do in practice

    For a small trade business, GDPR doesn't mean a 40-page policy. The ICO explicitly says sole traders and micro-businesses just need to demonstrate they handle data fairly and sensibly.

    Your practical to-do list

    1. Have a simple privacy notice

    One page, on your website if you have one, or included in your terms and conditions. It should say:

    • What data you collect · names, addresses, phone numbers, job photos, payment details
    • Why · to provide quotes, carry out work, issue invoices, manage warranties, comply with tax records
    • Who you share it with · your accountant, any subcontractors working on the job, software providers (bookkeeping, email). Not random third parties.
    • How long you keep it · at least 5 years for HMRC, then deleted unless there's a live warranty or ongoing relationship
    • How people can contact you about their data · your email address or phone number

    You don't need a solicitor to write this. Keep it in plain English. A template is in our Document Hub.

    2. Don't share customer details without a reason

    • Don't pass phone numbers to other trades unless the customer agrees
    • Don't post job photos on social media where the address, house number, or owner is identifiable without permission · this is the GDPR issue most tradespeople don't think about
    • If a customer asks you not to share their address with a subcontractor, respect that (you can usually work around it)

    3. Store data securely

    • Lock your phone and laptop with a passcode, fingerprint, or face ID
    • Use reputable email and accounting apps with strong passwords and 2FA where possible
    • Don't leave paper job sheets with full customer details lying in the van where anyone can see them
    • If you use a shared computer or tablet, make sure your business data isn't accessible to others

    You don't need military-grade encryption. You need the basics: a locked phone, a decent password, and common sense.

    4. Delete data when you don't need it

    Once you're past the HMRC 5-year record-keeping window and any warranty period, delete or anonymise old customer contact details. Don't hoard data forever "just in case."

    The exception: if you have an ongoing relationship (regular customer) or a live structural warranty, keeping their details is justified.

    ICO self-assessment

    The ICO has a plain-English self-assessment checklist for sole traders at:

    ico.org.uk/for-organisations/advice-for-small-organisations/

    It's genuinely useful and written for real small businesses, not corporations.


    5. How long to keep records, HMRC vs GDPR

    Two sets of rules overlap here.

    HMRC says: keep self-employed business records for at least 5 years after the 31 January filing deadline for that tax year.

    Tax year   Return deadline    Keep records until
    2024/25    31 January 2026    31 January 2031
    2025/26    31 January 2027    31 January 2032

    This covers invoices, receipts, bank statements, CIS statements, and mileage logs, all of which contain personal data.

    GDPR says: don't keep personal data longer than necessary.

    The sensible compromise:

    • Keep job and customer records for at least 5 years to satisfy HMRC and cover any warranty/defects period (Limitation Act gives customers up to 6 years to bring a workmanship claim · see our guarantee and warranty guide)
    • After 6 years, delete or anonymise old customer contact details unless there's a specific reason to keep them (e.g., a long-term structural warranty, an ongoing customer relationship, or an active dispute)
    • Be consistent · and say in your privacy notice what your typical retention period is

    6. When someone asks for their data or wants it deleted

    Customers have rights under UK GDPR. The two you're most likely to encounter:

    Subject Access Request (SAR)

    If a customer says "What data do you hold on me?", that's a Subject Access Request.

    Your obligations:

    • You have one calendar month to respond (extendable by 2 months if the request is complex)
    • You cannot charge a fee in normal circumstances
    • You must provide a copy of the personal data you hold and explain what you use it for

    What to do:

    1. Pull together the data you hold · job details, quotes, invoices, emails, photos, messages that relate to them
    2. Send them a copy with a short explanation: "We hold this information to provide quotes, carry out work, manage warranties, and comply with HMRC tax record-keeping requirements."
    3. Redact any third-party personal data (e.g., your subcontractor's phone number in the same email chain)

    Right to erasure ("right to be forgotten")

    If a customer says "Delete everything you hold on me", the right to erasure applies, but it's not absolute.

    You can refuse to delete data where:

    • You need it to comply with a legal obligation · e.g., HMRC requires you to keep tax records for 5 years
    • You need it for establishing, exercising, or defending legal claims · e.g., an ongoing dispute about the work
    • You have another lawful basis for keeping it

    Practical response:

    "We've deleted your details from our marketing lists and any data we no longer need. However, we're legally required to keep invoices and job records until [date] for HMRC tax purposes. After that date, we'll delete the remaining data. If you'd like to discuss this further, please contact us."

    If you refuse erasure entirely, you must tell them:

    • Why
    • That they can complain to the ICO
    • That they can take the matter to court

    For most small jobs, being polite, clear, and reasonable is enough to handle these requests without drama.


    7. Social media and job photos, the bit most trades get wrong

    This is where GDPR and tradespeople most commonly collide.

    Posting job photos on Instagram, Facebook, or your website:

    • Photos showing the front of a house with the door number visible, a street name sign, or a car with a readable registration plate are personal data when they can be linked to a customer
    • Posting them without the customer's consent is technically a GDPR issue
    • A customer who didn't agree to their home being shown on your social media could complain to the ICO

    How to avoid problems:

    • Ask permission before posting · most customers are happy to have their new kitchen on your Instagram, but ask first
    • Crop or blur identifying details · door numbers, car registrations, street signs
    • Interior photos are generally lower risk (harder to identify the property), but still ask
    • Before and after shots are your best marketing tool · just get a quick "OK to use these on social media?" text from the customer

    A simple text saying "Mind if I use the photos of the finished job on my Instagram?" followed by a "yeah go for it" reply is enough consent for a sole trader. You don't need a signed form.


    8. Reality check

    The honest picture:

    The ICO isn't roaming the country looking for plasterers to fine because their phone isn't encrypted. They've got bigger targets: large companies, data breaches, systemic failures.

    But they will act on:

    • Non-payment of the £40 fee · this is automated and they issue thousands of penalties per year
    • Complaints from customers · especially after a dispute where the customer feels their data was misused
    • Data breaches · if customer details are leaked, stolen, or exposed and you didn't have basic security in place

    "Good enough" for a small trade business looks like:

    1. Pay the ICO fee · be on their register (£40, 10 minutes)
    2. Have a simple privacy notice · on your website or in your T&Cs
    3. Don't spray customer details everywhere · be sensible about what you share and post
    4. Keep records for HMRC's 5-year window, then tidy up
    5. Know how to recognise and respond to a data request within a month

    That puts you ahead of 95% of sole traders and massively reduces your risk.


    What to do next

    1. Check if you're registered with the ICO · go to ico.org.uk/for-organisations/data-protection-fee/ and use the checker
    2. If not registered, do it today · £40, takes 10 minutes, and removes the risk of a £4,350 fine
    3. Write a simple privacy notice · one page, plain English (template in the Document Hub)
    4. Lock your phone if it isn't already · passcode, fingerprint, or face ID
    5. Next time you post a job photo, check: can you see the door number, car reg, or street name? Crop or blur if you can.

    Sources

    • UK General Data Protection Regulation (UK GDPR) · legislation.gov.uk/eur/2016/679/contents
    • Data Protection Act 2018 · legislation.gov.uk/ukpga/2018/12
    • Data Protection (Charges and Information) Regulations 2018 · legislation.gov.uk/uksi/2018/480
    • ICO, Data Protection Fee · ico.org.uk/for-organisations/data-protection-fee
    • ICO, Guide for Small Organisations · ico.org.uk/for-organisations/advice-for-small-organisations
    • ICO, Right of Access (Subject Access Requests) · ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/right-of-access
    • ICO, Right to Erasure · ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/right-to-erasure
