UK GDPR for Trade Contractors: What You Must Know About Client Data
Most UK trade contractors think of GDPR as something only large companies need to worry about. In reality, UK GDPR (the version of the GDPR retained in UK domestic law after Brexit) applies to any person or organisation that processes personal data in connection with their business activities, whatever their size. A sole-trade plumber who stores clients' names, addresses and phone numbers in a contacts app is processing personal data. An electrician who keeps a folder of invoices containing client details is processing personal data. Understanding the obligations that follow from this matters more each year as the Information Commissioner's Office (ICO) pays closer attention to SME compliance.
UK GDPR Post-Brexit
When the United Kingdom left the European Union, the EU's General Data Protection Regulation, which had applied in the UK since May 2018, was carried over into domestic law as the UK GDPR under the European Union (Withdrawal) Act 2018. The UK GDPR sits alongside the Data Protection Act 2018, which supplies the domestic legislative framework and gives the ICO its enforcement powers. The substantive provisions of the UK GDPR are largely identical to those of the EU GDPR, although the UK government can amend the UK GDPR through further legislation and has done so in some areas. For practical purposes, a contractor who was compliant with the EU GDPR before Brexit remains compliant with the UK GDPR: the core obligations (a lawful basis for processing, data subject rights, breach notification and privacy notices) are the same.
ICO Registration
Any organisation that processes personal data for purposes beyond purely personal or household activity is generally required to pay the ICO's data protection fee and is listed on the ICO's public register. The fee is tiered: micro-organisations (turnover of £632,000 or less, or no more than ten members of staff) pay £40 a year; small and medium organisations pay £60; large organisations pay £2,900. Most sole-trade and small-business contractors fall into the £40 tier; the ICO publishes the current amounts and an online self-assessment on its website. There is an exemption from the fee (though not from the UK GDPR's substantive obligations) for certain narrowly defined processing activities, such as processing carried out purely for not-for-profit purposes. For commercial trade contractors, which means virtually every tradesperson who processes client data to deliver services and get paid, registration is likely to be required, and the ICO can issue a monetary penalty for failing to pay the fee.
Lawful Basis for Processing Client Data
UK GDPR requires every processing activity to rest on a lawful basis. For trade contractors the two most relevant are contract (processing is necessary to perform a contract with the data subject, or to take steps at the data subject's request before entering into one) and legitimate interests (the contractor has a genuine business reason for the processing that is proportionate to the data subject's interests and rights). Invoicing a client, sending quote documents and storing contract records all fall under the contract basis. Sending marketing emails or texts to past clients is different: as well as a UK GDPR basis (consent, or a documented legitimate-interests assessment that takes account of the right to object to direct marketing), electronic marketing to individuals is governed by the Privacy and Electronic Communications Regulations (PECR), which generally require consent unless the "soft opt-in" for existing customers applies, and every message must offer a simple way to opt out. The practical takeaway for most contractors is that routine client data (names, addresses, contact details, job history) is processed lawfully under the contract basis, and the most important obligation is to be transparent about how it is used.
HMRC's Seven-Year Record-Keeping Requirement
HMRC requires businesses to keep financial records, including invoices, receipts and accounts, for a minimum period that depends on how the business is set up. A limited company must keep records for six years from the end of the accounting period they relate to; a VAT-registered business must keep its VAT records for six years; and a self-employed contractor must keep self-assessment records for at least five years after the 31 January filing deadline of the relevant tax year. Because these periods run from the end of an accounting period or tax year rather than from the transaction date, a record usually has to be kept for six or seven years after the date printed on it, which is why many contractors simply keep everything for seven years. These HMRC requirements give a clear lawful basis under UK GDPR (compliance with a legal obligation) for keeping invoices that contain personal data, such as client names and addresses, for the minimum HMRC period. Once that period has expired, the storage limitation principle requires the data to be reviewed and then deleted or anonymised unless there is another documented reason to keep it. For residential construction work, the extended limitation periods introduced by the Building Safety Act 2022 mean project records should be kept for fifteen years, and the need to defend potential claims is a legitimate basis for retaining the personal data within those records for the same period.
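As an added example (not part of the original article and not QuotCraft's own code), the Python script below applies the retention periods stated above to a set of records and reports which ones have outlived every applicable obligation and are therefore due for a storage-limitation review. The record references and dates are constructed, the "sole_trader" and "company" business types and the 31 March company year end are assumptions, and counting the fifteen-year Building Safety Act period from the document date rather than from completion of the work is a simplification made for the example.

```python
"""Storage-limitation review for contractor records (added example).

Encodes the retention periods stated in the article: HMRC six years from the
end of the accounting period for a company, five years after the 31 January
filing deadline for a sole trader, and fifteen years for residential project
records under the Building Safety Act. All sample data is constructed.
"""
from dataclasses import dataclass
from datetime import date

BSA_YEARS = 15  # Building Safety Act period for residential construction records


@dataclass(frozen=True)
class Record:
    ref: str
    dated: date                      # invoice / document date
    residential_build: bool = False  # project record for residential work


def add_years(d: date, n: int) -> date:
    """Add n years, stepping 29 February back to 28 February when needed."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)


def period_end(d: date, month: int, day: int) -> date:
    """First occurrence of month/day on or after d: the end of the period containing d."""
    candidate = date(d.year, month, day)
    return candidate if candidate >= d else date(d.year + 1, month, day)


def hmrc_keep_until(d: date, business: str, fy_end=(3, 31)) -> date:
    """HMRC minimum retention date for a financial record dated d."""
    if business == "sole_trader":
        # Tax year ends 5 April; the return is due the following 31 January;
        # records must then be kept for five more years.
        deadline = date(period_end(d, 4, 5).year + 1, 1, 31)
        return add_years(deadline, 5)
    if business == "company":
        # Six years from the end of the accounting period containing d
        # (assumed 31 March year end unless fy_end says otherwise).
        return add_years(period_end(d, *fy_end), 6)
    raise ValueError(f"unknown business type: {business}")


def keep_until(rec: Record, business: str, fy_end=(3, 31)) -> date:
    """The longest applicable obligation wins; storage limitation applies after it."""
    until = hmrc_keep_until(rec.dated, business, fy_end)
    if rec.residential_build:
        # Assumption for the example: BSA period counted from the document date.
        until = max(until, add_years(rec.dated, BSA_YEARS))
    return until


def review(records, today: date, business: str, fy_end=(3, 31)) -> dict:
    """Map ref -> (keep_until, action). 'review' means every statutory period has
    expired: delete or anonymise unless another documented reason to keep exists."""
    result = {}
    for rec in records:
        until = keep_until(rec, business, fy_end)
        result[rec.ref] = (until, "retain" if today <= until else "review")
    return result


# Constructed sample: three records of a sole trader, reviewed on 1 June 2025.
SAMPLE = [
    Record("INV-0412", date(2017, 3, 20)),                       # tax year 2016/17
    Record("INV-0913", date(2019, 5, 1)),                        # tax year 2019/20
    Record("PRJ-0071", date(2012, 8, 15), residential_build=True),
]

if __name__ == "__main__":
    for ref, (until, action) in review(SAMPLE, date(2025, 6, 1), "sole_trader").items():
        print(f"{ref}: keep until {until} -> {action}")
```

Run as-is, the script flags INV-0412 for review (its five-year period ended on 31 January 2023), keeps INV-0913 until 31 January 2026, and keeps the residential project file PRJ-0071 until August 2027 even though its HMRC period ended years earlier. Swapping `"company"` for `"sole_trader"` shows how the same invoice date produces a different retention date once the period runs from a 31 March year end instead.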
Data Security and Breach Notification
UK GDPR requires personal data to be processed with appropriate security, including protection against unauthorised access, loss and destruction. A contractor using a cloud-based quoting and invoicing platform relies largely on the platform provider for that security, but the contractor remains the data controller: you should satisfy yourself that the provider encrypts data in transit and at rest, enforces access controls and takes regular backups, and you need a written contract (a data processing agreement) with the provider, which UK GDPR requires whenever a processor handles personal data on your behalf. Security on your own devices matters just as much: turn on full-disk encryption on any laptop or phone that holds client data, use a screen lock, and do not share logins. If personal data is lost or accessed without authorisation, for example if a laptop holding client records is stolen, you must assess whether the breach needs reporting. A breach that is likely to result in a risk to the rights and freedoms of individuals must be reported to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it; a breach that is likely to result in a high risk must also be communicated to the affected individuals. A stolen laptop whose disk was encrypted and whose password was not compromised may not reach the reporting threshold, but every breach, reported or not, must be recorded internally with what happened, its effects and the action taken.
Privacy Notices and Client Communication
UK GDPR requires that people whose personal data you collect are told how it will be used, how long it will be kept and what rights they have over it. For trade contractors the simplest way to comply is a short privacy notice on your website or in your standard terms and conditions. It should name the data controller (your business) and how to contact you, state the lawful basis and purposes of processing, say who the data is shared with (for example your accountant or software provider), say how long records are kept, list the individual's rights, and give the ICO's contact details in case they wish to complain. For most contractors a one-page notice incorporated into standard quote terms is sufficient, provided it reaches the client when their data is first collected, which in practice means with the first quote. Clients have the right to ask what data you hold about them (a subject access request), which you must answer within one month of receiving it, to have inaccurate data corrected, and in some circumstances to have their data deleted, although the deletion right does not apply where the data must be kept to comply with a legal obligation such as HMRC record-keeping.
How QuotCraft Handles Client Data Securely
QuotCraft is designed with UK GDPR compliance in mind. All data held in the platform (client records, invoices, quotes and project documents) is stored on UK-based servers and encrypted at rest and in transit. Access to your account is protected by two-factor authentication, and the access log lets you see who has accessed your account and when. Retention settings let you configure automatic archiving of records after the standard retention period, which makes the storage limitation principle easier to meet without manual data audits. For subject access requests, the client data export function produces a complete record of everything held for a specific client in a portable format. QuotCraft's data processing agreement, available in your account settings, sets out the company's obligations as a data processor acting on your behalf and supports your own compliance documentation.
Try QuotCraft free for 30 days
Quotations, digital signatures, invoicing, Peppol, and wholesaler integration in one platform. No credit card required.
Start your free trial