GDPR for Sole Traders: What You Need to Do
If you think the General Data Protection Regulation (GDPR) is only for big corporations with entire departments dedicated to compliance, think again. As a sole trader, GDPR applies to you the moment you collect, store, or process personal data — and that includes something as simple as keeping a spreadsheet of client email addresses. The good news? Compliance is far less daunting than it sounds, and getting it right protects both you and your clients.
In this guide, I'll walk you through exactly what GDPR means for sole traders, the practical steps you need to take, and how to avoid the most common mistakes.
What Is GDPR and Why Does It Apply to You?
GDPR is the EU's data protection regulation. After Brexit the UK kept it in domestic law as the UK GDPR, which sits alongside the Data Protection Act 2018 and is the version that applies to a UK sole trader. It governs how personal data is collected, used, stored, and shared. Personal data is any information that can identify a living individual, directly or in combination with other information: names, email addresses, phone numbers, IP addresses, bank details, and much more.
As a sole trader, you almost certainly handle personal data. If you send invoices to clients, you have their names and addresses. If you use email marketing, you hold subscriber details. If you run a website with a contact form, you're collecting data the moment someone hits "submit."
The Information Commissioner's Office (ICO) is the UK's data protection authority, and it can and does investigate small businesses. Fines can reach up to £17.5 million or 4% of annual worldwide turnover (whichever is higher), though in practice sole traders are more likely to receive enforcement notices or smaller penalties. Still, the reputational damage alone makes compliance essential.
Understanding your obligations under GDPR is part of running a legitimate business. It sits alongside other essentials like understanding your tax deductions and getting the right insurance.
The Six Lawful Bases for Processing Data
Under GDPR, you must have a lawful basis for processing personal data. There are six, but as a sole trader, three are most relevant:
1. Contract. You need to process someone's data to fulfil a contract with them. For instance, you need a client's address to send them goods they've purchased, or their bank details to set up a direct debit for your services.
2. Legitimate interests. You have a genuine business reason to process the data, the processing is necessary for that purpose, and the individual's interests and rights do not override yours. You are expected to weigh this up (the ICO calls it a legitimate interests assessment) and keep a brief note of your reasoning. For example, you might keep records of past clients to follow up on repeat business, or retain contact details for a period after a project ends in case of queries.
3. Consent. The individual has given you clear, affirmative consent to process their data for a specific purpose. This is most commonly used for marketing emails. Consent must be freely given, specific, informed, and unambiguous; a pre-ticked box does not count. It must also be as easy to withdraw as it was to give, and you should keep a record of when and how each person consented.
You should document which lawful basis applies to each type of data you process. This doesn't need to be complicated — a simple table listing the data type, purpose, and lawful basis will suffice.
Practical Steps to Comply with GDPR
Create a Privacy Notice
Every sole trader who processes personal data should have a privacy notice (sometimes called a privacy policy). This document tells people what data you collect, why you collect it, how long you keep it, and who you share it with. If you have a website, your privacy notice should be easily accessible — usually linked in the footer.
Your privacy notice should include:
- Your name and contact details
- What personal data you collect
- Why you collect it (and the lawful basis)
- Who you share it with (e.g., your accountant, HMRC, email marketing platform)
- How long you keep it
- The individual's rights (access, rectification, erasure, etc.)
- How to complain to the ICO
The ICO provides a helpful resource for small organisations that includes template privacy notices and a self-assessment tool.
Keep Records of What You Hold
You need to know what personal data you hold, where it is, and why you have it. This is often called a data audit or data mapping exercise. Go through every tool, platform, and filing cabinet you use and list:
- The categories of personal data (names, emails, financial details, etc.)
- Where it's stored (laptop, cloud service, paper files)
- How it got there (client provided it, collected via website, etc.)
- How long you've held it
- Whether you share it with anyone
This exercise often reveals data you'd forgotten about — old client lists in a drawer, an abandoned email marketing account with hundreds of contacts, or a spreadsheet on a shared drive. Identifying these is the first step to cleaning up your data practices.
Implement Proper Security Measures
GDPR requires you to implement "appropriate technical and organisational measures" to protect personal data. For a sole trader, this means:
- Password-protect your devices. Use strong, unique passwords for your laptop, phone, and any accounts containing personal data. A password manager helps enormously.
- Encrypt sensitive data. Enable full-disk encryption on your laptop (FileVault on Mac, BitLocker on Windows). Encrypt USB drives if you use them.
- Keep software updated. Security patches fix vulnerabilities that hackers exploit. Set your devices to update automatically.
- Use two-factor authentication (2FA). Enable it on your email, cloud storage, accounting software, and any platform holding personal data. An authenticator app or a passkey is stronger than SMS codes, so prefer those where the service offers them.
- Be careful with email. Don't send sensitive data in unencrypted emails. If you must share financial information, use a secure portal or encrypted attachment.
- Back up your data. Regular backups protect against data loss. Use an encrypted cloud backup service or a secure external drive.
If you're working from home, these measures are especially important. Your home network is your business network, so secure your Wi-Fi with WPA2 or WPA3 and a strong passphrase, change the router's default admin password, and keep its firmware updated.
Set Retention Periods
You must not keep personal data longer than necessary. This means setting retention periods for different types of data. HMRC requires you to keep financial records for at least five years after the 31 January submission deadline of the relevant tax year, so client invoices and payment records should be kept for at least that long. But old enquiry emails or marketing lists for campaigns that ended years ago? Those should be securely deleted.
Create a simple retention schedule and review it annually. When data reaches the end of its retention period, delete it securely — shred paper records and permanently delete digital files (not just move them to the recycle bin).
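One way to turn a retention schedule into something you can actually run each year is a small script over your data inventory. The example below is added here and is not part of the original guide or the Accounted product; the inventory entries are constructed, and the date arithmetic encodes the HMRC rule described above (tax year ending 5 April, filing deadline the following 31 January, records kept five years after that). Any other retention periods shown are illustrative assumptions, not legal advice.

```python
from datetime import date, timedelta

# Constructed inventory, modelled on the data-audit table from the guide.
# Two kinds of entry (both assumptions for the example):
#   - "hmrc": a financial record for the tax year ending 5 April <tax_year_end>,
#     kept for five years after that year's 31 January filing deadline.
#   - anything else: kept for <retention_days> after the date it was collected.
INVENTORY = [
    {"item": "Client invoices 2021/22", "kind": "hmrc", "tax_year_end": 2022},
    {"item": "Website enquiries", "collected": "2022-03-10", "retention_days": 365},
    {"item": "Newsletter list (campaign ended)", "collected": "2020-06-01", "retention_days": 730},
    {"item": "Old supplier quotes", "collected": "2025-01-15", "retention_days": 180},
    {"item": "Current client contact details", "collected": "2024-09-01", "retention_days": 2190},
]

DUE_SOON_DAYS = 90  # flag items whose deletion date falls within this window


def hmrc_earliest_deletion(tax_year_end: int) -> date:
    """Tax year ending 5 April <tax_year_end> is filed by 31 January <tax_year_end + 1>;
    HMRC requires the records to be kept at least five years after that deadline."""
    deadline = date(tax_year_end + 1, 1, 31)
    return date(deadline.year + 5, deadline.month, deadline.day)


def earliest_deletion(entry: dict) -> date:
    """Earliest date on which this inventory entry may be securely deleted."""
    if entry.get("kind") == "hmrc":
        return hmrc_earliest_deletion(entry["tax_year_end"])
    collected = date.fromisoformat(entry["collected"])
    return collected + timedelta(days=entry["retention_days"])


def status_for(entry: dict, today: date) -> str:
    """Classify an entry as 'delete now', 'due soon', or 'keep' relative to today."""
    cutoff = earliest_deletion(entry)
    if today >= cutoff:
        return "delete now"
    if (cutoff - today).days <= DUE_SOON_DAYS:
        return "due soon"
    return "keep"


def review_as_of(iso_today: str, inventory=INVENTORY) -> list:
    """Run the annual retention review and return one row per inventory item."""
    today = date.fromisoformat(iso_today)
    return [
        {
            "item": e["item"],
            "delete_from": earliest_deletion(e).isoformat(),
            "status": status_for(e, today),
        }
        for e in inventory
    ]


if __name__ == "__main__":
    for row in review_as_of(date.today().isoformat()):
        print(f"{row['status']:<11} {row['delete_from']}  {row['item']}")
```

Run it at each annual review and act on the "delete now" rows (shred or permanently erase, not just move to the recycle bin), and note that an item's deletion date is the earliest you may delete it, not a date on which anything is removed automatically.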
Do You Need to Register with the ICO?
Most sole traders who process personal data need to pay the ICO's data protection fee. The fee is tiered based on your size and turnover, and most sole traders fall into Tier 1, which at the time of writing costs £40 per year (£35 if you pay by direct debit). The fee is set by regulation and does change, so confirm the current amount on the ICO's website, where a self-assessment tool will also tell you whether you need to pay at all.
There are some exemptions — for example, if you only process personal data for core business administration (like staff records or accounts and records) and meet certain conditions. However, the exemptions are narrow, and it's often easier and safer to simply pay the fee. For a detailed walkthrough of the ICO registration process, see our ICO registration guide.
Failure to pay when required can lead to a monetary penalty from the ICO on top of the fee itself, and the ICO does issue them. At a few tens of pounds per year, it's one of the cheapest compliance costs you'll face.
Handling Data Subject Requests
Under GDPR, individuals have several rights regarding their personal data. The most common ones you'll encounter as a sole trader are:
Right of access (Subject Access Request). A client can ask you what personal data you hold about them. You must respond within one month (extendable by up to two further months only for genuinely complex requests, and you must tell them within the first month if you are extending) and provide a copy of their data free of charge, unless the request is manifestly unfounded or excessive. Verify that the person asking is who they say they are before you send anything.
Right to rectification. If someone tells you the data you hold about them is inaccurate, you must correct it without undue delay.
Right to erasure ("right to be forgotten"). A client can ask you to delete their data. However, this isn't absolute — you can refuse if you need the data for legal obligations (like tax records) or to exercise or defend legal claims.
Right to object to direct marketing. If someone tells you to stop marketing to them, you must stop immediately. No exceptions, no delay.
To handle these requests efficiently, make sure your data is well-organised and you know where everything is. This is another reason the data audit mentioned earlier is so valuable.
Common GDPR Mistakes Sole Traders Make
Assuming GDPR doesn't apply to them. It does, unless you genuinely process no personal data at all, which is virtually impossible if you have clients.
Using a personal email for business. Mixing personal and business communications makes it much harder to respond to data subject requests and keep business data secure. Use a separate business email account.
Not having a privacy notice. Even if your business is tiny, if you collect personal data, you need one. This is especially true if you have a website.
Buying email lists. The rules on electronic marketing come from the Privacy and Electronic Communications Regulations (PECR), which sit alongside GDPR: you need consent to send marketing emails to individuals, with a limited "soft opt-in" exception for your own existing customers who were given a chance to opt out. Buying a list of contacts who never opted in to hearing from you is a clear breach and can result in complaints to the ICO.
Ignoring data breaches. If personal data is lost, stolen, or accessed by someone who shouldn't have it, that's a data breach. Under GDPR you must assess whether it poses a risk to individuals. If it does, you must report it to the ICO within 72 hours of becoming aware of it, and if the risk is high you must also tell the affected individuals without undue delay. Whether or not you report it, keep a written record of every breach and what you did about it. Keeping your head in the sand is not an option.
GDPR and Your Business Tools
Every tool and platform you use that touches personal data is part of your GDPR compliance picture. Your accounting software, email marketing platform, CRM, cloud storage, and even WhatsApp all process personal data.
When choosing tools, check that they comply with GDPR. Look for a Data Processing Agreement (DPA) — a contract between you and the service provider that sets out how they'll handle data on your behalf. Reputable providers like Accounted make this easy, with GDPR-compliant data handling built in and DPAs available on request.
If you use any US-based services, check that they have appropriate safeguards in place for international data transfers. Since the UK-US Data Bridge came into effect, a US provider that is certified under the EU-US Data Privacy Framework with the UK extension can lawfully receive UK personal data, but you should verify the certification rather than assume it. A provider that isn't certified needs another safeguard, such as the ICO's International Data Transfer Agreement or Addendum, in its contract with you.
Keeping Compliant Long-Term
GDPR compliance isn't a one-off task. It's an ongoing commitment that should be part of how you run your business. Here are some habits that will keep you on track:
- Review your privacy notice annually (or whenever your data practices change)
- Conduct a data audit every year to identify and clean up unnecessary data
- Stay informed about changes to data protection law and ICO guidance
- Train yourself — the ICO offers free online resources for small businesses
- Use tools that help you comply, like accounting software with built-in data protection features
As part of your broader approach to running a compliant business, GDPR sits alongside your tax obligations as something that needs regular attention but doesn't have to be burdensome.
Getting Started Today
If you haven't yet addressed GDPR in your business, start today. Begin with a data audit, draft your privacy notice, check whether you need to register with the ICO, and review the security measures on your devices and accounts. You can explore our features to see how Accounted helps you manage client data securely and compliantly.
The whole process can be done in an afternoon, and once the foundations are in place, maintaining compliance takes very little ongoing effort. Your clients will appreciate knowing their data is in safe hands, and you'll have one less thing to worry about when the ICO comes calling.
Business & Operations Advisors
Our business advisors cover the practical side of running a UK sole trader business — from HMRC registration to managing growth. Content is written for real business owners in plain English, not accountants.