
GDPR for Sole Traders — What You Actually Need to Do

The Accounted Business Team·2 March 2026·8 min read

If you're a sole trader, there's a decent chance you've heard about GDPR, nodded along, and then quietly hoped it didn't apply to you. After all, it's the sort of thing big corporations worry about — not someone running a one-person photography business or freelance copywriting outfit. Right?

Unfortunately, no. The UK General Data Protection Regulation (UK GDPR), together with the Data Protection Act 2018, applies to virtually every business that handles personal data — and that includes sole traders. The good news is that compliance doesn't have to be complicated. You don't need a legal team or a dedicated data protection officer in most cases. You just need to understand the basics and put sensible practices in place.

Let's walk through what you actually need to do.

What Is GDPR and Why Does It Apply to You?

GDPR — the General Data Protection Regulation — was originally an EU regulation that came into effect in May 2018. After Brexit, the UK adopted its own version, known as UK GDPR, which works alongside the Data Protection Act 2018. Together, these laws govern how organisations collect, store, use, and share personal data.

Personal data is any information that can identify a living individual. That includes obvious things like names, email addresses, and phone numbers, but also less obvious data such as IP addresses, location data, and even cookie identifiers.

If you collect any of this information — whether through a contact form on your website, an email mailing list, client invoices, or even a simple spreadsheet of customer names — you're processing personal data, and UK GDPR applies to you.

Does the Size of My Business Matter?

Not really. UK GDPR doesn't have a small business exemption. Whether you're a multinational corporation or a sole trader working from your kitchen table, the same principles apply. The scale of what you need to do will differ — a sole trader with 50 clients doesn't need the same infrastructure as a company with 50,000 customers — but the legal obligations are fundamentally the same.

The Information Commissioner's Office (ICO), which is the UK's data protection regulator, does recognise that smaller organisations pose less risk and tends to take a proportionate approach to enforcement. But that doesn't mean you can ignore the rules entirely.

The Key Principles You Need to Follow

UK GDPR is built around seven key principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (in plain terms, security); and accountability. You don't need to memorise them word for word, but understanding the spirit behind each one will help you stay on the right side of the law. The ones that come up most often for a sole trader are covered below.

Lawfulness, Fairness, and Transparency

You must have a valid legal reason (called a "lawful basis") for processing personal data, and you need to be upfront with people about what you're doing with their information. For most sole traders, the three most relevant lawful bases are:

  • Contractual necessity: you need someone's data to deliver what they have asked you for (for example, a client's address so you can send them the goods).
  • Legal obligation: the law requires you to hold the data (for example, keeping invoices and the client details on them because HMRC requires you to retain tax records).
  • Legitimate interests: you have a genuine business reason for processing the data, the processing is necessary for that purpose, and your interest is not overridden by the individual's rights (for example, keeping brief notes on past projects so you can pick up where you left off if a client returns). If you rely on this basis, write down that reasoning at the time; the ICO expects to see the balancing test if it asks.

Consent is another lawful basis, but it comes with stricter requirements. If you rely on consent, it must be freely given, specific, informed and unambiguous (a clear opt-in, not silence or a pre-ticked box), and it must be as easy to withdraw as it was to give. Pick the basis that genuinely fits each purpose up front; you should not swap to a different one later without good reason.

Data Minimisation

Only collect the data you actually need. If you're a graphic designer, you probably need your client's name, email, and billing address. You probably don't need their date of birth or national insurance number. Keep it relevant.

Storage Limitation

Don't keep personal data forever. Once you no longer need it, delete it or anonymise it, and write down how long you keep each type of record so you can show your reasoning. For financial records there is a clear rule: HMRC requires the self-employed to keep records for at least five years after the 31 January filing deadline of the tax year they relate to, so there's a legitimate reason to hold onto invoicing data for that period. But that old mailing list from a project you ran three years ago? It might be time for a clear-out.
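As an added example (not from the original post), here is a small Python script that applies a written-down retention policy to a spreadsheet export of client records and reports which rows are due for deletion or anonymisation. The rows are constructed sample data, the two-year retention period for marketing-list entries is an assumed policy the trader has chosen, and the invoice rule encodes HMRC's five-years-after-the-31-January-deadline requirement for the self-employed. Any row it cannot classify goes into a "review" bucket rather than being silently kept or deleted.

```python
"""Retention sweep for a sole trader's client records.

Added example, not part of the original post. Sample rows are constructed;
the 2-year marketing retention period is an assumed policy, and the invoice
rule is HMRC's "5 years after the 31 January filing deadline" rule for the
self-employed. Run as a script it prints a dry-run report; nothing is deleted.
"""
import csv
import io
from datetime import date

# Constructed sample data in the shape of a spreadsheet export (not real people).
SAMPLE_CSV = """name,email,category,last_activity
Alice Example,alice@example.com,invoice,2019-11-03
Bob Example,bob@example.com,invoice,2024-06-14
Carol Example,carol@example.com,mailing_list,2022-01-20
Dan Example,dan@example.com,mailing_list,2025-09-02
Eve Example,eve@example.com,notes,2021-05-05
"""

# Assumed policy: marketing-list entries are kept for two years of inactivity.
MARKETING_RETENTION_YEARS = 2


def add_years(d: date, n: int) -> date:
    """Add n years, clamping 29 February to 28 February in non-leap years."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)


def tax_year_end(d: date) -> date:
    """The UK tax year runs 6 April to 5 April; return the 5 April that closes d's year."""
    start_year = d.year if d >= date(d.year, 4, 6) else d.year - 1
    return date(start_year + 1, 4, 5)


def invoice_delete_after(last_activity: date) -> date:
    """HMRC rule for the self-employed: keep records for 5 years after the
    31 January filing deadline of the tax year the record belongs to."""
    filing_deadline = date(tax_year_end(last_activity).year + 1, 1, 31)
    return add_years(filing_deadline, 5)


def retention_deadline(category: str, last_activity_iso: str) -> str:
    """ISO date after which a record of this category should be deleted or anonymised."""
    last = date.fromisoformat(last_activity_iso)
    if category == "invoice":
        return invoice_delete_after(last).isoformat()
    if category == "mailing_list":
        return add_years(last, MARKETING_RETENTION_YEARS).isoformat()
    raise ValueError(f"no retention rule written down for category {category!r}")


def sweep(csv_text: str, today_iso: str) -> dict[str, list[str]]:
    """Sort each row's email into 'delete', 'keep' or 'review'.

    A dry run: it reports, it does not delete. Rows land in 'review' when the
    category has no written rule or the date is unparseable; a record with no
    retention period is a storage-limitation gap, not something to keep by default.
    """
    today = date.fromisoformat(today_iso)
    buckets: dict[str, list[str]] = {"delete": [], "keep": [], "review": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            deadline = date.fromisoformat(
                retention_deadline(row["category"], row["last_activity"])
            )
        except ValueError:
            buckets["review"].append(row["email"])
            continue
        buckets["delete" if today > deadline else "keep"].append(row["email"])
    return buckets


if __name__ == "__main__":
    for bucket, emails in sweep(SAMPLE_CSV, date.today().isoformat()).items():
        print(f"{bucket}: {', '.join(emails) or '-'}")
```

Point it at your own export by swapping the constructed CSV for a file read, and keep the printed report: it doubles as the record that you reviewed retention on that date, which is the accountability side of the same principle.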

Accuracy and Security

Keep personal data accurate and up to date, and protect it with security measures appropriate to the risk. For a sole trader, that means things like using strong passwords, keeping software updated, turning on disk encryption so a lost laptop doesn't become a reportable breach, limiting which apps and people can see client details, and not leaving them lying around in unprotected spreadsheets or shared folders.

Practical Steps for Sole Traders

Right, let's get into the specifics of what you actually need to do. This isn't an exhaustive legal guide, but it covers the essentials for most sole traders.

1. Register with the ICO (If Required)

Most organisations that process personal data need to register with the ICO and pay an annual data protection fee. Most sole traders and micro organisations fall into Tier 1, the lowest band. For several years the Tier 1 fee was £40 per year (£35 by direct debit); it rose to £52 in February 2025, with a £5 discount for direct debit, so check the ICO's fees page for the current figure before you pay. Register directly on the ICO website; the ICO has warned about third parties sending official-looking fee demands that charge more than the ICO itself.

There are some exemptions. For example, you don't need to pay the fee if the only personal data you process is for staff administration, keeping your own accounts and records, or advertising and marketing your own business, or if you only hold records on paper rather than on a computer. But the exemptions are narrow (a contact form, CRM or mailing list used for anything beyond those purposes takes you outside them), and the fee is modest, so it's often simpler just to register. You can check whether you need to register using the ICO's self-assessment tool on their website.

2. Write a Privacy Policy

If you have a website, you almost certainly need a privacy policy. Even if you don't have a website, it's good practice to have a document that explains what personal data you collect, why you collect it, and what you do with it. We've written a detailed guide on this — have a read of Do I Need a Privacy Policy for My Business Website? for the full breakdown.

Your privacy policy should cover:

  • Who you are and how to contact you
  • What data you collect and why
  • Your lawful basis for processing
  • Who you share data with (including any third-party services you use)
  • How long you keep data
  • People's rights regarding their data
  • How to make a complaint to the ICO

3. Get Your Consent Mechanisms Right

If you're collecting email addresses for a newsletter or marketing purposes, you need proper consent under UK GDPR, and for electronic marketing the Privacy and Electronic Communications Regulations (PECR) apply on top. That means:

  • No pre-ticked boxes, and no consent bundled into your terms and conditions
  • Clear explanation of what people are signing up for and how often you'll email them
  • Easy opt-out (an unsubscribe link in every email, honoured promptly)
  • Records of when, how and to what each person consented, so you can show it if challenged

If you're using a service like Mailchimp or ConvertKit, most of these features are built in. Just make sure you're actually using them properly: turn on double opt-in, don't import addresses you collected for some other purpose, and remember that the provider is processing data on your behalf, so it belongs in your privacy policy's list of third parties.

4. Secure Your Data

You don't need enterprise-grade cybersecurity, but you do need to take reasonable steps. For a sole trader, that typically means:

  • Using strong, unique passwords for each service (a password manager helps enormously)
  • Enabling two-factor authentication wherever possible, starting with your email account, since whoever controls that can reset everything else
  • Keeping your devices and software up to date, and turning on full-disk encryption (FileVault on a Mac, BitLocker on Windows) and a screen lock
  • Keeping client data out of personal messaging apps, which are hard to search, export and delete when a subject access request or a retention clear-out comes round
  • Encrypting sensitive files and keeping backups you have actually tested restoring from
  • Not storing client data on unencrypted USB drives or in cloud folders shared by open link

5. Know How to Handle a Data Subject Access Request

Under UK GDPR, individuals have the right to request a copy of any personal data you hold about them. This is called a Subject Access Request (SAR). You have one calendar month to respond, counted from the day you receive the request, and you can extend that by up to two further months only if the request is genuinely complex. The request doesn't have to use the words "subject access request" or arrive through any particular channel; a plain email asking "what do you hold on me?" counts. You normally can't charge a fee.

For a sole trader, this is usually straightforward. Confirm you're dealing with the person the data is about (or someone acting for them) if you aren't sure, then pull together their contact details, invoices, emails, messages and notes and send them a copy, along with the purposes, retention period and recipients from your privacy policy. Remove anything that identifies other people, such as another client mentioned in the same email thread. The key thing is to respond promptly and thoroughly, which is much easier if client data lives in a few known places rather than scattered across personal accounts.

6. Have a Plan for Data Breaches

If personal data is accidentally or unlawfully destroyed, lost, altered, disclosed or accessed without authorisation, that's a data breach. Under UK GDPR you must report a breach to the ICO within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to people's rights and freedoms (a lost laptop with full-disk encryption and a safe password usually falls in that category; an unencrypted one does not). If the breach is likely to result in a high risk to individuals, you must also tell the affected people without undue delay.

For a sole trader, a data breach might look like losing an unencrypted laptop with client details on it, accidentally sending client information to the wrong person, or having your email account hacked.

Have a simple plan in place: know the ICO's online reporting process, keep a log of every breach including the ones you decide not to report and why, and act quickly if something goes wrong. Change the compromised password and sign out other sessions, revoke any access that was exposed, ask the recipient of a mis-sent email to delete it, and work out whose data was involved before the 72 hours run out.

Common Mistakes Sole Traders Make

Let's look at some of the most frequent GDPR slip-ups we see among sole traders and freelancers.

Ignoring GDPR Entirely

The most common mistake is assuming it doesn't apply to you. It almost certainly does. Even if the ICO is unlikely to come knocking at your door tomorrow, a complaint from a disgruntled client or customer could trigger an investigation. And beyond legal risk, good data protection practices build trust with your clients.

Overcomplicating Things

On the flip side, some sole traders get so overwhelmed by GDPR that they either panic or spend thousands on unnecessary legal advice. For most small businesses, compliance is a matter of common sense, transparency, and good record-keeping. You don't need a 40-page privacy policy or a dedicated compliance team.

Using Personal Accounts for Business

Mixing personal and business email accounts, cloud storage, or messaging apps makes data protection harder. It's much easier to manage and secure client data when it's kept separate from your personal life. Tools like Accounted can help by keeping your financial data organised and secure in one place, rather than scattered across personal spreadsheets and email inboxes.

Not Keeping Records

UK GDPR requires you to be able to demonstrate compliance. That means keeping records of what data you process, why, and on what legal basis. For a sole trader, this doesn't need to be elaborate — a simple document outlining your data processing activities is usually sufficient.

What Happens If You Get It Wrong?

The ICO has the power to issue fines for GDPR breaches, and the maximum penalties are eye-watering: up to £17.5 million or 4% of annual worldwide turnover, whichever is higher. In practice, fines against sole traders are extremely rare and tend to be much smaller. The ICO generally takes a proportionate approach and is more likely to issue a warning, a reprimand or an enforcement notice for a first offence by a small business.

That said, the reputational damage from a data breach or a complaint can be significant, especially for a sole trader whose business relies on personal relationships and trust. Getting the basics right is simply good business practice.

GDPR Doesn't Have to Be Scary

The bottom line is this: GDPR compliance for sole traders is mostly about being sensible, transparent, and organised. Collect only the data you need, keep it secure, be honest with people about what you're doing with their information, and delete it when you no longer need it.

If you take those basic steps, you'll be well on your way to compliance — and you'll be building a more trustworthy, professional business in the process.

Accounted helps UK sole traders stay on top of their bookkeeping and tax. Start your free 30-day trial at getaccounted.co.uk
