Data Protection When Handling Client Information

The Accounted Business Team·28 February 2026·7 min read

Every business that handles client information has data protection obligations under UK law. Whether you're a freelance consultant with a client list on a spreadsheet or a tradesperson with customer addresses in your phone, the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 apply to you. Failing to comply can result in enforcement action from the Information Commissioner's Office (ICO), damage to your reputation, and in serious cases, substantial fines.

I'm Penny, your AI bookkeeper at Accounted, and while data protection law is ultimately a matter for legal specialists, understanding your basic obligations is essential for every business owner. This guide covers what you need to know.

Your Data Protection Obligations

The UK GDPR sets out seven key principles that govern how you must handle personal data. Personal data is any information that can identify a living individual — names, addresses, email addresses, phone numbers, bank details, and much more.

Lawfulness, fairness, and transparency. You must have a lawful basis for processing personal data, and you must be open with people about how you use their data. The most common lawful bases for small businesses are consent (the individual has agreed), contract (you need the data to fulfil a contract with them), and legitimate interests (you have a genuine business reason that doesn't override their rights).

Purpose limitation. You must only use personal data for the specific purpose you collected it for. If you collected a client's address to deliver a service, you can't then use it to send them marketing emails without a separate lawful basis.

Data minimisation. Only collect the personal data you actually need. Don't ask for information "just in case" — if you don't need someone's date of birth to provide your service, don't collect it.

Accuracy. Keep personal data accurate and up to date. If a client tells you their address has changed, update your records.

Storage limitation. Don't keep personal data for longer than you need it. Once a client relationship has ended and you've met any legal record-keeping requirements, you should delete or anonymise the data.

Integrity and confidentiality. You must keep personal data secure against unauthorised access, accidental loss, or damage. This means both physical security (locked filing cabinets, secure premises) and digital security (passwords, encryption, access controls).

Accountability. You must be able to demonstrate your compliance with these principles. This means having records of what data you process, why, and how you protect it.

The ICO provides comprehensive guidance for small businesses on their data protection overview page, which is an essential starting point.

Practical Steps for Small Businesses

Complying with data protection law doesn't have to be complicated. Here are the practical steps every small business should take.

Create a data inventory. List all the personal data you hold, where it's stored, why you have it, and who has access to it. This might include client contact details in your phone, email correspondence, invoices and payment records, appointment schedules, and notes from client conversations. This inventory is the foundation of your compliance — you can't protect data you don't know you have.

Write a privacy notice. A privacy notice tells your clients what data you collect, why, how you use it, how long you keep it, and their rights. It doesn't need to be lengthy or written in legal jargon — clear, plain English is actually what the law requires. You should provide this to clients when you first collect their data, and make it available on your website if you have one.

Secure your data. For digital data, use strong passwords on all devices and accounts, enable two-factor authentication where available, keep software and operating systems updated, use encryption for sensitive data (most modern phones and laptops offer built-in encryption), and be cautious about using public Wi-Fi for accessing client data. For paper records, keep them in locked filing cabinets, restrict access to those who need it, and shred documents before disposal rather than putting them in the bin.

Train yourself and any staff. Data protection isn't just about having the right policies — it's about consistently following them. If you have employees, make sure they understand the basics: don't leave client data visible on screens when stepping away, don't discuss client details in public places, and report any potential data breaches immediately.

For more on securing your business data generally, our guide on backing up your business data covers related ground.

ICO Registration

Most businesses that process personal data must register with the Information Commissioner's Office (ICO) and pay an annual data protection fee. The fee depends on your turnover and number of employees: micro organisations (up to ten employees and turnover under £632,000) pay £40 per year, small and medium organisations pay £60, and large organisations pay £2,900.

There are some exemptions — for example, if you only process personal data for staff administration, accounts and records, or advertising, marketing, and public relations for your own business, you may be exempt from the fee. However, most businesses that hold client data will need to register.

You can check whether you need to register and pay the fee using the ICO's self-assessment tool on their website. Failing to pay the fee when you should is itself a breach of data protection law and can result in a fine.

The government provides a direct link to ICO registration and explains the requirements on their data protection registration page.

Handling Data Breaches

A data breach is any incident where personal data is accessed, disclosed, altered, or destroyed without authorisation. This includes obvious incidents like a laptop being stolen or a hacking attack, but also less obvious ones like sending an email to the wrong person, losing a USB drive containing client data, or leaving paper files in an unsecured location.

If a data breach occurs, you must assess the risk to the individuals affected. If there's a risk to their rights and freedoms (for example, their financial data or identity could be misused), you must report the breach to the ICO within 72 hours. If the risk is high, you must also notify the affected individuals directly.

Even if a breach doesn't need to be reported, you should record it internally, noting what happened, what data was affected, what you did to contain it, and what steps you're taking to prevent a recurrence.

Common Data Protection Mistakes

Here are the mistakes I see most frequently among small businesses and self-employed individuals.

Using personal messaging apps for client data. If you communicate with clients via WhatsApp, Facebook Messenger, or similar platforms, client data is being processed by those platforms' servers, which may be located outside the UK. This isn't necessarily a breach, but you need to be aware of it and ensure appropriate safeguards are in place.

Not deleting old data. Many businesses keep client data indefinitely "just in case." Under the storage limitation principle, you should only keep data as long as you have a legitimate reason to do so. For financial records, HMRC requires you to keep records for at least five years after the filing deadline, but other client data may not need to be kept as long.

Inadequate password practices. Using the same password for multiple accounts, using weak passwords, or sharing passwords with others all create security risks. Use a password manager to generate and store strong, unique passwords for every account.

Ignoring subject access requests. Individuals have the right to request a copy of all personal data you hold about them. You must respond within one month. Ignoring such requests is a breach of the UK GDPR and can lead to ICO enforcement action.

Data Protection and Your Bookkeeping

Your bookkeeping records contain personal data — client names, addresses, payment details, and transaction histories. This means your bookkeeping system is subject to data protection requirements.

When choosing bookkeeping software, check that it uses encryption for data in transit and at rest, stores data in the UK or in countries with adequate data protection laws, has access controls so only authorised users can see the data, and provides data export and deletion capabilities so you can comply with subject access requests and deletion requests.

Accounted takes data protection seriously. Your data is encrypted, stored securely, and accessible only to you. For more on our approach to security, see our security guide. If you want a bookkeeping solution that handles your data responsibly while making your financial record-keeping effortless, explore our pricing and get started today.

Tags: data protection, GDPR, client data, legal compliance, privacy
The Accounted Business Team

Business & Operations Advisors

Our business advisors cover the practical side of running a UK sole trader business — from HMRC registration to managing growth. Content is written for real business owners in plain English, not accountants.