
If you work for yourself, chances are you’ve ended up with someone else’s personal details at some point. Maybe a client’s address, a customer’s payment info, or an enquiry that landed in your inbox and never got deleted.
You might not think of that as “processing data”, but in the eyes of the law, it probably is. And even as a sole trader or freelancer, UK data protection rules still apply to you.
Here’s what you need to know to stay on the right side of the law without getting buried in red tape.
What rules apply now?
The old Data Protection Act 1998 was replaced years ago. These days, the laws you need to be aware of are the UK GDPR and the Data Protection Act 2018. The Information Commissioner’s Office (ICO) is the body that enforces them.
If you store, use, or manage any information about living people as part of your work, you’re likely classed as a data controller. That includes things like customer lists, invoices with names and addresses, or even a one-off online order form.
Does this apply even if I’m a one-person business?
Yes. There’s no size threshold. If you handle personal data in any form, you’re in scope. That might be:
- Sending out quotes or invoices
- Storing client contact info on your phone or in Gmail
- Taking bookings through WhatsApp or social media
And if you ever deal with more sensitive information, such as someone’s medical condition, ethnicity, or criminal background, that’s classified as special category data. You’ll need to meet extra conditions to handle it lawfully.
How to protect data in practice
Know what data you’ve got and why
You don’t need a full audit, but take stock nonetheless. What data do you hold about people? Where do you keep it? Why are you holding onto it? Knowing this helps you avoid collecting too much or keeping things you don’t need.
If you’re unsure what counts as personal data, the ICO’s SME checklists are a good starting point.
Keep your data lean
Only collect what’s necessary. For example, if you don’t need someone’s date of birth, don’t ask for it. And don’t store old emails or client details “just in case” unless there’s a valid reason.
Write a short privacy statement
If you have a website or collect information in any way, it’s best to let people know what you’re doing with it. You don’t need anything fancy. Just explain what data you collect, why you need it, and how they can get in touch if they have a question.
Understand subject access requests
People have the right to ask what information you hold about them. These are known as subject access requests (SARs). You’ll normally have one calendar month to respond.
Do these rules apply to sole traders?
Yes. There’s no exemption just because you’re self-employed or work alone. If you collect, use, or store any data that relates to a living person and can identify them – either directly or indirectly – then you’re a data controller under the law.
Some common examples include:
- Client names, addresses, and contact details
- Invoices with payment information
- Employee or subcontractor records (even temporary staff)
If you handle more sensitive types of personal data, such as health information or ethnicity, then additional rules apply. This is now referred to as special category data under the UK GDPR.
Your main obligations under UK GDPR
The UK GDPR outlines seven key principles. They form the foundation of how you must handle data. In simple terms, you must:
- Be fair, lawful and transparent about what you do with data
- Only use it for the purposes you collected it for
- Only collect what’s necessary
- Keep it accurate and up to date
- Not hold it for longer than you need
- Protect it from loss, theft or misuse
There’s also a requirement to show accountability — meaning you need to document your decisions and have policies in place, even if your business is small.
What practical steps should self-employed people take?
1. Map the data you collect
Take time to list what types of personal data you handle, where you store it (email, cloud apps, hard drives), and why you collect it. This gives you a clear picture of your responsibilities.
If you’re not sure whether a type of data counts, the ICO checklists for small businesses are a good place to start.
2. Respond to subject access requests (SARs)
Anyone can ask to see the personal data you hold about them — and you must respond within one month. This applies to clients, contractors, and even people you’ve only dealt with once.
It’s important to know where your data is stored so you can respond fully and on time. You’re also not allowed to charge a fee for a request unless it’s excessive or repeated.
More guidance here: ICO – Right of access
3. Write a simple privacy notice
If you have a website, you must inform visitors about the personal data you collect, why you collect it, and how you use it. This is usually done via a privacy policy.
Even if you don’t have a website, if you collect customer info by phone, email or a form, you still need to be transparent about what you’re doing with that data.
4. Secure your data
This is especially important if you work remotely or store information on your personal laptop or phone. You should:
- Use strong, unique passwords and two-factor authentication
- Keep devices and apps updated
- Back up data securely, and check that the backups can actually be restored
- Encrypt devices and storage where possible
If you use third-party services, such as payroll providers, mailing tools, or cloud storage, ensure you have a proper contract in place. This is your responsibility under Article 28 of the UK GDPR.
5. Keep it lean
Ask yourself if you need the data you’re collecting. Don’t gather more than you need, and don’t keep old client data indefinitely. Have a clear process for deleting or archiving information when it’s no longer required.
6. If something goes wrong
If you lose data or it’s stolen (for example, if your laptop is stolen), you may need to report it to the ICO within 72 hours of becoming aware of it. You’ll need to demonstrate the steps you took to protect the data and explain how you’re mitigating the risk to individuals.
Learn more: How to report a breach – ICO
Summary
Even if you’re self-employed, you still need to understand your obligations under UK GDPR. Clients are increasingly aware of their data rights, and regulators are taking a stricter line on compliance failures.
The ICO can issue fines of up to £17.5 million or 4% of annual turnover. But most cases involving small businesses are handled through guidance or warnings — provided you take the rules seriously and act in good faith.
By keeping things transparent, secure and proportional, you’ll not only stay on the right side of the law – you’ll also build more trust with your clients.
