Quick answer
If your trades business holds a single customer name, phone number, or address, UK GDPR applies to you. Most sole traders pay a £52 annual data protection fee to the ICO (£47 by Direct Debit), need a written privacy notice, written consent before posting customer property on social media, and a sensible retention policy for the WhatsApp chats, job photos, and quote PDFs sitting on your phone. The fines are theoretical for most small trades, but ICO reprimands and customer complaints are not, and the work to get compliant is a quiet weekend, not a six month project.
Table of contents
- Why GDPR actually applies to your trade business
- The £52 fee most trades quietly ignore
- The seven principles in plain English
- Customer data: what you collect and how to hold it
- Job photos: the part most trades get wrong
- WhatsApp, texts, and the records you forgot you keep
- The privacy notice your website needs
- What actually happens when it goes wrong
- A 60 minute compliance audit you can run today
- AI tools that take the admin off your plate
- Frequently asked questions
- My verdict
Why GDPR actually applies to your trade business
I speak to a lot of trades business owners who think GDPR is a corporate problem. Big firms, marketing teams, IT departments. Not a one van plumber. That assumption is wrong, and it has been wrong since 2018.
UK GDPR applies to anyone who processes personal data in the course of business. Personal data means any information that can identify a living person. A customer name on a quote is personal data. A phone number in your contacts is personal data. A photo of someone's kitchen with their address attached is personal data. A WhatsApp thread that says "Mrs Patel at 14 Acacia Avenue, boiler isolated, will return Tuesday" is a small but live record of three pieces of personal data.
You do not need to be a tech company. You do not need a website. You do not need staff. If you take a deposit, send an invoice, or text a customer a photo of their finished bathroom, the regulator considers you a data controller, and you have a set of duties that come with that.
The good news is the duties are mostly common sense. The bad news is most trades businesses have never written any of it down, which is the bit that catches you out when a complaint lands.
The £52 fee most trades quietly ignore
Before you read another word about consent forms, do this. Go and check whether you are registered with the Information Commissioner's Office. The vast majority of trades businesses I speak to have never paid the data protection fee, and a good chunk of them legally should be.
The fee is set by the Data Protection (Charges and Information) Regulations 2018. It pays for the ICO's running costs. There are three tiers. Tier 1 is £52 a year and covers micro organisations, which means most sole traders and small trades firms: ten staff or fewer, or turnover up to £632,000. Tier 2 is £78 for small and medium organisations. Tier 3 is £3,763 for large organisations, which is not you.
If you pay by Direct Debit, you knock £5 off the Tier 1 and Tier 2 fees. Most one van trades end up paying £47 a year. That is the price of a decent breakfast and a fill of red diesel.
There are exemptions. If you only hold personal data on paper, in a notebook that never gets digitised, and you never use a computer or smartphone to store customer details, you may be exempt. In 2026, that is almost no trades business. The moment a customer name lands in your phone contacts or your Gmail, that exemption falls away. There are other narrow exemptions for specific purposes, such as staff administration and keeping accounts and records, but do not assume one covers you: the ICO self assessment asks the questions that decide it.
Go to ico.org.uk, take the registration self assessment, and if you need to register, pay the fee. It is the cheapest piece of compliance you will ever buy, and it is the single thing the ICO is most likely to chase you for.
The seven principles in plain English
Article 5 of UK GDPR sets out seven data protection principles. They are the spine of the whole regime. If you understand these in plain English, the rest of the rules make sense.
Number one is lawfulness, fairness, and transparency. You need a legal reason to hold the data, you should not be sneaky about it, and people should know what you are doing with their details. For most trades work, the legal reason is "contract" because you are processing the customer's data to deliver the job they hired you to do.
Number two is purpose limitation. You collect data for a stated purpose, and you do not quietly start using it for something else. If a customer gives you their phone number so you can confirm an appointment, you cannot bolt them onto a marketing list a year later and start texting them about boiler servicing without asking.
Number three is data minimisation. Only collect what you actually need. If you do not need a customer's date of birth for the job, do not write it down. The less you hold, the less you can lose.
Number four is accuracy. Keep records up to date and correct mistakes when people point them out. If a customer changes their phone number, update it. Do not keep ghost entries forever.
Number five is storage limitation. Do not hold data for longer than you need it. HMRC's baseline is five years after the 31 January filing deadline for a sole trader's self assessment records and six years for a limited company, so six years is the safe default retention period for invoices and job records. After six years, archive or delete.
Number six is integrity and confidentiality, which is the security principle. Lock your phone, set a password on your laptop, use a proper cloud account rather than emailing yourself screenshots. You do not need ISO 27001. You do need the basics.
Number seven is accountability. You can demonstrate that you do all of the above. This is the bit that almost nobody does. Accountability means having a written record, however brief, of how you handle data. Two sides of A4 is fine.
Customer data: what you collect and how to hold it
Sit down for ten minutes and write a list of every place a customer name or number lives in your business. Go through it system by system. You will be surprised how long the list gets.
The phone contacts. The text message thread. The WhatsApp chat. The email inbox. The job management software. The invoicing tool. The accountant's portal. The Google Drive folder of quote PDFs. The scribbled notebook in the van. The handful of business cards in the centre console.
That list is your data inventory, and the ICO calls it a Record of Processing Activities. You do not need a fancy template. A spreadsheet with five columns will do: what data you hold, where it lives, why you hold it, how long you keep it, and who you share it with.
For most trades, the data categories break down into customer contact details, job site addresses, payment information, job photos and videos, employee records, supplier contact details, and marketing list members. Seven rows in a spreadsheet covers the lot.
Once you have the inventory, the security work follows naturally. Anything sitting on your personal device needs a screen lock and a strong PIN. Anything in the cloud needs two factor authentication. Anything shared with a third party needs a written agreement, which is usually just the terms of service you already accepted when you signed up. Anything older than six years that you do not have a tax reason to keep should be deleted.
Job photos: the part most trades get wrong
This is the bit that drops most trades businesses into hot water, because the rules around photos are stricter than people think and the temptation to post before and afters is real.
A photo of your finished work is personal data when it identifies a person or a location associated with a person. A boiler on a wall is fine. A boiler on a wall with a house number visible on the front door is not. A finished bathroom is fine. A finished bathroom with a family photo on the windowsill is not. A van outside a property is fine. A van outside a property tagged with the postcode is not.
The rule is simple. If the image could be linked back to a specific household, you are processing personal data, and you need a lawful basis. For customer photos, that lawful basis is almost always consent, because the customer is not a member of the public being captured incidentally. They are the person who hired you.
Consent under GDPR has to be specific, informed, freely given, and recorded. A vague "is it alright if I take a photo for my Instagram" while you pack up the van is not enough. You need to tell them what the photo will be used for, where it will be posted, how long it will be kept, and that they can withdraw consent later.
The practical fix is a one paragraph photo consent box on your quote sheet. Two tick boxes. One for taking photos for your own records. One for using photos in marketing. The customer signs once, you keep the signed quote, and you have a defensible audit trail. That is it.
If you want a quick rule of thumb on the photos themselves: blur house numbers, frame out doormats with surnames, never include people's faces unless they have signed, and never post a photo with a geotag turned on. The metadata leaks more than the image.
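The geotag warning above is a metadata problem, and you can check for it before a photo goes anywhere. The following Python script is an added example, not code from the original article: with nothing but the standard library it reads the Exif block of a JPEG, reports any embedded GPS coordinates, and strips the Exif segment while leaving the image data alone. The sample JPEG it builds is constructed for the demonstration (a valid segment layout, not a decodable picture) and the coordinates inside it are made up.

```python
import struct

# JPEG markers and the Exif/TIFF tags this script cares about
SOS, APP1 = 0xFFDA, 0xFFE1
TAG_GPS_IFD = 0x8825                      # IFD0 entry that points at the GPS IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004


def _segments(data):
    """Yield (marker, start, end) for each header segment up to the scan start.
    start/end bound the whole segment, marker bytes included."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(data):
        marker = struct.unpack(">H", data[pos:pos + 2])[0]
        if marker == SOS:                 # entropy coded data follows; nothing more to parse
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _read_ifd(tiff, offset, order):
    """Return {tag: (type, count, 4 raw value/offset bytes)} for one TIFF IFD."""
    n = struct.unpack(order + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(n):
        e = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(order + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, count, tiff[e + 8:e + 12])
    return entries


def _dms(tiff, order, entry):
    """Decode a count-3 RATIONAL entry (degrees, minutes, seconds) into decimal degrees."""
    _typ, count, raw = entry
    off = struct.unpack(order + "I", raw)[0]
    v = struct.unpack(order + "II" * count, tiff[off:off + 8 * count])
    deg, mins, secs = (v[i] / v[i + 1] for i in range(0, 6, 2))
    return deg + mins / 60 + secs / 3600


def exif_gps(jpeg):
    """Return (lat, lon) in decimal degrees if the JPEG carries GPS Exif data, else None."""
    for marker, start, end in _segments(jpeg):
        payload = jpeg[start + 4:end]
        if marker != APP1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff = payload[6:]
        order = "<" if tiff[:2] == b"II" else ">"
        ifd0 = _read_ifd(tiff, struct.unpack(order + "I", tiff[4:8])[0], order)
        if TAG_GPS_IFD not in ifd0:
            return None
        gps = _read_ifd(tiff, struct.unpack(order + "I", ifd0[TAG_GPS_IFD][2])[0], order)
        if GPS_LAT not in gps or GPS_LON not in gps:
            return None
        lat, lon = _dms(tiff, order, gps[GPS_LAT]), _dms(tiff, order, gps[GPS_LON])
        if gps.get(GPS_LAT_REF, (0, 0, b"N"))[2][:1] == b"S":
            lat = -lat
        if gps.get(GPS_LON_REF, (0, 0, b"E"))[2][:1] == b"W":
            lon = -lon
        return round(lat, 6), round(lon, 6)
    return None


def strip_exif(jpeg):
    """Return a copy with every APP1 Exif segment removed; pixel data is untouched."""
    out, last = bytearray(jpeg[:2]), 2
    for marker, start, end in _segments(jpeg):
        if marker == APP1 and jpeg[start + 4:start + 10] == b"Exif\x00\x00":
            out += jpeg[last:start]       # keep everything up to the Exif segment
            last = end                    # and skip over it
    out += jpeg[last:]
    return bytes(out)


def build_sample_jpeg():
    """Constructed input: a JPEG skeleton whose Exif GPS IFD reads 51 30' 26\" N, 0 7' 39\" W.
    Valid segment layout for the parser above, not a decodable picture."""
    o = "<"                                # little-endian ("II") TIFF

    def entry(tag, typ, count, value4):
        return struct.pack(o + "HHI", tag, typ, count) + value4

    # Offsets within the TIFF block: header 0..8, IFD0 @8, GPS IFD @26, lat @80, lon @104
    tiff = b"II" + struct.pack(o + "HI", 42, 8)
    tiff += struct.pack(o + "H", 1) + entry(TAG_GPS_IFD, 4, 1, struct.pack(o + "I", 26))
    tiff += struct.pack(o + "I", 0)        # no IFD1
    tiff += struct.pack(o + "H", 4)
    tiff += entry(GPS_LAT_REF, 2, 2, b"N\x00\x00\x00")
    tiff += entry(GPS_LAT, 5, 3, struct.pack(o + "I", 80))
    tiff += entry(GPS_LON_REF, 2, 2, b"W\x00\x00\x00")
    tiff += entry(GPS_LON, 5, 3, struct.pack(o + "I", 104))
    tiff += struct.pack(o + "I", 0)
    tiff += struct.pack(o + "IIIIII", 51, 1, 30, 1, 26, 1)   # latitude as rationals
    tiff += struct.pack(o + "IIIIII", 0, 1, 7, 1, 39, 1)     # longitude as rationals
    app1 = b"Exif\x00\x00" + tiff
    jpeg = b"\xff\xd8"
    jpeg += b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
    jpeg += b"\xff\xfe" + struct.pack(">H", 9) + b"comment"   # COM segment, must survive
    jpeg += b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"  # SOS header
    return jpeg + b"\x12\x34\x56" + b"\xff\xd9"


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("geotag found:", exif_gps(sample))             # (51.507222, -0.1275)
    print("after strip:", exif_gps(strip_exif(sample)))  # None
```

Point strip_exif at the bytes of a real photo and write the result to a new file before uploading it; the JPEG pixel data is copied through untouched, only the Exif container goes. It drops the whole Exif block rather than just the GPS tags because camera model, timestamp and embedded thumbnail can identify a job almost as well as coordinates can, and a thumbnail is not always re-cropped when you crop the main image.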
WhatsApp, texts, and the records you forgot you keep
WhatsApp is where most trades businesses are quietly non compliant, because nobody thinks of a chat as a database. It is a database. Every contact is personal data. Every shared address is personal data. Every photo of a customer property is personal data. The Information Commissioner's Office treats WhatsApp messages exactly the same as a CRM record.
That has two practical implications. First, if a customer makes a Subject Access Request, which is their right to ask what data you hold about them, you have to search WhatsApp and produce the relevant messages. You have one calendar month to respond, free of charge. Second, the storage limitation principle applies. Old chats from finished jobs should not sit on your phone forever.
For texts and SMS, the rules are the same. The Privacy and Electronic Communications Regulations layer on top, restricting unsolicited marketing texts, but transactional messages about a live job are fine.
The clean solution is to move customer chat into a proper job management tool with a clear retention policy. The pragmatic solution is to set a quarterly diary reminder to archive and delete WhatsApp threads for jobs that closed more than a year ago, unless you have an active dispute or warranty period running.
The privacy notice your website needs
Every trades business website that collects a single email address through a contact form needs a privacy notice. If you have a "request a quote" box, you need one. If you have a Mailchimp signup, you need one. If you embed a Google Map or run Google Analytics, you need a cookie banner alongside it.
A privacy notice is a plain English page that explains who you are, what data you collect, why, on what legal basis, who you share it with, how long you keep it, and what rights the customer has. The ICO publishes a free template for small businesses on their website. Copy it, change the names, publish it, link it from the footer.
The privacy notice also covers your obligations under the Privacy and Electronic Communications Regulations. PECR sits alongside UK GDPR and governs direct marketing by email, text, and phone. The relevant rule for trades is simple: you can email or text past customers about your own similar services under the soft opt in, provided you gave them a chance to opt out when you collected their details and you offer an opt out in every message. Cold email or text marketing to people who have never bought from you needs their explicit consent.
What actually happens when it goes wrong
The £17.5 million headline fine number gets a lot of press, but it is the absolute maximum and it is reserved for organisations the size of Capita or British Airways. The actual enforcement pattern for small businesses looks very different.
The ICO uses a proportionate and risk based approach. For minor breaches with good faith and quick remediation, action is usually limited to a reprimand or a request for an action plan. Serious breaches, repeated failures, or ignored warnings are where real fines start.
The closest case study to a trades business in recent ICO enforcement is DPP Law, a Merseyside firm fined £60,000 in April 2025 after a cyber attack exposed client data. The fine focused on basic security failings and on the breach being reported well outside the 72 hour window. It is a useful proxy for what the ICO expects of small organisations: take security seriously, report qualifying breaches within 72 hours of becoming aware of them, and be honest when something goes wrong.
The wider trend is towards larger penalties. The ICO issued 28 monetary penalty notices in 2025, the highest annual total since UK GDPR came into force, with the average fine rising from £150,000 to over £2.8 million. That sounds scary, but the cases driving the average are large security breaches at large organisations, not one van plumbers.
The realistic risk for a trades business is a customer complaint that escalates to the ICO. The customer asks for their data, you cannot produce it within a month, the ICO writes to you, you ignore the letter, and now you have a reprimand on the public register that pops up the next time a commercial client googles your firm. That is the scenario to plan for.
A 60 minute compliance audit you can run today
This is the practical bit. Block 60 minutes in the diary, brew a coffee, and work through these seven steps. By the end, you will know exactly where you stand and what is left to fix.
- ICO registration check (5 minutes). Search the ICO register of fee payers for your business name. If you are not there, run the registration self assessment at ico.org.uk and pay the £52 fee if needed.
- Data inventory (15 minutes). Open a spreadsheet. Five columns: data, location, purpose, retention, shared with. Walk through every system and tool. Write one row per data type.
- Security basics (10 minutes). Check that your phone has a screen lock and biometric ID, and that remote wipe (Find My on iPhone, Find My Device on Android) is switched on. Check that two factor authentication is on for your email, your CRM, and your accounting software. Update any device that is out of date.
- Photo consent (10 minutes). Add a one paragraph photo consent box to your quote template with two tick boxes, one for records and one for marketing. Replace your existing template across whichever software you quote from.
- Privacy notice (10 minutes). Pull the ICO small business template. Change the names. Publish it as a page on your website with a footer link. If you do not have a website, write a one page version and email it to customers when you take on a job.
- WhatsApp clean up (5 minutes). Set a recurring quarterly diary reminder titled "WhatsApp retention review." When it fires, archive and delete chats from jobs that closed over a year ago and have no live warranty.
- Breach response plan (5 minutes). Write down, on one side of A4, what you will do if you lose your phone or laptop, or accidentally email the wrong customer. Step one: contain. Step two: assess. Step three: report to the ICO within 72 hours if it crosses the harm threshold. Save the ICO breach reporting link in your phone notes.
That is the lot. You are now further along the GDPR compliance road than 80 percent of trades businesses I speak to, and you spent less than the cost of a tank of diesel and an hour of your time.
AI tools that take the admin off your plate
The bit that has changed in the last two years is how cheap it has become to automate the boring compliance work. You do not need a data protection officer. You need a couple of tools and a quiet hour to set them up.
For drafting a privacy notice or a customer photo consent paragraph, Claude or ChatGPT will write you a plain English first draft in two minutes. Feed it the ICO template, tell it what your business does, and ask for a version tailored to a UK trades firm. Always read what it produces before you publish it, because the model can quietly invent legal references. Treat it as a fast typist, not a solicitor.
For auditing your existing customer database, AI is useful in a different way, but be careful what you feed it. Pasting a CSV of customer records into a chatbot is itself a disclosure of personal data to a third party, which needs its own lawful basis and processor terms, and it cuts against the data minimisation point you are trying to make. Give the model only the column headers from your export, with the prompt "Identify any personal data fields that are not necessary for delivering a trades service or meeting HMRC retention rules," and you will get a useful list back in seconds. It is the data minimisation principle, done in the time it takes the kettle to boil.
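A way to run that data minimisation check without handing the customer rows to anyone, added here as an example rather than code from the article: the script reads the CSV export locally, reports only column names and how many rows fill each one, and flags columns that fall outside a needed-fields list or whose headers suggest special category or payment data. The needed-fields list, the keyword list and the sample CSV (the names, 07700 numbers, addresses and card number are all made up) are assumptions for the demonstration; adjust the first two to match your own business.

```python
import csv
import io

# Assumption for this example: the fields a trades job and HMRC record keeping actually need.
# Anything else has to justify its place or go.
NEEDED = {"name", "phone", "email", "address", "postcode", "job_description",
          "quote_ref", "invoice_ref", "amount_paid", "job_date"}

# Header fragments that usually mean data you should not hold at all, or special
# category data (health etc.) that needs far stronger justification under UK GDPR.
RISKY = ("dob", "birth", "health", "medical", "disab", "religio",
         "ethnic", "card", "cvv", "ni_number", "national_insurance")

# Constructed sample export. The people, numbers, addresses and card number are invented.
SAMPLE_CSV = """name,phone,address,postcode,dob,health_notes,card_number,fax,job_description,invoice_ref
Mrs Patel,07700 900123,14 Acacia Avenue,LS1 1AA,1961-03-04,,,,boiler isolated and replaced,INV-1041
Mr Jones,07700 900456,2 Elm Close,LS2 2BB,,uses a wheelchair,4111111111111111,,bathroom refit,INV-1042
"""


def audit_columns(csv_text):
    """Return {column: {"filled": n, "rows": total, "flags": [...]}}.
    Only headers and counts come out; no cell value is returned or printed,
    so the report itself is safe to paste into a chatbot or send to an adviser."""
    reader = csv.DictReader(io.StringIO(csv_text))
    rows = list(reader)
    report = {}
    for col in reader.fieldnames or []:
        key = col.strip().lower()
        filled = sum(1 for r in rows if (r.get(col) or "").strip())
        flags = []
        if key not in NEEDED:
            flags.append("not in needed set")
        if any(word in key for word in RISKY):
            flags.append("sensitive or high risk")
        if filled == 0:
            flags.append("empty, delete the column")
        report[col] = {"filled": filled, "rows": len(rows), "flags": flags}
    return report


def columns_to_review(csv_text):
    """Sorted list of column names that carry at least one flag."""
    return sorted(c for c, info in audit_columns(csv_text).items() if info["flags"])


if __name__ == "__main__":
    for col, info in audit_columns(SAMPLE_CSV).items():
        status = "; ".join(info["flags"]) or "ok"
        print(f"{col:16} {info['filled']}/{info['rows']} filled  {status}")
```

Run it against the export from your CRM or accounting tool and act on the flagged columns: delete the ones that are empty or that you cannot give a reason for, and for anything health related, work out whether you genuinely need it (an access note for a customer who uses a wheelchair is a legitimate job detail; a column called health_notes on every customer is not). Because only headers and counts leave the function, the printed report is the thing you can safely hand to an AI tool for a second opinion.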
For ongoing compliance, the job management platforms most trades already use have started baking GDPR features in. Look for built in data retention rules, customer self service portals where they can update their own details, and audit logs that show who accessed what record. If your current software lacks these, raise it with the supplier. Most are working on them.
The one thing AI cannot do is take responsibility. The data controller is you. If your tool deletes a customer record by mistake, the regulator looks at you, not the software vendor. Use the tools to make compliance faster. Do not use them to outsource the duty.
Frequently asked questions
If you store any customer name, phone number, or address on a phone, laptop, tablet, or in any cloud service, you almost certainly need to register with the ICO and pay the fee. The paper only exemption is technically available but rarely applies in practice in 2026. It is £47 a year by Direct Debit. Pay it, sleep better.
Technically the law looks at whether the image plus surrounding context could identify the person. If you have geotagged the post, tagged the customer, or named their road in the caption, you have created identifiable personal data even if the photo itself looks anonymous. The safe route is written consent on the quote.
You have one calendar month to respond. You can keep what you need for tax records, which is six years of invoices and job records under HMRC rules, but you must delete what is outside that. Search your phone, email, WhatsApp, cloud drive, and CRM. Confirm in writing what you have done.
Yes. The customer being a private homeowner is irrelevant. What matters is whether you, as a business, are processing personal data. The moment you write the customer's name on a quote, GDPR applies. The fact that the job is small does not change the rules, although it does affect what the ICO considers proportionate.
Probably yes. A lost device holding unencrypted customer data is a breach. Whether it is reportable depends on the likelihood of harm. Names and addresses on a phone with no screen lock are likely to be reportable. Names and addresses on a phone with biometric ID, remote wipe enabled, and full disk encryption usually are not. Document the decision either way.
Yes, with three changes. Set a retention rule, archive and delete old threads quarterly. Avoid sharing special category data such as health information through it. And when a customer asks what data you hold, remember to search WhatsApp alongside everything else.
The Data (Use and Access) Act 2025 became law on 19 June 2025, with its main reforms in force on 5 February 2026. For trades it adds a new seventh lawful basis called recognised legitimate interests, a simpler subject access request standard, and a complaint route through the controller before the ICO. It does not rewrite the core rules. Your existing setup still works.
My verdict
The thing I want trades business owners to take away is this. GDPR is not a project. It is a habit. Pay the £52 fee, write a five column data inventory, sort out photo consent on your quote, lock your devices, set a WhatsApp clean up reminder, and publish a privacy notice. That is the lot for 90 percent of trades firms. The compliance work I keep seeing botched is the work nobody started, not the work done badly. Block 60 minutes this week, run the audit in this article, and you will be ahead of most of the industry by Monday morning. The ICO is not coming to fine you. A complaint from a single unhappy customer is the thing that finds you, and the trade firms who survive that complaint are the ones who can produce a one page record of how they handle data when the regulator asks.
If you want a deeper read on the other compliance landmines worth knowing about, the asbestos survey guide, the building control notifications guide, and the Building Safety Act overview sit alongside this one in the academy. The pattern is the same in all of them. Write it down, do the basics well, and the regulator rarely needs to bother you.