GDPR: A guide for self-employed tradespeople

1. What does the GDPR mean for tradespeople?

The GDPR means that businesses must change the way they store and manage personal data and give the individual (also known as a data subject) control over what happens with their data.

For tradespeople, this means their clients, customers, contractors, and any other data subjects have the following rights:

• The right to access their data at any time, free of charge.

• The right to know why their data is being used.

• The right to remove their data and permanently delete it.

• The right to transfer their data to another provider.

• The right to be informed that their data is being collected.

• The right to amend/correct their personal data.

• The right to restrict what their data is used for.

• The right to be notified within 72 hours if a data breach occurs.

The GDPR applies to any business that collects and processes data belonging to individuals living in the UK, regardless of the size of the business. This means that even small construction businesses and self-employed tradespeople will have to comply with GDPR.

• Do you store contractor details in an app on your phone? Do you use a spreadsheet to log customers’ details?

• Businesses can no longer presume that individuals give consent for a business to collect and use their personal data. So, tradespeople will have to consider how they collect data. For example, a website with a pre-ticked cookie policy will not be allowed.

• If individuals wish to receive marketing information from you or confirm your business can use their personal data, they must complete a form or tick a box to opt in.

• If you are a large construction company with over 250 people, GDPR states that you will need to employ or outsource a Data Protection Officer (DPO) to oversee the use of data in the business.

• Even if you are a self-employed tradesperson and use a third-party company to conduct data processing, you could still be subject to significant penalties if the company you use fails to comply with GDPR.

• Additionally, if you store data on a cloud service provider (also known as ‘the cloud’), GDPR still applies.

• If a breach occurs and the data for your customers could be at risk, you must report the security failure to the individual within 72 hours of first becoming aware of it.

2. How do tradespeople need to prepare for the GDPR?

TWI GDPR has put together some simple-to-follow steps to help make your business GDPR compliant:

1. Consider what personal data you currently collect from customers and clients. Do you need to be collecting the data? Are you handling it in a compliant, organised way?

2. Locate where the information you hold is stored. If you save details manually on a spreadsheet or store them via a digital database, is the data secure?

3. Conduct a data cleanse and delete old or unused data. GDPR will not allow businesses to hold on to old data that is not being used or data that is being misused.

4. Assess how you collect the personal data. Are you obtaining it in a compliant way? Tradespeople should review their websites’ privacy statements and any other form of communication with clients thoroughly.

5. Provide your data subjects with a fair processing notice to inform them how you are using the data. GDPR means individuals will have the right to know exactly how the data is used. Make sure you are transparent with your customers, clients, and contractors.

6. Put security measures in place to prevent data breaches.

A lack of recourse is the main implication for most small businesses.

3. What happens if tradespeople do not comply with the GDPR?

Businesses that do not take GDPR seriously will be subject to significant penalties.

TWI GDPR have tried to simplify the main points of GDPR to create this article.

