Yes, GDPR Applies to You
There's a common misconception that GDPR (or rather, the UK GDPR and Data Protection Act 2018) only applies to big companies. It doesn't. If you're a sole trader who handles any personal data - client names, email addresses, phone numbers, payment details - you have legal obligations.
The good news: compliance for sole traders is straightforward. You don't need a Data Protection Officer or a 50-page privacy policy. Here's what you actually need to do.
Step 1: Register with the ICO (£40/year)
Most sole traders who process personal data need to pay the Information Commissioner's Office (ICO) data protection fee. For sole traders and micro organisations, this is £40 per year.
You don't need to register if you only process personal data for:
- Core business administration (payroll, accounts) with no marketing
- Personal, family, or household purposes
- Maintaining a public register
In practice, if you have a mailing list, send marketing emails, or keep a client database, you need to register. The ICO can fine you for not paying the fee.
Step 2: Know Your Lawful Basis
Every time you process personal data, you need a lawful basis under Article 6 of UK GDPR. The three most relevant for sole traders are:
Consent
The individual has given clear consent for you to process their data for a specific purpose. Used for marketing emails, newsletters, and optional data collection.
Contract
Processing is necessary for a contract you have with the individual, or because they've asked you to take specific steps before entering a contract. Used for client work - you need their details to deliver the service.
Legitimate Interest
Processing is necessary for your legitimate interests (or a third party's), unless overridden by the individual's rights. Used for reasonable business activities like following up on enquiries.
Practical tip: For most sole traders, "contract" covers client data processing, and "consent" covers marketing. You rarely need to rely on legitimate interest.
Step 3: Write a Privacy Notice
You must tell people what you do with their data. A privacy notice should explain:
- Who you are (your business name and contact details)
- What data you collect (names, emails, financial details, etc.)
- Why you collect it (your lawful basis for each purpose)
- Who you share it with (accountant, payment processor, HMRC)
- How long you keep it (retention periods)
- Their rights (access, correction, deletion, complaint to ICO)
This doesn't need to be a legal document. A clear, honest page on your website is fine. If you don't have a website, include it in your terms of engagement.
Step 4: Secure the Data You Hold
UK GDPR requires "appropriate technical and organisational measures" to protect personal data. For a sole trader, this means:
Technical Measures
- Strong, unique passwords on all accounts (use a password manager)
- Multi-factor authentication on email, cloud storage, and accounting software
- Encrypted devices - enable FileVault (Mac) or BitLocker (Windows) on your laptop
- Up-to-date software - install security patches promptly
- Secure cloud storage rather than unencrypted USB drives or local folders
Organisational Measures
- Don't collect data you don't need - the principle of data minimisation
- Limit access - only you should have access to client data
- Secure disposal - shred paper documents, securely delete digital files
- Vet your tools - ensure your software providers (including your accounting platform) are GDPR-compliant
For more on protecting your digital security, see our guide to cybersecurity for sole traders.
Step 5: Handle Data Subject Requests
Individuals have the right to:
- Access - request a copy of all data you hold about them
- Rectification - ask you to correct inaccurate data
- Erasure - ask you to delete their data (the "right to be forgotten")
- Portability - request their data in a portable format
- Object - object to processing based on legitimate interest
You must respond within one calendar month. For most sole traders, these requests are rare and simple to handle - you probably only hold a name, email, and some invoices.
Tax records exception: You cannot delete data that you're legally required to keep for tax purposes. HMRC requires you to keep business records for at least 5 years after the 31 January submission deadline. Tell the individual this if they request erasure.
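The two rules above (answer within one calendar month; keep tax-relevant records for five years after the 31 January deadline) are the parts of an erasure request that are easy to get wrong by hand. The following is an added example, not code from the page or from TaxMTD: a small Python helper that works out the response deadline for a request and splits a client's records into those you can delete and those you must retain (with the date they become deletable). It assumes "one calendar month" means the same day of the next month, or the last day of that month when no such day exists, and it does not model weekend or bank-holiday adjustments; the record layout and sample data are constructed for the example.

```python
"""Hypothetical helper (added example, not from the page or TaxMTD) for
handling an erasure request: compute the one-calendar-month response
deadline and separate records that must be kept for HMRC from those
that can be deleted."""
from dataclasses import dataclass
from datetime import date
import calendar


def add_calendar_month(received: date) -> date:
    """Deadline one calendar month after the request was received.

    Assumption: "one calendar month" means the same day of the next month,
    or the last day of the next month when no such day exists (a request
    received on 31 January is due on 28/29 February). Weekend and
    bank-holiday adjustments are deliberately not modelled here.
    """
    year = received.year + (1 if received.month == 12 else 0)
    month = 1 if received.month == 12 else received.month + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(received.day, last_day))


def tax_year_end_year(d: date) -> int:
    """Calendar year in which the UK tax year containing d ends.

    The UK tax year runs 6 April to 5 April, so a date on or after 6 April
    belongs to the tax year that ends in the following calendar year.
    """
    return d.year if d < date(d.year, 4, 6) else d.year + 1


def retention_end(record_date: date) -> date:
    """Earliest date a tax-relevant record may be deleted.

    The self-assessment deadline for a tax year is 31 January after that
    tax year ends; the records must then be kept for at least five years
    after that deadline.
    """
    submission_deadline = date(tax_year_end_year(record_date) + 1, 1, 31)
    return date(submission_deadline.year + 5, 1, 31)


@dataclass(frozen=True)
class Record:
    kind: str           # e.g. "invoice", "newsletter_signup"
    created: date
    tax_relevant: bool  # part of the business records HMRC can ask for


def plan_erasure(records, received: date, today: date):
    """Return (deadline, deletable, retained) for an erasure request.

    retained is a list of (record, keep_until) pairs for records still
    inside the HMRC retention period; tell the individual about these
    when you answer the request.
    """
    deadline = add_calendar_month(received)
    deletable, retained = [], []
    for r in records:
        keep_until = retention_end(r.created) if r.tax_relevant else None
        if keep_until is not None and today <= keep_until:
            retained.append((r, keep_until))
        else:
            deletable.append(r)
    return deadline, deletable, retained


# Constructed sample data for one client (not real records).
SAMPLE_RECORDS = [
    Record("newsletter_signup", date(2022, 5, 1), tax_relevant=False),
    Record("invoice", date(2018, 6, 1), tax_relevant=True),    # 2018/19 tax year
    Record("invoice", date(2023, 10, 15), tax_relevant=True),  # 2023/24 tax year
]

if __name__ == "__main__":
    deadline, deletable, retained = plan_erasure(
        SAMPLE_RECORDS, received=date(2025, 1, 31), today=date(2025, 2, 1)
    )
    print("respond by:", deadline)
    for r in deletable:
        print("delete:", r.kind, r.created)
    for r, keep_until in retained:
        print("retain:", r.kind, r.created, "until", keep_until)
```

Run as-is, the sample request received on 31 January 2025 is due by 28 February 2025; the newsletter sign-up and the 2018/19 invoice (retention ended 31 January 2025) are deletable, while the 2023/24 invoice must be kept until 31 January 2030.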
Step 6: Report Breaches (If They Happen)
If personal data is accidentally or unlawfully accessed, lost, or disclosed, you must:
- Assess the risk - is there a risk to the individuals' rights and freedoms?
- Report to the ICO within 72 hours (if there's a risk)
- Notify affected individuals without undue delay (if there's a high risk)
A breach could be as simple as sending an email to the wrong person, losing an unencrypted laptop, or having your email account hacked.
The best protection? Use secure, cloud-based tools with MFA enabled, and you dramatically reduce the risk of a reportable breach.
What About the Data (Use and Access) Act 2025?
The Data (Use and Access) Act came into law on 19 June 2025, updating parts of the UK's data protection framework. Key changes include:
- Updated rules on international data transfers (ICO guidance published January 2026)
- A new framework for smart data schemes
- Changes to how the ICO operates
For most sole traders, the practical impact is minimal - the core GDPR principles haven't changed. But it's worth noting that the ICO's guidance is currently being updated, so check ico.org.uk for the latest.
The ICO Self-Assessment Checklist
The ICO provides a free self-assessment checklist for sole traders that walks you through your obligations in plain English. If you do nothing else, complete this checklist.
How TaxMTD Protects Your Client Data
When you use TaxMTD, your financial data is:
- Stored on encrypted, UK-hosted servers
- Protected by mandatory MFA on all accounts
- Connected via read-only Open Banking (bank feeds can never move money)
- Accessible via token-based API authentication
- Automatically backed up with disaster recovery
Using GDPR-compliant tools for your accounting is one of the easiest steps towards compliance.
Practical Checklist Summary
- Register with the ICO and pay the £40 annual fee
- Identify your lawful basis for processing (contract + consent for most)
- Publish a privacy notice on your website or in your terms
- Enable MFA and encryption on all devices and accounts
- Don't collect data you don't need
- Know how to handle subject access requests (1 month deadline)
- Have a plan for reporting breaches (72 hours to ICO)
- Keep tax records for 5+ years (you can't delete these)
Further reading: Cybersecurity for Sole Traders · Invoicing Tips for Freelancers · Get Started with TaxMTD