What counts as personal data under UK GDPR? It is more than you think.

10 April 20267 min read

If your business collects customer emails, you probably know that is personal data. But what about the IP addresses your website logs automatically? The CCTV camera above your shop door? The spreadsheet of employee phone numbers on your office laptop? Under UK GDPR, all of it counts. And every piece of it comes with legal obligations.

Most small businesses are processing far more personal data than they realise. That gap between what you think you hold and what the law says you hold is where compliance problems start.

The legal definition is deliberately broad

Article 4(1) of the UK GDPR defines personal data as "any information relating to an identified or identifiable natural person." An identifiable person is someone who can be recognised, directly or indirectly, by reference to a name, an identification number, location data, an online identifier, or factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.

The key word is "indirectly." You do not need to know someone's name for the data to be personal. If you can single them out, or if someone else could combine your data with other information to identify them, it counts. The ICO's guidance is clear: if there is a reasonable chance that anyone could use the data to identify a person, it is personal data.

What this looks like in a real business

Here are examples that catch small business owners off guard. Every one of these is personal data under UK GDPR:

Customer order details. Names, delivery addresses, email addresses, phone numbers. If you run a Shopify store, WooCommerce site, or take orders over the phone, you are processing personal data with every sale.
Employee and contractor records. Names, addresses, bank details, National Insurance numbers, emergency contacts, performance reviews, even sick notes. HR spreadsheets are some of the most sensitive personal data a small business holds.
IP addresses. Your web server logs them automatically. Google Analytics collects them. Under UK GDPR, an IP address is an online identifier that can be linked to an individual, which makes it personal data.
Cookie identifiers. Recital 30 of the UK GDPR specifically calls out cookie identifiers, device fingerprints, and similar tracking technologies. If your website sets cookies that can distinguish one visitor from another, you are processing personal data.
CCTV footage. If your cameras capture identifiable individuals (and they almost always do), that footage is personal data. The ICO requires a lawful basis, signage, retention limits, and a process for handling access requests from anyone recorded.
Job applications and CVs. Every CV you receive contains personal data. If you keep a folder of past applications "just in case," you are storing personal data and need a retention policy for it.
Contact forms and enquiries. Someone fills in your website contact form with their name and email. That is personal data from the moment it hits your inbox.
Social media handles. The ICO has confirmed that a social media username is personal data if it uniquely identifies an individual, even if you do not know their real name.
Email addresses (including work ones). "jane.smith@company.com" identifies a specific person. It is personal data regardless of whether it is a personal or business email.

The surprise one: Pseudonymised data (where you replace names with codes or reference numbers) is still personal data under UK GDPR. Recital 26 is explicit about this: if the data can be re-identified using additional information, it remains personal data. Only truly anonymous data, where re-identification is not reasonably possible, falls outside the scope.

Why this matters for your business

Every piece of personal data you hold comes with obligations. You need a lawful basis for processing it (Article 6). You need to tell people what you are doing with it (Articles 13 and 14). You need to keep it secure (Article 32). You need to delete it when you no longer need it (Article 5). And you need a written record of all of this (Article 30).

If you do not know what personal data you hold, you cannot meet any of these requirements. That is why the ICO's first recommendation to any business is to create a Record of Processing Activities (ROPA). It is the foundation that everything else sits on.

The ICO does not focus its enforcement exclusively on large organisations. Their guidance for small businesses states clearly that the rules apply to every data controller regardless of size. The most common violations they investigate in small businesses are exactly the basics: no valid lawful basis, missing privacy notices, and inadequate vendor agreements. These are fixable problems. But you have to know what data you hold before you can fix them.

The common misconception: "We only have a small amount of data"

Volume does not matter. A sole trader with 50 customer email addresses has the same legal obligations as a company with 50,000. The UK GDPR does not have a small business exemption. If you process personal data, the rules apply.

What often happens is a business owner thinks of "personal data" as a customer database. They forget about the employee details in their payroll provider, the analytics data from their website, the CCTV system in their office, and the contact form submissions sitting in a shared Gmail inbox. Each of those is a separate processing activity that should appear in their ROPA.

A marketing agency with three employees might have 15 to 20 distinct processing activities once you count website analytics, email marketing lists, client contact details, employee records, freelancer contracts, project management tools with client data, cloud storage, and their own website's contact form. Each one involves personal data. Each one needs a documented lawful basis, retention period, and vendor assessment.

What to do about it

Start with an audit of what personal data your business actually holds. Go through every tool, every spreadsheet, every inbox, every physical filing cabinet. For each one, ask:

What personal data does this contain?
Why am I collecting it? (What is my lawful basis?)
Who has access to it?
Does any third-party tool or service process it on my behalf?
How long do I keep it?
Is there a data processing agreement in place with every vendor that touches it?

Write the answers down. That is the beginning of your ROPA. Once you have it, you can identify the gaps: missing DPAs, unclear retention periods, processing activities without a documented lawful basis.

Not sure what personal data your business holds? Rowpa scans your business profile and builds your complete Record of Processing Activities automatically. It identifies every processing activity, maps your vendors, and flags the gaps. Takes about 15 minutes.

Check your compliance free

Sources

This post is for information only and does not constitute legal advice. If you need legal advice about your data protection obligations, consult a qualified solicitor.