"GDPR is a big-company thing" is a comforting myth that's cost more than one sole trader a fine. If you hold any personal data about clients, customers or suppliers — names, emails, addresses, payment details — data protection law applies to you too. The good news: for a typical sole trader, compliance is a short, one-time setup plus some sensible habits.

The ICO fee most sole traders owe

If you process personal data on computers (which, in 2026, is essentially everyone), you probably need to pay the data protection fee to the Information Commissioner's Office (ICO) and register — for most small businesses this is a modest annual fee (in the region of £40–£60; check the current amount). Plenty of sole traders don't realise they owe it. It's cheap, quick, and the ICO can fine you for not paying — so it's the first box to tick.

The principles, in plain English

  • Have a reason. You need a lawful basis for holding data — usually "to fulfil a contract" (serving your client) or consent (marketing emails).
  • Tell people. A simple privacy notice explaining what data you collect and why — a short page on your website or sent to clients.
  • Collect only what you need, and don't keep it forever.
  • Keep it secure (see below).
  • Respect rights. People can ask what data you hold and ask you to delete it — you must respond.

Marketing emails have extra rules

Sending marketing emails? On top of GDPR, PECR rules generally mean you need consent to email marketing to individuals — no buying lists, no emailing people who didn't opt in. Use a proper email platform that handles opt-ins and unsubscribes (and keeps you compliant) rather than BCC-ing from your inbox.

Security: the same habits that stop fraud

Data protection and fraud prevention share a toolkit:

  • Two-factor authentication on email, banking and anywhere holding client data.
  • Strong, unique passwords — a password manager beats reusing "the usual one".
  • Encrypted devices and regular backups — a lost laptop shouldn't mean lost client data.
  • Care with what you share — don't email sensitive data unprotected; keep client information on a tidy business account, not scattered across personal apps.
If the worst happens A serious data breach — a lost device, a hack exposing personal data — may need to be reported to the ICO within 72 hours. Knowing that in advance turns a panic into a process. Keeping your data tidy and secured (a dedicated business setup helps) makes breaches far less likely in the first place.

The takeaway

For a sole trader, GDPR compliance is mostly: pay the ICO fee, write a short privacy notice, get consent for marketing, and lock things down with 2FA and backups. An afternoon, then good habits. We'll point you to the ICO registration and make sure your setup keeps client data (and you) safe. Get started.