Skip to content
Misconceptions calendar_today Updated: 6 April 2026 schedule 4 min read

Misconception: I Don't Have Any GDPR Data

Every business processes personal data. Customer names, email addresses, personnel files, supplier contacts - they are all personal data that fall under the GDPR. This article shows why you also have GDPR data.

summarize Key Takeaways
  • check_circle Every business processes personal data, even a sole trader without employees
  • check_circle Customer names, email addresses, phone numbers, and invoice data are all personal data
  • check_circle Data about suppliers, business contacts, and applicants also falls under the GDPR
  • check_circle The definition of personal data is very broad: anything that can identify a person

The misconception

“I don’t have any personal data. I’m a plumber/consultant/builder - I don’t collect data like Facebook does.”

This misconception comes from the association between “data” and big tech. When people hear “personal data”, they think of databases with millions of records, user profiles, and behavioural tracking. That feels very far from a small business with a handful of clients.

But the definition of personal data is much broader than most people realise.

What is personal data?

Personal data is any information that can directly or indirectly identify a natural person. That includes:

The obvious

  • Full name
  • Home address
  • Phone number
  • Email address
  • Date of birth
  • National ID number or social security number

The less obvious

  • IP address
  • Location data
  • Customer number (if it can be linked to a name)
  • Photos of identifiable people
  • Voice recordings
  • Vehicle registration plates
  • CCTV footage

Where you have personal data (and probably don’t realise it)

Your phone

  • Contacts with names, numbers, and email addresses
  • WhatsApp conversations with customers
  • Photos from job sites with identifiable people
  • Call history

Your computer

  • Email inbox with customer correspondence
  • Spreadsheets with customer or supplier lists
  • Invoices with names, addresses, and bank details
  • Quotes with contact information

Your accounting

  • Invoices with customer names and addresses
  • Bank statements showing payment details
  • VAT returns with client information
  • Salary records for employees

Your website

  • Contact form submissions
  • Newsletter sign-ups
  • Analytics data (IP addresses, browsing behaviour)
  • Customer reviews with real names

Your physical workspace

  • Business cards in a drawer
  • Notes with customer details
  • Personnel files in a cabinet
  • Signed contracts

The bottom line

If you run a business, you process personal data. There are virtually no exceptions. A plumber who saves customer addresses for quotes processes personal data. A consultant who keeps a contact list processes personal data. A builder who photographs completed work with identifiable neighbours in the frame processes personal data.

The GDPR doesn’t care about the volume. Whether you have 10 records or 10 million, the same rules apply.

What to do about it

Don’t panic. Having personal data is normal and necessary for running a business. The GDPR doesn’t prohibit processing personal data - it just requires you to do it responsibly:

  1. Know what you have - make an inventory of the personal data you process
  2. Have a reason - ensure you have a valid legal basis for each processing activity
  3. Be transparent - tell people what you do with their data
  4. Keep it safe - take reasonable security measures
  5. Don’t keep it forever - delete data you no longer need
auto_awesome Find out what data you process

GDPRWise scans your website and helps you map all personal data processing in your business. The first step to compliance.

GW
GDPRWise Editorial

This article was written by the GDPRWise team and reviewed by our privacy experts. We regularly review our content for accuracy and legal correctness.