Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- Overview
Practical Steps And Common Mistakes
- 1. Audit your data in plain English
- 2. Match each use of data to a lawful basis
- 3. Use a privacy notice that reflects reality
- 4. Put the right terms in supplier contracts
- 5. Keep less data, for less time
- 6. Improve internal security and access
- 7. Prepare for rights requests and complaints
- 8. Have a breach response plan
- 9. Watch for marketing and tracking issues
- Key Takeaways
Most UK businesses hold personally identifiable data long before they think of themselves as “handling data”. A customer email list, staff records, website enquiry form, delivery address database, CCTV footage, or CRM notes can all count. The problem is that founders often make the same early mistakes: collecting more information than they need, copying privacy wording from another business without matching their actual processes, and sharing customer or employee details with software providers without checking what terms are in place.
If you get this wrong, the risk is not just regulator attention. You can also face customer complaints, messy internal processes, supplier disputes, and avoidable reputational damage. This guide explains what personally identifiable data means in a UK business context, when the issue usually comes up, what practical steps matter most, and where businesses commonly get caught before they sign contracts, launch online, or spend money on setup.
Overview
Personally identifiable data is information that identifies a person directly or can identify them when combined with other information. In the UK, businesses that collect, store, use, or share this kind of data usually need to comply with privacy and data protection rules, including the UK GDPR and the Data Protection Act 2018.
- Work out what personal data your business actually collects and why.
- Use a privacy notice that matches your real practices, not a generic template.
- Check your lawful basis for collecting and using each category of data.
- Review contracts with software providers, payroll services, marketing tools, and other data processors.
- Keep only the data you need, for as long as you need it.
- Put basic security, access controls, and breach response steps in place.
- Make sure staff know what to do with customer, employee, and supplier information.
What Personally Identifiable Data Means For UK Businesses
Personally identifiable data usually means information that points to a living individual, either on its own or when combined with other details your business holds.
UK law generally uses the term “personal data” rather than “personally identifiable data”, but in practice businesses are often talking about the same idea. If your business can identify someone from the information you hold, or could do so reasonably easily, you are likely dealing with personal data.
What counts as personally identifiable data?
Obvious examples include a person’s name, home address, email address, phone number, and date of birth. But the definition is wider than that.
Business owners often miss less obvious examples, such as:
- customer account numbers linked to named records
- IP addresses and device identifiers
- CCTV footage where individuals can be recognised
- job applicant CVs and interview notes
- employee payroll records and emergency contact details
- support tickets and CRM notes about a client contact
- delivery instructions that identify a household or individual
- location data tied to a user profile
Some information is more sensitive and carries extra risk. This includes data about health, ethnicity, religious beliefs, sexual orientation, trade union membership, genetics, or biometric identification. Criminal offence data also has special rules. If your business processes these categories, you should be especially careful before you collect it and before you share it with anyone else.
Why the distinction matters
The main legal issue is not the label. The main issue is whether your business is using information in a way that brings data protection duties into play.
Once you collect personal data, the law expects you to be clear about:
- why you are collecting it
- what legal basis you are relying on
- who you share it with
- how long you keep it
- how you keep it secure
- what rights the individual has
This affects day-to-day operations more than many founders expect. It touches your website, app flows, employment contracts and paperwork, supplier contracts, customer terms, marketing, HR processes, IT systems, and internal training.
Controllers and processors
Most SMEs need to understand one basic distinction early: are you deciding what happens to the data, or are you handling it on someone else’s instructions?
If your business decides why and how personal data is used, you are usually a controller. If you process data for another business under their instructions, you are usually a processor. Some businesses are both, depending on the activity.
This matters because your responsibilities, your contract wording, and your risk profile can change depending on your role. A software startup, marketing agency, payroll provider, online retailer, and employer may each wear different hats across different data sets.
When This Issue Comes Up
Personally identifiable data becomes a legal issue as soon as your business starts collecting information about real people in the course of trading, hiring, marketing, or operating systems.
Many founders assume privacy compliance is something to tidy up later. In reality, it often appears at the earliest stages of setting up and trading in the UK.
When you launch a website or sell online
If your website has a contact form, newsletter sign-up, checkout page, account login, analytics tools, cookies, or live chat, you are already collecting personal data. This is one of the first points where businesses need to get privacy wording, a privacy policy, internal processes, and third-party supplier arrangements aligned.
Selling online adds further issues, including:
- payment provider integrations
- delivery and fulfilment partners
- returns processing
- customer service systems
- marketing consent and unsubscribe handling
When you hire staff or contractors
Recruitment and HR involve large amounts of personally identifiable data. CVs, references, right to work records, payroll data, absence records, disciplinary files, and performance notes all need careful handling.
This is where small businesses often over-collect information or keep records indefinitely because no one has decided on a data retention approach. Another common problem is storing staff records in shared folders with broad internal access.
When you use software providers and outsourced services
Most modern businesses rely on cloud tools. CRMs, accounting platforms, marketing systems, booking software, payroll services, support desks, and document storage providers may all process personal data on your behalf.
Before you sign a contract, check what data is involved, whether the provider is acting as a processor, what security commitments they give, and whether the agreement covers required data protection terms. Businesses often spend money on setup first and only later discover the provider’s terms do not fit their compliance needs.
When you collect special category or high-risk data
The compliance burden goes up when the data is more sensitive or the processing is more intrusive. Examples include health businesses collecting patient details, employers handling medical evidence, or technology businesses using facial recognition or location tracking.
Even if your business is not in a heavily regulated industry, one product feature can create a higher-risk privacy issue. This is where founders often get caught, especially when product teams focus on functionality before someone checks whether the data collection is actually necessary.
When you buy or sell a business, list, or database
Data issues also arise in transactions. If you are buying customer lists, acquiring a business, migrating to a new system, or restructuring group entities, you need to check whether the original collection and intended transfer are lawful.
Businesses sometimes assume a database is an asset like any other. It is not that simple. The rights and expectations attached to personal data can limit how it can be reused or transferred.
Practical Steps And Common Mistakes
The best starting point is to map what personal data you hold, why you hold it, and who can access it. Most privacy problems in small businesses come from unclear internal practices rather than one dramatic failure.
1. Audit your data in plain English
You do not need a complicated spreadsheet to begin. You do need a realistic picture of what your business is doing.
At a minimum, identify:
- what categories of people you collect data about, such as customers, prospects, staff, applicants, suppliers, or users
- what data you collect about each group
- where the data comes from
- why you use it
- which systems hold it
- who receives it internally and externally
- how long you keep it
This exercise often reveals duplicate systems, legacy mailing lists, unnecessary fields in onboarding forms, and inconsistent team practices.
2. Match each use of data to a lawful basis
You need a valid legal basis for using personal data. Consent is only one option, and many businesses rely on it too broadly or too casually.
Depending on the context, a business may rely on contract, legal obligation, legitimate interests, consent, or another recognised basis. The right basis depends on what you are doing. For example, you may need customer address details to deliver an order, employee payroll data to meet legal obligations, and marketing consent for certain promotional communications.
The common mistake is choosing a basis because it sounds easiest, rather than because it fits the activity. If you rely on consent where it is not practical to manage withdrawals, or where the relationship makes consent questionable, problems follow.
3. Use a privacy notice that reflects reality
Your privacy notice should explain clearly what personal data you collect, why, how long you keep it, who you share it with, and what rights people have. It needs to reflect your actual business model.
Businesses often copy a competitor’s notice or use a generic version that mentions processing they do not carry out and misses processing they do. That creates risk because your transparency statement may be inaccurate from day one.
If your business deals with multiple groups, such as customers, job applicants, and employees, separate notices or layered wording may make more sense than one crowded page.
4. Put the right terms in supplier contracts
If another business processes personal data for you, your contract may need specific data protection wording. This often applies to payroll providers, CRM platforms, marketing agencies, outsourced support teams, and IT service providers.
Before you sign, check the agreement covers matters such as:
- the subject matter and duration of processing
- the type of personal data involved
- the categories of individuals affected
- the processor’s obligations to act only on instructions
- confidentiality commitments
- security measures
- sub-processor use
- assistance with data subject rights and breaches
- deletion or return of data at the end of the arrangement
This is not just a paperwork point. If your supplier suffers a breach or mishandles customer data, your business can still face serious fallout.
5. Keep less data, for less time
One of the easiest risk reductions is collecting less information in the first place. Ask whether each field in your form, onboarding flow, or HR process is genuinely needed.
Retention matters too. If your business keeps old CVs, inactive account records, former employee files, or outdated lead lists forever, you are increasing exposure without a business reason. A sensible data retention policy should reflect your legal obligations and operational needs, not habit.
6. Improve internal security and access
Data protection is not just about legal wording. It also depends on whether your business has basic technical and organisational controls.
For many SMEs, practical improvements include:
- using strong passwords and multi-factor authentication
- restricting access based on job roles
- avoiding shared logins
- encrypting devices where appropriate
- keeping software updated
- training staff not to send sensitive data carelessly
- setting clear rules for remote work and personal devices
A common mistake is assuming a small business is too small to be targeted. In practice, weak internal habits create the biggest risk, especially around email, spreadsheets, and cloud storage.
7. Prepare for rights requests and complaints
Individuals may ask for access to their data, request corrections, object to certain uses, or ask for deletion in some circumstances. If no one in the business knows how to recognise and handle these requests, deadlines can be missed.
Set a simple internal process so staff know who should receive requests, what checks are needed, and how the business will respond. This matters just as much for employee records as for customer data.
8. Have a breach response plan
Even careful businesses can suffer incidents, such as an email sent to the wrong recipient, a lost laptop, a hacked account, or an exposed database. The key is responding quickly and consistently.
Your plan should cover:
- how staff report incidents internally
- who assesses the seriousness of the issue
- what immediate containment steps are needed
- whether affected individuals need to be told
- whether the Information Commissioner’s Office may need to be notified
- what records the business keeps about the incident
Businesses often make the situation worse by delaying escalation because they hope the issue will disappear.
9. Watch for marketing and tracking issues
Email marketing, SMS campaigns, cookies, ad tracking, and profiling can create separate compliance issues. A contact list collected for one purpose cannot always be reused freely for another.
This is especially relevant for startups using growth tools and automated marketing journeys. The legal question is not just whether the software can do it. The question is whether your business told people about it, has a lawful basis, and can honour opt-outs properly.
FAQs
Is personally identifiable data the same as personal data?
Usually, yes in practical business discussions. UK law more commonly uses the term “personal data”, which covers information that identifies a living person directly or indirectly.
Does business contact information count as personal data?
Often, yes. A named employee’s work email address, direct phone number, or job-related contact details can still be personal data if they identify an individual.
Do small businesses need a privacy notice?
In most cases, yes. If your business collects personal data through a website, customer onboarding, recruitment, or operations, you will usually need clear privacy information for the people concerned.
Can we keep customer data indefinitely in case it becomes useful later?
No, not as a general rule. Personal data should not be kept for longer than necessary for the purpose it was collected, subject to any legal or legitimate retention needs.
Do we always need consent to collect personally identifiable data?
No. Consent is only one possible lawful basis. Many business activities rely on other bases, such as performing a contract, complying with legal obligations, or legitimate interests, depending on the circumstances.
Key Takeaways
- Personally identifiable data usually falls within the UK concept of personal data, and the rules can apply to customer, employee, applicant, supplier, and user information.
- Your business should identify what data it collects, why it collects it, where it is stored, who receives it, and how long it is kept.
- A privacy notice should reflect your actual practices, not copied wording from another business.
- Supplier contracts matter where third parties process personal data on your behalf, especially for software, payroll, marketing, and outsourced services.
- Collecting less data, limiting retention, and improving access controls are some of the most effective ways to reduce risk.
- Staff need simple internal processes for handling data requests, complaints, and breach reporting.
- Sensitive data, tracking tools, and business transactions can create extra privacy issues that should be checked before you sign a contract or launch a new process.
If your business is dealing with personally identifiable data and wants help with privacy notices, data processing agreements, supplier contracts, or breach response planning, you can reach us on 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.





