Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- Why Is Recording Customer Data Such a Big Deal?
- What Counts As Customer Personal Data?
- What Does GDPR Mean for My Business?
- What Are The Lawful Bases for Recording Customer Data?
- Do I Need Consent For Video Or Audio Recordings?
- How Should I Store Customer Data Securely?
- How Long Can I Keep Customer Data?
- What Rights Do Customers Have Over Their Data?
- What Should My Privacy Policy Cover?
- What About Data Protection Policies And Staff Training?
- Practical Steps To Recording Customer Data Lawfully
- What Happens If I Get It Wrong?
- Key Takeaways: Recording Customer Data Lawfully in the UK
Ever wondered, "How can I record customer data and stay on the right side of the law?" You're not alone. Whether you’re jotting down a client’s email for your newsletter, using CCTV in your shop, or thinking about recording conversations for quality assurance, it’s essential to follow UK data protection laws. Not only can mishandling customer data harm your reputation, but it can also bring serious legal trouble (we’re talking fines up to £17.5 million!).
So, what does compliance really mean, and how does the General Data Protection Regulation (GDPR) fit in? Below, we’ll break down what counts as customer data, which rules you must follow, and how to build strong, practical data protection habits from the start. If you’re handling any kind of identifiable information in your business, this guide is for you.
Why Is Recording Customer Data Such a Big Deal?
Recording and storing customer information is a routine business activity. You might log enquiries through a contact form, maintain a customer CRM, register loyalty card holders, or even record phone calls. But the moment you collect any information that can identify someone, such as their name, address, email, phone number, or even CCTV footage, you’re handling “personal data” under UK law.
The rules for handling personal data are strict. The UK GDPR (the General Data Protection Regulation as retained in UK law after Brexit), together with the Data Protection Act 2018, sets out clear standards on how you can collect, use, store, and share this information.
Why so strict? It comes down to trust and safety. Customers want to know that their information is in safe hands, and the law wants proof that businesses are treating this data fairly and securely.
What Counts As Customer Personal Data?
Think you’re only collecting “harmless” info? The GDPR’s definition of personal data is broad, covering any detail that can identify a living person. This includes:
- Names, emails, phone numbers, and addresses
- Online identifiers (like IP addresses or cookies)
- Membership or loyalty card details
- Order histories and payment information
- CCTV or video recordings that show someone’s face or behaviour
- Audio call recordings
- Even “indirect” identifiers, like unique reference numbers tied to a person
If you’re unsure what you collect, start by mapping out every way you record or capture customer details; data collection often happens in ways you don’t expect (web analytics, support tickets, call recordings, backups).
What Does GDPR Mean for My Business?
Under the GDPR, you must follow strict rules if you collect or process any customer’s personal data-whether you run a solo operation or a growing team. The main requirements are:
- Lawful basis: Only collect and use personal data if you have a valid legal reason (also known as a “lawful basis”; more on this in a moment).
- Transparency: Tell people what data you’re collecting, why you need it, and how long you’ll keep it, through a clear Privacy Policy.
- Minimisation: Only ask for the minimum information needed to fulfil your purpose. Don’t collect “just in case”.
- Security: Take steps to protect data from loss, unauthorised access, or misuse.
- Retention: Don’t keep data longer than necessary.
- Customer rights: Allow people to access, correct, or delete their data and to complain if they think you’ve misused it.
Failing your obligations can mean complaints to the ICO (the UK’s data regulator), damage to your reputation, or, in the worst cases, massive fines.
What Are The Lawful Bases for Recording Customer Data?
You can’t collect customer details “just because”; you need a lawful basis under the GDPR. The main options for small businesses are:
- Consent: Customers have given clear permission for you to process their data (especially relevant for marketing emails or recording calls).
- Contract: You need the data to fulfil a contract (for example, to ship an online order).
- Legal obligation: It’s needed to comply with the law (like keeping financial records for HMRC).
- Legitimate interests: You have a genuine business reason, the processing is necessary for it, and it isn’t outweighed by the customer’s rights and interests (for example, limited analytics or some customer support scenarios). Document this three-part assessment before you rely on it.
Always identify and record your lawful basis before collecting any data. For consent, be sure it’s freely given, specific, informed and unambiguous, given by a clear affirmative action (no pre-ticked boxes), and as easy to withdraw as it was to give. If someone asks, you should be able to explain why you need their data in plain English.
Do I Need Consent For Video Or Audio Recordings?
One of the trickiest areas for businesses is recording conversations (telephone or in-person) or video, such as through CCTV.
If you’re asking, “Can I record video or audio in my business without consent in the UK?”, the answer is rarely straightforward. Here’s what you need to know:
- GDPR and video/audio: If your recordings identify or could identify a person-even indirectly-they’re personal data and subject to GDPR.
- Consent isn’t always required: For purposes like security (CCTV in a shop), you might rely on “legitimate interests”. But in most cases, you must tell people the recording is happening (for example, with clearly displayed signs).
- Recording staff or calls: Always let people know if your calls or meetings are being recorded, for example with a pre-recorded message, or a visible recording symbol in video meetings.
- Covert recording (i.e., done secretly) is almost always problematic under the GDPR, unless there’s a very compelling reason (e.g., for crime prevention in rare cases). Avoid it unless you have specific legal advice.
For more on this, see our guide to CCTV and workplace recording, and check the rules on video recording without consent in the UK before you start recording.
How Should I Store Customer Data Securely?
Good data stewardship is about more than just having strong passwords (though that helps!). Under the GDPR, you’re required to have technical and organisational measures in place to guard against loss, unauthorised access, or data breaches. Here are the basics:
- Store electronic data on encrypted, password-protected systems, with multi-factor authentication on any account that can reach it
- Lock away or shred physical paperwork (no, the filing cabinet isn’t obsolete yet!)
- Regularly review who in your team has access to what data
- Put robust policies in place for responding to data breaches
- Don’t share customer info through unprotected channels (like unencrypted email)
If you use cloud services (which many small businesses do), make sure your supplier complies with UK data protection laws: you need a written contract with any processor setting out what they may do with the data, and you should know in which country the data is stored, since transfers outside the UK have their own rules.
How Long Can I Keep Customer Data?
A key GDPR principle is that you should only keep personal data as long as you actually need it for your original purpose. This might mean:
- Deleting marketing data when someone unsubscribes
- Removing customer profiles after a certain period of inactivity
- Shredding application forms after a recruitment round has ended
Set out your rules for retention and deletion in your Privacy Policy, and stick to them. If you don’t have a clear retention schedule, now’s the time to create one.
Once you no longer need data, delete it securely. Don’t just move it to another folder!
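To show what a retention schedule looks like once it is written down and enforced, here is an added example (not Sprintlaw’s code, and not legal advice). It assumes a small store of customer records tagged with the purpose they were collected for and their lawful basis; the purposes, field names and retention periods are hypothetical. Records whose consent has been withdrawn are deleted straight away, records past their period are deleted rather than archived, and records with no documented purpose are flagged for a human decision instead of being silently kept.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Hypothetical retention schedule: maximum days to hold a record, keyed by the
# purpose it was collected for. The periods are assumptions for illustration,
# not legal advice; a real schedule is set by the business and its advisers.
RETENTION_DAYS: Dict[str, int] = {
    "marketing": 2 * 365,    # inactive subscribers purged after two years (assumed)
    "order": 6 * 365,        # order/accounting records kept six years (assumed)
    "cctv": 30,              # footage overwritten after 30 days (assumed)
    "recruitment": 180,      # unsuccessful applications after the round closes (assumed)
}


@dataclass
class Record:
    """One stored item of personal data plus the context needed to apply the schedule."""
    id: str
    purpose: str               # why it was collected, e.g. "order"
    lawful_basis: str          # "consent", "contract", "legal_obligation", "legitimate_interests"
    collected_on: date
    last_activity: Optional[date] = None   # e.g. last order, last email open
    consent_withdrawn: bool = False        # unsubscribe / consent withdrawn


@dataclass
class SweepResult:
    deleted: List[str] = field(default_factory=list)
    kept: List[str] = field(default_factory=list)
    review: List[str] = field(default_factory=list)   # no documented purpose: needs a human decision


def retention_deadline(rec: Record) -> Optional[date]:
    """Last day the record may be held, or None if its purpose is not in the schedule."""
    days = RETENTION_DAYS.get(rec.purpose)
    if days is None:
        return None
    anchor = rec.last_activity or rec.collected_on   # clock restarts on activity
    return anchor + timedelta(days=days)


def is_expired(rec: Record, today: date) -> bool:
    """True when the record must go: consent withdrawn, or retention period passed."""
    if rec.lawful_basis == "consent" and rec.consent_withdrawn:
        return True   # withdrawing consent ends processing regardless of any period
    deadline = retention_deadline(rec)
    if deadline is None:
        raise ValueError(f"{rec.id}: purpose {rec.purpose!r} has no retention period")
    return today > deadline


def sweep(store: Dict[str, Record], today: date) -> SweepResult:
    """Delete expired records from the store in place; flag records with no purpose."""
    result = SweepResult()
    for rec_id, rec in list(store.items()):
        if rec.purpose not in RETENTION_DAYS:
            result.review.append(rec_id)   # never delete or keep blindly: escalate
            continue
        if is_expired(rec, today):
            del store[rec_id]              # actually remove it; do not archive it elsewhere
            result.deleted.append(rec_id)
        else:
            result.kept.append(rec_id)
    return result


def sample_store() -> Dict[str, Record]:
    """Constructed sample data for the example; not real customer records."""
    recs = [
        Record("sub-001", "marketing", "consent", date(2023, 1, 10), consent_withdrawn=True),
        Record("sub-002", "marketing", "consent", date(2023, 1, 10), last_activity=date(2024, 5, 1)),
        Record("ord-100", "order", "contract", date(2017, 3, 1)),
        Record("ord-101", "order", "contract", date(2022, 3, 1)),
        Record("cam-7", "cctv", "legitimate_interests", date(2024, 4, 1)),
        Record("exp-9", "legacy_export", "unknown", date(2019, 6, 1)),
    ]
    return {r.id: r for r in recs}


def run_example(today: date = date(2024, 6, 1)) -> SweepResult:
    """Run the sweep over the sample store as of a fixed date."""
    return sweep(sample_store(), today)


if __name__ == "__main__":
    res = run_example()
    print("deleted:", res.deleted)   # sub-001 (unsubscribed), ord-100 (>6 years), cam-7 (>30 days)
    print("kept:   ", res.kept)      # sub-002 (recent activity), ord-101 (within 6 years)
    print("review: ", res.review)    # exp-9 has no purpose in the schedule
```

Run it as a scheduled job against whatever your real store is (CRM export, database, mailbox), and log the sweep result so you can show the ICO that the schedule is applied, not just written.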
What Rights Do Customers Have Over Their Data?
Data subjects (your customers) have several important rights under the GDPR, including the right to:
- See what personal data you hold (“subject access”)
- Have inaccurate data corrected
- Have their data deleted (“the right to be forgotten”)
- Object to their data being processed for direct marketing
- Request restriction or portability of their data
You must have processes in place to handle these requests (a request to see the data is a “subject access request”, or SAR), and you generally have one month to respond; this can be extended by up to two further months for complex or numerous requests, but you must tell the person within the first month. Verify the requester’s identity before disclosing anything. Knowing your responsibilities here is essential.
For more, check out our guide to GDPR basics for UK businesses.
What Should My Privacy Policy Cover?
Your Privacy Policy is the document that tells customers exactly what you do with their data:
- What data you collect and how
- Your reasons for collecting it (the lawful basis)
- Who you share data with and why
- How long you keep data
- How customers can access, correct, or delete their data
- How to complain if they think you’ve mishandled their information
By law, this must be accessible and written in plain English-no jargon! Check out our tips for writing compliant privacy notices.
What About Data Protection Policies And Staff Training?
Following the rules isn’t just about the boss knowing what to do. You need company-wide habits that everyone follows, and that’s where policies and training come in:
- Have an internal data protection policy covering your processes
- Train staff on their data protection responsibilities (for example, how to spot a phishing email or what to do in case of a data breach)
- Review your practices regularly and adapt as needed
You must appoint a Data Protection Officer (DPO) only in specific cases (for example, if your core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special category data). Even if you don’t need one, name a staff member responsible for compliance.
Practical Steps To Recording Customer Data Lawfully
Ready to fine-tune your data recording habits? Here’s a quick checklist for UK firms:
- List every way you collect, use, and store customer data (sales forms, video, emails, cloud storage, etc.)
- Identify your lawful basis for each activity, and get explicit consent where required
- Write (or update) your Privacy Policy and make it accessible to customers
- Display notices for any video or audio recording, informing customers and visitors
- Train staff on data protection responsibilities
- Implement technical safeguards (passwords, access controls)
- Regularly review what data you hold and securely delete what you no longer need
- Be ready to respond to customer data requests within one month
- Get tailored advice if you’re ever in doubt; every business is different!
If you want a closer look at the steps involved in GDPR compliance, you might find our Business Startup Checklist helpful as well.
What Happens If I Get It Wrong?
Breaching the GDPR is taken seriously by the Information Commissioner’s Office (ICO). Outcomes can include:
- Investigations and audits by the ICO
- Reputational damage and lost customer trust
- Compensation claims by affected customers
- Fines up to £17.5 million or 4% of global annual turnover (whichever is higher)
Most breaches are caused by lapses in process or poor training, not malicious intent. Protect your business and reputation by building good data practices from the start.
Key Takeaways: Recording Customer Data Lawfully in the UK
- Businesses must comply with GDPR and UK data protection law when recording or using customer data
- Only collect data for specific, lawful purposes, and be transparent about what you record
- Recording calls or video needs a lawful basis and clear notice; where you rely on consent, get it explicitly, and when in doubt, inform customers and get their okay
- Keep customer data secure, and don’t hold onto information longer than you need
- Have a clear, up-to-date Privacy Policy and internal data protection processes in place
- Train your staff, review your practices, and be ready to handle data subject requests
- When in doubt, get tailored legal advice so you’re protected from day one!
Do you need help with your Privacy Policy, understanding GDPR, or practical steps to record customer data lawfully? Get in touch with the Sprintlaw team for a free, no-obligation chat on 08081347754 or email team@sprintlaw.co.uk.