I am a sole trader working from home, how do I prepare for GDPR?

legal updates

You now have to check the basis on which the processing of that data is lawful.

Read our disclaimer keyboard_arrow_down

This website content is intended as a general guide to law as it applies to the motor trade. Lawgistics has taken every effort to ensure that the contents are as accurate and up to date as at the date of first publication.

The laws and opinions expressed within this website may be varied as the law develops. As such we cannot accept liability for or the consequence of, any change of law, or official guidelines since publication or any misuse of the information provided.

The opinions in this website are based upon the experience of the authors and it must be recognised that only the courts and recognised tribunals can interpret the law with authority.

Examples given within the website are based on the experience of the authors and centre upon issues that commonly give rise to disputes. Each situation in practice will be different and may comprise several points commented upon.

If you have any doubt about the correct legal position you should seek further legal advice from Lawgistics or a suitably qualified solicitor. We cannot accept liability for your failure to take professional advice where it should reasonably be sought by a prudent person.

All characters are fictitious and should not be taken as referring to any person living or dead.

Use of this website shall be considered acceptance of the terms of the disclaimer presented above.

As we move closer to the implementation of The General Data Protection Regulations (GDPR) in May this year, we are receiving an avalanche of calls to our legal helpline from anxious members, who have been affected by ‘panic stations marketing’ campaigns in and around GDPR.

We have therefore decided to publish some of the most common questions we receive with our answers.

I am a sole trader working from home, how do I prepare for GDPR?

I work from home. I only use paper invoices, I have no employees, don’t keep a marketing mailing list and don’t offer car finance. The only personal data I hold is that which is on invoices. What do I need to do in preparation for GDPR?  

Whether you realise or not, you have already undertaken your information audit and that audit has concluded that the only personal data you hold is that which is on your invoices.  You now have to check the basis on which the processing of that data is lawful. There are 6 lawful bases under the GDPR. Keeping personal data on invoices will be covered by Article 6(b) which states:

“processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering not a contract”.

In simple terms as you can’t sell this person a car without knowing who they are, you need that personal data to be able to enter into a contract with them and so you are fine to keep it.

Further, you need to keep those invoices to prepare your accounts for HMRC. This brings in a further lawful basis covered by Article 6 (c) which states:

“Processing is necessary for compliance with a legal obligation to which the controller is subject.”    

In simple terms you are legally required to keep accounting records for 6 years and so holding that data also meets Article 6(c) .

In addition to needing a lawful basis for processing, you have an obligation to ensure the data is accurate and that you do not hold more information than is necessary. Data minimalisation is one of the 6 principles of the GDPR which are set out in Article 5. Article 5 (c) states that personal data shall be:

HaswentWebsites for dealers small and large

Composer is a next-gen automotive platform that has been designed from the ground up to give you an intuitive way to promote your stock. You have extensive stock management options, and you'll gain a brilliantly responsive new website to advertise your stock, starting at just £39.99/month.

               “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”

So, if your invoices ask for an email address but you never send emails, you should remove the box from your invoices to ensure you don’t keep hold of more information than you need.

Finally, you need to ensure you don’t keep data for longer than is necessary and that you look after that data.

In your case, you securely store your invoices in a locked filing cabinet. They are sent to your accountant by special delivery and returned in the same manner and then archived in your loft and then disposed of after 6 years by a registered data disposal company. This will all meet the GDPR standard and so as long as you continue with this business model, you will remain compliant.

Nona BowkisHead of Legal Services / SolicitorRead More by this author

Related Legal Updates

Data Protection is real and mistakes can cost your business

Most fines from the ICO are against large companies that send out unsolicited marketing messages.

Do you know what a personal data breach is?

If a security incident has taken place, you should quickly establish whether a personal data breach has occurred. If yes, promptly take steps to address it, including telling the ICO if required. You need to keep a log of any breaches, record the details, and actions taken.

Are you ready for the UK’s data landscape change?

The ramifications for not having the correct policy and procedures in place could be costly, not only by a fine from the ICO for not paying your fee, but also by being reported for data breach

Goodbye 2021, hello 2022!

Despite an excess of 100 different commission claims hitting the Lawgistics’ desks, not one single dealer has had to part with their money.

Used cars – a treasure trove of personal data and a data breach in the making

Modern cars pair with smart phones and other electronic devices via Bluetooth or USB and absorb huge amounts of our personal data.

Police ordered to disclose information

Citing the provisions of the Data Protection Act 2018.

£820 out of pocket due to a data breach

Ex-employee admitted to three offences of unlawfully obtaining personal data.

Get in touch

Complete the form to get in touch or via our details below:

01480 455500

Vinpenta House
High Causeway

By submitting this quote you agree to our Terms & Conditions and Privacy & Cookies Policy.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.