GDPR has been law in the UK since 2018 — now preserved as UK GDPR following Brexit — and most cleaning business owners have been vaguely anxious about it ever since. They've heard about fines. They've seen the scare headlines. And they've largely responded by ignoring it, hoping that as a small business they won't end up on the Information Commissioner's Office's radar.

That's understandable. But it's also a risk that's completely unnecessary to carry, because for most cleaning and property maintenance businesses, genuine compliance is far less complicated than the anxiety around it suggests.

This guide cuts through the jargon. It explains what data you actually hold, what the law actually requires, and the five practical things you need to have in place. It is not legal advice — if you have a complex situation, speak to a solicitor. But it will give you a clear picture of where you stand and what to do next.

The data you hold — and the parts most businesses miss

Before you can comply with GDPR, you need to understand what personal data your business actually processes. For a cleaning or FM business, this falls into three categories — and most owners are only thinking clearly about the first one.

Client data

The obvious one. Names, email addresses, phone numbers, billing addresses, site access details, and any notes about the client's premises or preferences. This is the data in your CRM, your quoting tool, and your invoicing system. Most businesses have a reasonable instinct to protect this, even if the formal basis isn't clearly documented.

Staff and operative data

This is where most small cleaning businesses have gaps. Your employees' and operatives' personal data is subject to exactly the same GDPR obligations as client data. This includes:

  • Names, addresses, National Insurance numbers, bank details
  • Right-to-work documentation and copies of passports or visas
  • DBS check results — which are special category data under UK GDPR and carry stricter obligations
  • Sickness records, disciplinary notes, performance records
  • Emergency contact details for next of kin

If this data is sitting in a shared Google Sheet, an email thread, or a folder on someone's laptop — that's a compliance problem. Not necessarily one that will attract a fine tomorrow, but one that creates real risk if there's ever a breach, a disgruntled ex-employee, or a TUPE transfer where the data needs to be handed over.

Prospect and contact data

The category that's most frequently overlooked entirely. Every business card from a networking event, every email address from an enquiry form, every contact you've added to a spreadsheet after a cold outreach campaign — that's personal data, and it's subject to GDPR. If you're marketing to these people, you need a lawful basis and a way for them to opt out.

Important distinction

UK GDPR applies to personal data about individuals. If you send a quote addressed to "Facilities Manager, Acme Ltd" with no individual named, that's not personal data. The moment it's addressed to "James Walsh, Facilities Manager, Acme Ltd" — it is. In practice, most B2B cleaning correspondence involves named individuals, so assume it applies unless you're certain it doesn't.

The five things you need to have in place

UK GDPR has seven core principles and dozens of specific obligations. For a cleaning business of typical size, the following five areas cover the vast majority of practical risk.

A lawful basis for each type of processing

For every category of personal data you hold, you need a documented reason — a "lawful basis" — for holding it. There are six lawful bases under UK GDPR; for a cleaning business, three are most relevant:

  • Contract: You need the data to fulfil a contract with the individual. This covers client contact details and employee records held to manage their employment.
  • Legitimate interests: You have a genuine business need to hold the data, and that need isn't outweighed by the individual's privacy rights. This typically covers prospect data and some operational records.
  • Legal obligation: The law requires you to hold the data. Right-to-work records and payroll data fall here.

You don't need to tell people their lawful basis in plain sight — but you need to have it documented internally, so that if the ICO ever asks, you can demonstrate you've thought about it. A simple internal record (a spreadsheet is fine) that maps each category of data to a lawful basis is sufficient for most small businesses.

A privacy notice your clients and staff can actually find

You are legally required to tell people what data you hold about them, why you hold it, how long you'll keep it, and what their rights are — at the time you collect the data, or as soon as practicable after. This is your privacy notice (sometimes called a privacy policy).

For clients, this typically means a link in your quote or contract email and a page on your website. For staff, it's usually a document provided at the start of employment — sometimes called a staff privacy notice or fair processing notice.

The key things your privacy notice must cover:

  • Who you are and how to contact you (and your Data Protection Officer, if you have one — most cleaning businesses below 250 staff don't need a formal DPO)
  • What data you collect and why
  • Your lawful basis for each category
  • Who you share data with (payroll providers, software platforms, subcontractors)
  • How long you keep data before deleting it
  • Individual rights: access, rectification, erasure, objection

The ICO provides a free privacy notice generator that is genuinely useful and will produce something serviceable. The important thing is that you have one, it's accurate, and people can actually find it.

A data retention policy — and the discipline to follow it

UK GDPR does not permit you to hold personal data indefinitely. You must only keep it for as long as necessary for the purpose for which it was collected, and then delete it securely.

For a cleaning business, typical retention periods look like this:

  • Active client records: Hold for the duration of the contract, plus a reasonable period after (commonly 6 years, matching the Limitation Act for contract disputes)
  • Employee records: Generally 6 years after the employment ends (required for PAYE and pension purposes)
  • DBS check results: The DBS recommends retaining results for no longer than 6 months after a recruitment decision, unless there are exceptional circumstances
  • Unsuccessful job applications: 6 months is standard practice
  • CCTV footage (if you operate it): 31 days is typical; longer requires justification

The problem for most businesses isn't knowing these rules — it's actually following them. Data that should have been deleted 3 years ago is still sitting in an email folder or a shared drive. This matters because if you experience a data breach, the ICO will look at what data was exposed. Old data that should have been deleted becomes unnecessary exposure.
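The missing piece in most businesses is a repeatable way to run the retention check, not the periods themselves. The script below is an added example, not the article's own tool or any product's code: it applies the typical retention periods listed above to a small set of constructed records, works out which ones are past their period on a given audit date, flags any record that has no retention rule at all (the "just in case" data), and produces the log lines you would keep as evidence that the audit was done. The record layout, category names, the `location` field and the sample dates are all assumptions made for the example.

```python
"""Retention audit over a constructed set of records (added example)."""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Tuple

# Retention period per category as (years, months, days), counted from the
# record's trigger date: contract end, employment end, recruitment decision,
# application outcome, or capture date for CCTV. Periods follow the article;
# the category names are an assumption for this example.
RETENTION_RULES = {
    "client_record": (6, 0, 0),
    "employee_record": (6, 0, 0),
    "dbs_result": (0, 6, 0),
    "unsuccessful_application": (0, 6, 0),
    "cctv_footage": (0, 0, 31),
}


@dataclass
class Record:
    record_id: str
    category: str
    subject: str        # who the data is about
    trigger_date: date  # date the retention clock starts
    location: str       # where the data actually lives


def add_period(start: date, years: int, months: int, days: int) -> date:
    """Shift a date by a calendar period, clamping to the month's last day
    (so 31 August + 6 months lands on 28 February, not an invalid date)."""
    total_months = start.month - 1 + months + 12 * years
    year = start.year + total_months // 12
    month = total_months % 12 + 1
    day = min(start.day, calendar.monthrange(year, month)[1])
    return date(year, month, day) + timedelta(days=days)


def retention_expiry(record: Record) -> date:
    """Date on which the record should be deleted."""
    years, months, days = RETENTION_RULES[record.category]
    return add_period(record.trigger_date, years, months, days)


def audit(records: List[Record], as_of: date) -> Tuple[List[Record], List[Record], List[Record], List[str]]:
    """Return (to_delete, to_keep, unclassified, log) for an audit on as_of.

    A record expires on the day its period ends (expiry <= as_of). Records
    whose category has no rule are not silently kept: they are reported so
    that a rule is written for them."""
    to_delete, to_keep, unclassified, log = [], [], [], []
    stamp = as_of.isoformat()
    for r in records:
        if r.category not in RETENTION_RULES:
            unclassified.append(r)
            log.append(f"{stamp} NO-RULE {r.record_id} ({r.category}, {r.location})")
            continue
        expiry = retention_expiry(r)
        if expiry <= as_of:
            to_delete.append(r)
            log.append(f"{stamp} DELETE {r.record_id} ({r.category}, {r.location}) expired {expiry.isoformat()}")
        else:
            to_keep.append(r)
    return to_delete, to_keep, unclassified, log


# Constructed sample data; names, ids and dates are made up for the example.
AS_OF = date(2025, 1, 15)
SAMPLE_RECORDS = [
    Record("C001", "client_record", "A. Client", date(2018, 6, 30), "CRM"),
    Record("C002", "client_record", "B. Client", date(2020, 3, 1), "CRM"),
    Record("E001", "employee_record", "C. Operative", date(2019, 1, 15), "HR folder"),
    Record("D001", "dbs_result", "D. Applicant", date(2024, 8, 31), "HR folder"),
    Record("A001", "unsuccessful_application", "E. Applicant", date(2024, 6, 1), "Mailbox"),
    Record("V001", "cctv_footage", "site entrance", date(2024, 12, 20), "NVR"),
    Record("X001", "whatsapp_export", "scheduling group", date(2021, 5, 5), "Laptop"),
]

if __name__ == "__main__":
    delete, keep, unknown, lines = audit(SAMPLE_RECORDS, AS_OF)
    for line in lines:
        print(line)
    print(f"{len(delete)} to delete, {len(keep)} to keep, {len(unknown)} without a rule")
```

The `location` field is there for a reason beyond the audit: it is the same inventory of where data lives that the SAR process later in the article depends on. Keeping the printed log lines with the audit date is the "document that you've done it" step.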

"The most common GDPR problem in small businesses isn't bad intentions — it's data that was never deleted because no one had a system for doing it."

A process for responding to Subject Access Requests

Any individual whose data you hold has the right to request a copy of it — this is called a Subject Access Request, or SAR. You have one calendar month to respond, free of charge. Failure to respond, or responding late, is one of the most common triggers for ICO complaints.

SARs most commonly come from:

  • Ex-employees involved in a dispute (by far the most common scenario in cleaning businesses)
  • Clients who want to know what you hold about them
  • Individuals in your marketing database requesting removal

You don't need elaborate software to handle SARs. What you need is:

  • A named person in the business responsible for receiving and responding to them
  • A clear internal process: acknowledge within 5 days, compile data, respond within 30 days
  • Knowledge of where your data actually lives — so you can find it when you need to

That last point is where businesses routinely fail. If your client data is split across three systems, your employee records are in a mix of folders and email threads, and your operative schedules are in someone's WhatsApp, responding to a SAR becomes a significant operational event. Centralising your data in well-structured systems is as much a GDPR obligation as it is good business practice.

A breach detection and reporting process

If you experience a personal data breach — a laptop stolen, an email sent to the wrong person, unauthorised access to a system — you are required to assess it and, if it meets the threshold, report it to the ICO within 72 hours.

The threshold for mandatory reporting is where the breach is likely to result in a risk to individuals' rights and freedoms. A password-protected laptop with encrypted data being stolen may not meet that bar. A spreadsheet of client bank details being emailed to the wrong address almost certainly does.

What you need in place is simple:

  • A way for staff to report suspected breaches internally without fear of blame (the cover-up is always worse than the breach)
  • A named person to assess severity and make the reporting decision
  • The ICO's online reporting tool bookmarked and ready: ico.org.uk
  • A record of all breaches assessed, even those not reported — the ICO can ask to see this

The three mistakes cleaning businesses make most often

Based on the most common ICO complaints and enforcement actions in service industries, these are the areas where cleaning businesses most frequently fall short.

Using personal WhatsApp for operative scheduling

Personal WhatsApp groups containing staff names, phone numbers, site addresses, and schedule information are a GDPR headache. When a member of staff leaves, that data doesn't leave with them — it stays in their personal phone indefinitely. When there's a dispute, you have no control over what they do with it.

Moving operative communications to a business system with proper access controls — even something as simple as a dedicated business phone or a managed messaging platform — removes this exposure and is straightforwardly better for the business regardless of compliance.

Keeping data "just in case"

The instinct to hold onto everything — old client records, former staff files, years of invoices — is understandable but creates unnecessary risk. Every piece of personal data you hold beyond its retention period is a liability that serves no purpose. Run an annual data audit. Delete what you should have deleted. Document that you've done it.

Assuming your software provider handles it

When you use a third-party platform to manage client data or staff records, you remain the data controller — you are responsible for what happens to that data. The software provider is your data processor. You should have a Data Processing Agreement (DPA) in place with every significant software provider you use.

Most reputable software companies provide DPAs on request or automatically through their terms of service. The key things a DPA should cover: what data is processed, on what instructions, with what security measures, and what happens to data when you stop using the service.

If you're using a software platform that stores UK client or staff data on servers outside the UK or EEA — particularly in the United States — there are additional transfer mechanism requirements. Reputable providers will have addressed this in their standard terms, but it's worth confirming.

Lustre is built to be GDPR-compliant from the ground up

Data stored in the UK. DPAs available for all enterprise customers. Role-based access controls so your team only sees what they need to. Audit logs, data export, and right-to-erasure support built in.


A note on ICO registration

Most organisations that process personal data are legally required to register with the ICO and pay a data protection fee. For most small cleaning businesses, this is £40 per year (Tier 1: turnover under £632,000 and fewer than 10 staff) or £60 per year (Tier 2). Sole traders with no employees who only process data for their own accounts and marketing may be exempt.

You can check whether you need to register using the ICO's self-assessment tool at ico.org.uk. If you're not registered and you should be, register now — the fine for non-registration is up to £4,350, and the ICO actively pursues it.

The short version

GDPR compliance for a cleaning business is not as complicated as the anxiety around it suggests. The fundamentals are:

  1. Know what data you hold — client records, staff records, and prospect contacts. Document them.
  2. Have a lawful basis for holding each category — contract, legitimate interests, or legal obligation covers almost everything a cleaning business does.
  3. Give people a privacy notice — clients at the point of quoting, staff at the start of employment.
  4. Set retention periods and actually delete data — the data you shouldn't still be holding is pure liability.
  5. Have a plan for SARs and breaches — a named person, a simple process, and the ICO's contact details.

None of this requires a lawyer or a specialist consultant for a typical cleaning business. It requires an afternoon, a document, and the discipline to follow through. The businesses that get into trouble are almost never the ones that tried and fell short — they're the ones that never started.

Disclaimer

This article provides general information about UK GDPR obligations and is not legal advice. Requirements vary based on your specific circumstances, data types, and business structure. For complex situations — particularly those involving special category data, international transfers, or enforcement action — consult a qualified data protection solicitor or a registered Data Protection Officer.