
GDPR for freelancers: what you actually need to do

Admin User
23 February 2026

Key takeaways

  • If you handle any client data (names, emails, project files), GDPR applies to you
  • You probably don't need to register with the ICO if you're a sole trader (most are exempt)
  • A simple privacy notice on your website covers most of your obligations
  • The Data (Use and Access) Act 2025 simplified some rules, but core obligations remain

GDPR sounds terrifying. It mostly isn't.

When GDPR landed in 2018, everyone panicked. Giant fines! Consent forms! Data processing agreements! And yes, those things exist. But for the average freelancer collecting client names, email addresses, and project files? Your obligations are manageable.

Let's cut through the noise and focus on what you actually need to do.

Does GDPR apply to freelancers?

If you collect, store, or process any personal data about individuals, then yes. Personal data means anything that can identify a person:

  • Names and email addresses
  • Phone numbers and addresses
  • IP addresses and website analytics
  • Payment details

If you have a client list, send invoices, or use a contact form on your website — GDPR applies to you.

Do you need to register with the ICO?

Most sole traders processing data only for core business purposes (invoicing, client management, marketing your own services) are exempt from the ICO registration fee. The ICO has a self-assessment tool on their website — takes two minutes.

If you process data on behalf of others (e.g., you're a virtual assistant handling client databases), you'll likely need to register. The fee is £40/year for micro organisations.

The four things you actually need to do

1. Write a privacy notice

Put a privacy notice on your website. It doesn't need to be long. It needs to explain:

  • What data you collect (names, emails, project details)
  • Why you collect it (to deliver your services, send invoices, communicate about projects)
  • How long you keep it (e.g., "for the duration of our working relationship plus 6 years for tax records")
  • Who you share it with (e.g., your accountant, payment processor)
  • How people can request their data or ask you to delete it

2. Keep data secure

You don't need a server room. You need basic good practice:

  • Use strong passwords and two-factor authentication on everything
  • Don't email spreadsheets full of client data
  • Use encrypted cloud storage (Google Drive, Dropbox — both are fine)
  • Lock your laptop when you leave it

3. Only collect what you need

GDPR's "data minimisation" principle means you shouldn't collect data you don't use. If your contact form asks for a phone number but you never call anyone, remove the field.

4. Have a plan for data requests

Under GDPR, anyone can ask you to:

  • See their data (Subject Access Request) — you have 30 days to respond
  • Delete their data (Right to Erasure) — unless you have a legal reason to keep it (like tax records)
  • Correct their data — if it's wrong, fix it

In practice, most freelancers never receive these requests. But knowing the process means you won't panic if one arrives.

What changed in 2025?

The Data (Use and Access) Act 2025 made some changes to UK data protection law. The core GDPR obligations haven't gone away, but some processes have been simplified:

  • The rules around "legitimate interest" (processing data without explicit consent for reasonable business purposes) have been clarified — good news for freelancers who market their services
  • Some record-keeping requirements have been streamlined for small organisations
  • Cookie consent rules have been tweaked (but you still need a cookie banner if you use analytics)

Common GDPR myths

  • "I need consent for everything" — Not true. You can process data under "legitimate interest" or "contractual necessity" (e.g., you need a client's address to send an invoice).
  • "I need a Data Protection Officer" — Only if you're a large organisation processing data at scale. Freelancers don't.
  • "I'll be fined millions" — The ICO focuses on large-scale breaches and wilful negligence. A freelancer with a reasonable privacy notice and basic security isn't their target.

The honest summary

Write a privacy notice. Keep client data secure. Don't collect what you don't need. That covers 90% of GDPR for freelancers. The remaining 10% only kicks in if you're handling sensitive data at scale — which most of us aren't.
