Guide · Compliance

GDPR and field reports.

Most field reports hold personal data, so UK GDPR applies from collection. Here is what UK SMEs must do about ICO registration, lawful basis, retention and hosting.

Try the demo See pricing

Free forever: 20 reports a month. No card, no trial clock.

Why it matters

Reports usually contain personal data

Names, addresses linked to a resident, and photos of identifiable people are personal data under UK GDPR. The format does not matter: paper, PDF, cloud photo or voice note. The duty to process it lawfully, transparently and securely begins the moment it is collected.

Get the basics right

Three obligations to settle

  1. 1

    Register with the ICO

    Almost all commercial field firms must pay the data protection fee. It is £40 a year for small organisations. Failing to register is a criminal offence.

  2. 2

    Pick a lawful basis

    Contract covers client work; legitimate interests covers safety, compliance and admin records. Consent is rarely the right basis for field data.

  3. 3

    Set a retention period

    Keep data no longer than necessary. A written retention policy, even one page, demonstrates compliance.

Hosting

Where data sits matters

UK GDPR restricts transfers outside the UK without adequacy or safeguards. EU hosting satisfies both UK and EU requirements. Quickler stores all data on Hetzner servers in Germany, is ICO registered C1910464, and provides a Data Processing Agreement on request.

See it work

Field reporting with EU hosting and a DPA

This page is general information, not legal advice. For your business, consult a solicitor or contact the ICO.

Try the demo See pricing

That inspection photo on your phone is personal data. So is the householder's name on the job sheet. UK GDPR does not wait for a server or a signature. It applies from the moment you collect the data, on paper, in a PDF, in a cloud folder or in a voice note. Here is what UK SMEs actually have to do about it.

This page is general information, not legal advice. For advice on your business, consult a solicitor or contact the ICO directly at ico.org.uk.

The short version

  • Most field reports hold personal data. Names, addresses, photos. UK GDPR applies from the moment they are collected.
  • Almost all commercial field service firms must register with the ICO. The data protection fee is £40 per year for small organisations.
  • Pick a lawful basis. Contract or legitimate interests, rarely consent.
  • Keep personal data no longer than necessary. A written retention policy, even one page, is good practice.
  • Where data is hosted matters. EU hosting satisfies both UK and EU requirements.
  • Tell people what you collect. A short data protection notice does the job.

What counts

Your reports almost certainly hold personal data

UK GDPR defines personal data as any information relating to an identified or identifiable natural person. A worker's name, a client's address linked to an identifiable resident, a photograph in which a person is recognisable: all personal data.

Format makes no difference. Paper inspection report, PDF, cloud photo, voice note. The duty to process it lawfully, transparently and securely starts the moment it is collected.

Common data points in UK field reports: the property address where it identifies a named householder; the name and signature of an occupier or site representative; engineer names; photos showing identifiable people; and job reference numbers tied to a client record. Data about organisations is generally not personal data, unless it identifies an individual. A sole trader trading under their own name is the usual exception.

Step one

Register with the ICO. It takes ten minutes

Most organisations that process personal data must pay the ICO's annual data protection fee. For small organisations with fewer than 250 employees and a turnover below £36 million, the fee is £40 per year. Tier 2 is £60. Tier 3 is £2,900.

Exemptions are narrow. Pure domestic use is exempt. Some not-for-profit bodies qualify. Most sole traders and small businesses doing commercial field work must register, and failing to register is a criminal offence.

The ICO's online self-assessment tool at ico.org.uk tells you whether you need to. But registration alone does not make a firm compliant. It is a prerequisite. The real obligations, lawful processing, retention limits, security measures, subject access rights, apply whatever your registration status.

Step two

Pick a lawful basis, and skip consent

UK GDPR requires a lawful basis for every processing activity. For field reports, two matter.

Contract. Where processing is necessary to perform a contract with the data subject, you have your basis. An engineer completing an inspection for a private client processes the client's name and address on a contractual basis. Simple.

Legitimate interests. Where processing is necessary for the legitimate interests of the controller and is not overridden by the data subject's rights, that works too. Health and safety records, compliance records and business admin records typically rely on legitimate interests, provided the processing is proportionate.

Consent is rarely right for field data. It is hard to rely on commercially and drags in withdrawal obligations that are impractical for historical inspection records.

Step three

Keep it no longer than necessary

UK GDPR's storage limitation principle says personal data should be kept no longer than is necessary for the purpose it was processed for. There is no single number for field reports, because the right period depends on why the report was made.

  • Legal compliance records (RIDDOR, gas safety records, EICR records) carry statutory minimum retention periods set by the relevant regulations. Keep these for the statutory minimum at least.
  • Contractual records should generally be kept for the Limitation Act 1980 period: six years for simple contracts, twelve years for contracts made by deed.
  • Safety records (scaffold inspections, risk assessments) should be kept for the statutory minimum where one exists, or six years as general commercial practice.

A written retention policy, even a single page, shows the question has been asked and answered. It protects the firm in an ICO investigation.

Where it lives

Hosting and data residency are not a footnote

UK GDPR restricts transfers of personal data outside the UK without an adequacy decision or appropriate safeguards. Within the UK, and within the EU, processing is generally unrestricted.

For firms using cloud-based field reporting tools, the practical question is blunt: where does the data sit? A tool built on US cloud infrastructure without a Data Processing Agreement or Standard Contractual Clauses may not satisfy UK GDPR's transfer requirements.

Quickler stores all data on Hetzner servers in Germany (EU). EU hosting satisfies both UK GDPR and EU GDPR requirements and sidesteps the transfer question entirely. Quickler is registered with the ICO under reference C1910464, and customers receive a Data Processing Agreement on request. Beyond location, the basics still matter: encryption in transit and at rest, access controls, and deletion on request.

Transparency

Tell people what you are collecting

UK GDPR's transparency principle means data subjects must be told, at or before collection, how their data will be used. For field reports, that usually means a data protection notice in the firm's terms of business and on any form that collects personal data.

The notice must cover: who the data controller is; the lawful basis for processing; what the data will be used for; how long it will be kept; and how the data subject can exercise their rights.

A paragraph at the foot of a job sheet, or a link to a privacy policy on the firm's website, is enough for most field contexts. The ICO's template privacy notices are a sound starting point. Want to see field reporting with EU hosting and a DPA built in? See how it works.

Questions, answered

Do field reports contain personal data under UK GDPR?

Yes, in most cases. A field report holding a worker's name, a property address linked to an identifiable person, or a photo in which a person is identifiable contains personal data under UK GDPR. True whether the report is on paper or digital. The obligations to process it lawfully, securely and to a stated retention period apply from the moment it is collected.

Does a small field service firm need to register with the ICO?

Most organisations that process personal data commercially must pay the ICO's data protection fee and register. Exemptions cover purely personal use and some not-for-profit bodies. Almost all commercial field service firms will need to register. The fee is £40 per year for small organisations. Failure to register is a criminal offence. Check your position at ico.org.uk.

How long should field reports containing personal data be kept?

UK GDPR's storage limitation principle requires personal data be kept no longer than necessary for the purpose it was collected for. Legal compliance records have statutory minimums. Contractual records should be kept for six years. Safety records should be kept for the statutory minimum or six years as general practice. A written retention policy demonstrates compliance.

Does it matter whether data is hosted in the EU or UK?

UK GDPR restricts transfers of personal data outside the UK without an adequacy decision or appropriate safeguards. EU hosting satisfies both UK and EU requirements. For UK SMEs using cloud services, the practical questions are: where is the data physically stored, and does the provider have appropriate security measures and a Data Processing Agreement in place? Quickler stores all data on Hetzner servers in Germany. ICO registered C1910464. DPA available on request.

Keep reading

Related guides