Do field reports contain personal data under UK GDPR?
Yes, in most cases. A field report holding a worker's name, a property address linked to an identifiable person, or a photo in which a person is identifiable contains personal data under UK GDPR. True whether the report is on paper or digital. The obligations to process it lawfully, securely and to a stated retention period apply from the moment it is collected.
Does a small field service firm need to register with the ICO?
Most organisations that process personal data commercially must pay the ICO's data protection fee and register. Exemptions cover purely personal use and some not-for-profit bodies. Almost all commercial field service firms will need to register. The fee is £40 per year for small organisations. Failure to register is a criminal offence. Check your position at ico.org.uk.
How long should field reports containing personal data be kept?
UK GDPR's storage limitation principle requires personal data be kept no longer than necessary for the purpose it was collected for. Legal compliance records have statutory minimums. Contractual records should be kept for six years. Safety records should be kept for the statutory minimum or six years as general practice. A written retention policy demonstrates compliance.
Does it matter whether data is hosted in the EU or UK?
UK GDPR restricts transfers of personal data outside the UK without an adequacy decision or appropriate safeguards. EU hosting satisfies both UK and EU requirements. For UK SMEs using cloud services, the practical questions are: where is the data physically stored, and does the provider have appropriate security measures and a Data Processing Agreement in place? Quickler stores all data on Hetzner servers in Germany. ICO registered C1910464. DPA available on request.