Most cleaning business owners assume GDPR is for big companies — retailers with customer databases, tech firms with millions of users, healthcare providers handling medical records. It's tempting to think a sole trader with a handful of regular domestic clients and a WhatsApp group for staff is safely below the threshold. That assumption is wrong, and it's one the Information Commissioner's Office (ICO) is increasingly willing to correct.
UK GDPR — the post-Brexit version of the EU's General Data Protection Regulation, now enshrined in the UK GDPR and Data Protection Act 2018 — applies to all UK businesses regardless of size. There is no small business exemption from the law itself. There is only proportionality in enforcement. Understanding the difference, and what you're actually required to do, is the purpose of this guide.
Does GDPR apply to your cleaning business?
Yes. The moment you hold a client's name, address, phone number or email address in the course of running your business, you are a data controller under UK GDPR. A data controller is any person or organisation that determines the purposes and means of processing personal data. That description fits almost every cleaning business operating in the UK today.
Personal data is defined broadly under UK GDPR: it is any information relating to an identified or identifiable natural person. A client's name alone is personal data. A client's address alone may be sufficient to identify them. A phone number linked to a name certainly is. If you have a spreadsheet of client names and addresses, a notes app with entry codes and contact numbers, or a WhatsApp conversation with booking details — you are processing personal data and UK GDPR applies to you.
The ICO's small business exemption is often misunderstood. It does not mean you are exempt from UK GDPR. It means that the ICO takes a proportionate approach to enforcement for smaller organisations — they are less likely to face a multi-million pound fine than a large data processor who suffers a catastrophic breach. But the legal obligations are the same. The duty to register with the ICO (where required), to have a lawful basis for processing, to provide a privacy notice to clients, and to keep data secure — all of these apply to a sole trader running a domestic cleaning round just as they apply to a national facilities management company.
Post-Brexit, UK GDPR operates independently of EU GDPR. If you only operate in the UK and have no EU clients, EU GDPR does not apply to you. UK GDPR does. For practical purposes in 2026 the two frameworks remain closely aligned, but references to regulatory guidance should be to the ICO rather than to EU data protection authorities.
What data cleaning businesses typically hold
It's worth auditing precisely what personal data your cleaning business actually holds, because the list is often longer than owners initially realise. For client-facing operations, the typical data set includes:
- Client name and address — the most basic form of personal data, held by virtually every cleaning business
- Contact number and email — used for booking confirmations, access arrangements, and chasing invoices
- Key codes and entry instructions — alarm codes, door entry numbers, keysafe combinations, gate codes
- Access notes — information about pets, preferred entry arrangements, security preferences, any access restrictions
- Payment details — bank account details for bank transfer clients, or stored card tokens if you use a payment processor
- Service history and booking records — dates, frequency, specific instructions, complaints or feedback
If you have employees, workers or subcontractors, the data set expands significantly and becomes more sensitive:
- National Insurance numbers — required for payroll; classified as a special identifier under UK GDPR
- Bank account details — needed to pay wages
- Right to work documents — passports, biometric residence permits, share codes
- DBS certificate results — Disclosure and Barring Service checks, which are criminal record data and attract heightened obligations
- Emergency contact details — personal data about third parties (family members) who have no direct relationship with you
- Absence and sickness records — which may reveal health information, itself a special category under UK GDPR
- Disciplinary records — records of formal warnings or investigations
The sheer breadth of this data is why GDPR compliance for cleaning businesses requires a structured approach rather than an assumption that the law doesn't apply.
ICO registration — who needs it
The Information Commissioner's Office is the UK's independent regulatory authority for data protection. Most organisations that process personal data for commercial purposes are required to pay a data protection fee — this is commonly referred to as "registering with the ICO".
For most cleaning businesses, the relevant fee tier is Tier 1: £40 per year, which applies to micro-organisations (fewer than 10 employees) and sole traders with a turnover below £632,000. This fee covers the full year and registration takes approximately 10 minutes on the ICO's website.
The exemption from the registration requirement applies only to processing that is carried out for purely personal or household purposes — for example, keeping your own address book at home. It does not apply to running a business, even if that business is small. If you are invoicing clients, managing bookings, or holding access codes as part of a commercial cleaning operation, you are processing data for business purposes and you need to register.
Check whether you need to register using the ICO's self-assessment tool at ico.org.uk/registration. The ICO publishes a public register of organisations that have paid the fee, which is searchable. Some commercial clients — particularly schools, landlords and facilities managers — check this register before awarding cleaning contracts.
Lawful basis for processing
Under UK GDPR, you must have a lawful basis for every type of personal data processing you carry out. There are six lawful bases in total. For cleaning businesses, three are primarily relevant:
- Contract — you need the data to perform a contract with the individual, or to take steps at their request before entering into a contract. This covers client name, address, contact details, access codes and service history — all the data you need to actually do the job.
- Legal obligation — you are required to process the data to comply with a legal requirement. This covers staff payroll records (HMRC obligations), right to work checks (Immigration Act 2014), and certain health and safety records.
- Legitimate interests — processing is necessary for your legitimate interests (or those of a third party), and those interests are not overridden by the individual's rights. This can cover marketing communications to past clients, and some operational data analytics. It requires a balancing test.
For marketing emails or SMS messages to existing clients about new services, you can rely on legitimate interests — but you must carry out and document a Legitimate Interests Assessment (LIA), and you must give clients an easy way to opt out. For marketing to people who have never bought from you, you will generally need consent under the Privacy and Electronic Communications Regulations (PECR) as well as UK GDPR.
The key discipline is to identify your lawful basis before you start processing, not retrospectively. The ICO's guidance is clear that you cannot switch between lawful bases after the fact.
What your privacy notice must cover
You are required under UK GDPR to provide individuals with a privacy notice — sometimes called a fair processing notice — that tells them what you do with their personal data. The notice must be provided at the point of data collection, or as soon as practicable thereafter. The legal requirement is that it covers:
- Who you are — your name and contact details as data controller (and your ICO registration number)
- What data you collect — the categories of personal data you hold about them
- Why you collect it — the purposes for which the data is processed
- Your lawful basis — which of the six lawful bases you are relying on for each purpose
- How long you keep it — your data retention periods, or the criteria used to determine them
- Who you share it with — any third parties who receive the data (accountants, payroll providers, insurance companies)
- Individuals' rights — the right to access their data, the right to rectification, the right to erasure, the right to restrict processing, and the right to complain to the ICO
The privacy notice does not need to be a lengthy legal document. A single-page notice on your website, or a short paragraph in your booking confirmation email, is entirely adequate for most cleaning businesses. The ICO provides a template tool at ico.org.uk that generates a compliant privacy notice in under 15 minutes.
For clients you already hold data about, you should provide your privacy notice as soon as reasonably practicable — typically by email or a note with the next invoice.
Data security obligations
UK GDPR requires you to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the data you hold. For a cleaning business, this translates into practical steps that are neither technically complex nor expensive:
- Device security — if you use a phone or tablet for client data, it must be protected by a passcode or biometric lock. If you use a shared device, consider whether client data should be accessible to everyone who uses it.
- Email and cloud storage — avoid storing client lists in unprotected spreadsheets in easily accessible cloud folders. Use folder-level or file-level password protection, or use a dedicated business management tool.
- Paper records — if you keep paper booking sheets, client cards or key logs, store them in a locked location. Dispose of them by shredding, not by putting them in the recycling bin.
- Key and access code storage — see the dedicated section below on key management. This is one of the most legally sensitive areas for cleaning businesses and warrants particular attention.
- Staff access — only staff who need access to specific client data to do their job should have access to it. A new member of staff cleaning one area of a client's home does not need access to the client's full account history.
If you experience a personal data breach — a security incident that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data — you must assess the risk. If the breach is likely to result in a risk to the rights and freedoms of individuals, you must notify the ICO within 72 hours of becoming aware of it. If the risk is high, you must also notify the affected individuals directly.
Examples of notifiable breaches for a cleaning business include: a client's key being stolen along with any information that identifies which property it belongs to; a phone containing an unencrypted client list being lost; or an email containing client addresses being sent to the wrong recipient.
Staff data obligations
If you employ or engage cleaners, your data obligations increase materially. Staff data is generally more sensitive than client data — it includes financial and identification information, and may include health data and criminal record information.
Key obligations for employee data under UK GDPR:
- NI numbers and bank details — process only for payroll purposes; store securely; do not share with third parties other than HMRC and your payroll provider
- Right to work documents — you are required by law to check and retain copies of right to work documents. Retain for the duration of employment plus 2 years after the employment ends
- DBS certificates — DBS certificate results are criminal record data, which is a special category under UK GDPR. You can only hold the result (satisfactory/unsatisfactory) and the date — not the full certificate. You should not photocopy or retain the certificate itself beyond the checking process
- Sickness and absence records — health information is special category data, requiring an additional condition for processing beyond the standard lawful basis. For employment purposes, the additional condition is typically "substantial public interest" or "employment, social security and social protection" under Schedule 1 of the Data Protection Act 2018
- Staff privacy notice — you must provide employees with their own privacy notice covering the data you hold about them as an employee, separate from any client-facing privacy notice
Retention periods for staff data: payroll records — 6 years from the end of the tax year they relate to (HMRC requirement); right to work documents — duration of employment plus 2 years; accident records — 3 years from the date of the incident for adults, longer for minors.
Key management and access codes
Holding a client's front door key or alarm code is one of the most legally sensitive responsibilities a cleaning business can take on. It sits at the intersection of data protection law, physical security, and your liability under contract. Getting it wrong has consequences that go beyond a regulatory fine.
The core data protection issue is that a key combined with an address becomes a security risk of a different order to either piece of information alone. A key by itself is useless without an address. An address by itself, without a key, gives no access. Together, they give a burglar everything they need. UK GDPR's requirement for appropriate security measures is particularly pointed when it comes to this combination.
Best practice for key and access code management:
- Separate key reference from address — use a coded reference system so that the key tag identifies the client by a code (e.g. "K-047") rather than by name or address. The code is only meaningful if someone also has access to the matching ledger.
- Encrypted digital storage for codes — alarm codes, keysafe combinations, and gate codes should be stored in an encrypted password manager or secure business management system, not in a plain text notes app or unprotected spreadsheet
- Physical key security — keys should be stored in a locked key cabinet, not in a desk drawer or kitchen cupboard. If keys are kept at a staff member's home, they should be in a locked box.
- Key log — maintain a written or digital record of which keys have been issued to which staff member, with date issued and date returned. This creates an audit trail if a key is lost.
- Key insurance — check whether your public liability insurance policy includes cover for key loss and lock replacement. If not, it is worth adding. The cost to a client of replacing door locks and reprogramming an alarm after a lost key can easily exceed £500.
- Client notification — tell clients in your privacy notice that you hold their access information and what security measures you have in place. This builds trust and satisfies your transparency obligations.
Some cleaning management software — including Cadi — stores access codes separately from client addresses by design, so that even a data breach exposing one part of the record does not automatically compromise the other. This is the kind of technical measure that UK GDPR contemplates when it talks about "data protection by design and by default".
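The split-storage design described in this section, as an added illustration rather than Cadi's or any product's code: client addresses, coded key tags and access codes live in separate stores, a key log records who holds which key, and a breach-impact check shows that exposing any single store does not tie a key or a code to a property. All names, tags and dates are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class KeyLedger:
    """Hypothetical split-storage ledger (constructed example, not Cadi's code).
    Each store is meant to live in a separately secured place; a single store
    on its own should never tie a physical key or a code to an address."""
    clients: dict = field(default_factory=dict)       # client id -> name, address
    key_tags: dict = field(default_factory=dict)      # key tag (e.g. "K-047") -> client id
    access_codes: dict = field(default_factory=dict)  # client id -> alarm/keysafe code
    key_log: list = field(default_factory=list)       # issue/return audit trail

    def add_client(self, client_id, name, address, key_tag, access_code=None):
        self.clients[client_id] = {"name": name, "address": address}
        self.key_tags[key_tag] = client_id  # the tag carries no name or address
        if access_code is not None:
            self.access_codes[client_id] = access_code

    def holder(self, key_tag):
        """Staff member currently holding the key, or None if it is in the cabinet."""
        for entry in self.key_log:
            if entry["tag"] == key_tag and entry["returned"] is None:
                return entry["staff"]
        return None

    def issue_key(self, key_tag, staff, on):
        if key_tag not in self.key_tags:
            raise KeyError(f"unknown key tag {key_tag}")
        if self.holder(key_tag) is not None:
            raise ValueError(f"{key_tag} is already issued to {self.holder(key_tag)}")
        self.key_log.append({"tag": key_tag, "staff": staff, "issued": on, "returned": None})

    def return_key(self, key_tag, on):
        for entry in self.key_log:
            if entry["tag"] == key_tag and entry["returned"] is None:
                entry["returned"] = on
                return
        raise ValueError(f"{key_tag} is not currently issued")

    def breach_impact(self, leaked_stores):
        """Which combinations become possible if the named stores are exposed.
        With only one store leaked, both answers should be False."""
        leaked = set(leaked_stores)
        return {
            "key_linked_to_address": {"key_tags", "clients"} <= leaked,
            "code_linked_to_address": {"access_codes", "clients"} <= leaked,
        }


def build_sample_ledger():
    """Constructed sample data for the example."""
    ledger = KeyLedger()
    ledger.add_client("c1", "A. Example", "1 Sample Street", "K-047", "1234")
    ledger.add_client("c2", "B. Example", "2 Sample Street", "K-048")
    ledger.issue_key("K-047", "Sam", date(2026, 1, 5))
    return ledger
```

Running `build_sample_ledger().breach_impact({"key_tags"})` shows a lost or photographed key tag on its own gives neither an address nor a code; only when the client store is exposed as well does the link exist.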
GDPR compliance checklist for cleaning businesses
Use this checklist as a starting point for getting your cleaning business into compliance. It is not exhaustive, but it covers the areas that matter most and are most commonly overlooked.
1. Register with the ICO if required. Use the ICO's self-assessment tool at ico.org.uk/registration to check whether you need to pay the data protection fee. For most cleaning businesses the fee is £40/year. Do this before anything else — it is a legal requirement and the fine for non-registration is up to £4,350.
2. Write a simple privacy notice. Use the ICO's template tool or draft your own. It needs to cover: who you are, what data you hold, why you hold it, your lawful basis, how long you keep it, who you share it with, and how individuals can exercise their rights. Publish it on your website and include a link or copy in your booking confirmation.
3. Audit what data you hold. Make a list of every category of personal data your business holds, where it is stored, and who has access to it. This includes data in your phone contacts, email, WhatsApp, spreadsheets, paper records, and any third-party software (booking systems, accounting software, payroll tools).
4. Check your lawful basis for each data type. For each category of data, identify which of the six lawful bases you are relying on. Client data for service delivery = contract. Payroll records = legal obligation. Marketing to past clients = legitimate interests (with an LIA). Marketing to new prospects = consent. Document this.
5. Secure your devices and storage. Enable passcode/biometric lock on all devices used for business. Move client data out of unprotected plain text files or spreadsheets. Implement a separate key reference system so key tags do not identify the property. Store paper records in a locked location and dispose of them by shredding.
6. Train any staff on data protection basics. Staff who handle client data need to understand what data they have access to, why it is confidential, and what to do if they think there has been a breach. This doesn't require a formal training course — a 20-minute briefing with a written record that it took place is adequate for most small cleaning businesses.
7. Set data retention periods. Decide how long you will keep different categories of data and stick to it. For client data: the duration of the contract plus a reasonable dispute-resolution period (often 6 years to align with the Limitation Act). For payroll records: 6 years. For right to work documents: employment plus 2 years. Delete or destroy data when the retention period expires.
8. Know how to handle a breach. If personal data is lost, stolen, or accidentally disclosed, assess the risk. If there is a risk to individuals' rights and freedoms, report to the ICO within 72 hours using the ICO's online portal. Keep a record of all breaches, even those you decide do not need to be reported — the ICO can ask to see your breach log.
Data types, lawful basis and retention at a glance
The table below summarises the main categories of personal data held by cleaning businesses, the appropriate lawful basis, suggested retention period, and key security requirement for each.
| Data type | Lawful basis | Retention period | Security requirement |
|---|---|---|---|
| Client name / address | Contract | Duration of contract + 6 years | Password-protected system; do not link to key reference |
| Client contact details | Contract | Duration of contract + 6 years | Device passcode; secure cloud storage; avoid unprotected spreadsheets |
| Key codes / access codes | Contract | Duration of contract; delete promptly on termination | Encrypted storage; separate from address; coded key labels |
| Staff NI / bank details | Legal obligation (payroll) | 6 years from end of tax year | Restricted access; encrypted storage; share only with HMRC / payroll provider |
| DBS certificates | Legal obligation / legitimate interests | Result only — do not retain certificate | Special category data — heightened security; record result only (satisfactory/unsatisfactory + date) |
| Payment records | Legal obligation (HMRC) / contract | 6 years from end of tax year | Secure accounting software; do not store raw card data |