
Everything you need to know about handling personal data responsibly. Without the legal jargon.
Every contract you send, every form someone fills in, every email you store. Personal data is at the heart of it all. Here's how to handle it right.
Whether you're a freelancer sending your first contract or a growing business managing hundreds of clients, GDPR applies to you. This guide cuts through the complexity to give you a clear, practical understanding of what personal data is, what the law requires, and how to stay on the right side of it.
What counts as personal data?
Personal data isn't limited to names and email addresses. Under GDPR, it's any information relating to an identified or identifiable living person, whether the identification is direct (a name) or indirect (a customer number, an IP address, or a combination of details that singles one person out). That's a much broader net than most people realise.
The test is simple: if someone could reasonably work out who the information refers to, on its own or combined with other information they are likely to have, it's personal data and the rules apply. Pseudonymised data (records keyed by a customer ID, for example) is still personal data for as long as the key exists somewhere.
Personal data is …
Personal data covers far more than a name. The main groups are:
Identity details: name, date of birth, national ID or passport number.
Contact information: email addresses, phone numbers, home or work addresses.
Financial data: bank account and payment card numbers, transaction history.
Digital identifiers: IP addresses, cookie IDs, device IDs, location data.
Media: photos, audio recordings and video footage in which a person can be recognised.
Special categories: health information, racial or ethnic origin, religious or philosophical beliefs, political opinions, trade union membership, sex life or sexual orientation, and genetic or biometric data used to identify someone. GDPR calls these "special categories of personal data" and prohibits processing them unless one of a narrow set of conditions applies, so they need extra care.

When to be extra careful
Personal data flows through everyday business activities more than most people notice. These are the moments that warrant extra attention:
Contracts and agreements: these routinely contain names, signatures, contact details, and sometimes financial terms. Think carefully about who can access them.
Sharing documents: before forwarding a contract or agreement, consider whether the recipient actually needs to see all the personal details it contains; redact or remove what they don't.
Storing data: don't retain personal data longer than necessary. Give each type of record a retention period, set expiry dates wherever your tools allow it, and review what you're holding regularly.
Using third-party tools: every service that processes or stores personal data on your behalf (for example, the tools you use to send or store contracts) is a processor. GDPR requires a written data processing agreement with each one, and your privacy policy must disclose them, at least by category of recipient. Check each tool's data processing terms, and where it stores the data.
Handling requests from individuals: people have legal rights over their data. Be ready to respond when someone asks to access, correct, or delete what you hold about them.
Your legal obligations under GDPR
If your business is established in the EU, or you offer goods or services to people in the EU or monitor their behaviour, you are legally bound by the General Data Protection Regulation (GDPR) whenever you process personal data. Non-compliance can result in significant fines. The core principles are straightforward:
Lawful purpose
Only collect data you have a clear, legitimate reason for. Under GDPR, you must identify a valid legal basis before processing any personal data, and be able to name it. The six bases are the person's consent, performance of a contract with them, a legal obligation, protecting someone's vital interests, a public task, and your legitimate interests, the last applying only where those interests are not overridden by the individual's interests and rights. Pick the basis before you collect, and record it: consent, for instance, must be freely given, specific, and as easy to withdraw as it was to give, so it is usually the wrong choice for data you need in order to perform a contract.
Accuracy
Keep data up to date and correct it when it's wrong. You are responsible for ensuring that the personal data you hold is accurate and, where necessary, kept current. Individuals also have the right to request corrections to inaccurate data you hold about them.
Security
Store data securely and protect it from unauthorised access, loss or misuse. This means appropriate technical and organisational measures, proportionate to the risk: encryption at rest and in transit, access controls so only the people who need a record can open it, pseudonymisation where a task doesn't need real identities, backups, and regular security reviews. If a personal data breach occurs, you must report it to the relevant supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to put the people affected at risk, and you must also tell those people directly when the risk to them is high. Keep a log of every breach, including the ones you decide not to report, and why.
Data minimisation
Collect only the personal data you actually need for your stated purpose (data minimisation), and don't keep it longer than that purpose requires (storage limitation). Don't hoard. A written retention policy that gives each category of record a retention period and a trigger for when the clock starts, plus a routine that deletes or anonymises records once the period has passed, keeps you compliant and shrinks the amount of data a breach could expose.
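The storage advice earlier ("set expiry dates wherever possible and review what you're holding regularly") and this principle are easier to honour when the retention policy is written down as data and applied by a script rather than remembered. The following is an added example, not code from the original article: it encodes a placeholder retention policy per record category, starts the retention clock for a contract only when the contract ends, never auto-deletes a record under legal hold, and escalates records whose category has no policy instead of guessing. The categories, periods, record layout and sample records are all assumptions for illustration.

```python
"""Retention-policy enforcement (added illustration, not the article's own code).

Assumptions, none of which come from the article: records are kept as Record
objects with a category, a creation date, an optional contract end date and a
legal-hold flag; the retention periods in RETENTION_DAYS are placeholders to be
replaced with the periods from your own written policy.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Placeholder policy: retention period in days, counted from the moment the
# retention clock starts for that category (see retention_start()).
RETENTION_DAYS = {
    "contract": 6 * 365,        # placeholder: e.g. limitation period for claims
    "invoice": 7 * 365,         # placeholder: e.g. tax record-keeping duty
    "marketing_lead": 365,      # placeholder: stale leads are purged after a year
}


@dataclass
class Record:
    record_id: str
    category: str
    created: date
    contract_ended: Optional[date] = None   # only meaningful for contracts
    legal_hold: bool = False                # litigation/regulator hold: never auto-delete


def retention_start(rec: Record) -> Optional[date]:
    """When the retention clock starts. For a contract that is when it ends,
    because you still need the document while the relationship is live; for
    everything else it is the creation date."""
    if rec.category == "contract":
        return rec.contract_ended     # None while the contract is still running
    return rec.created


def expiry_date(rec: Record) -> Optional[date]:
    """Last day the record may be kept, or None if the clock has not started
    or the category has no policy entry."""
    if rec.category not in RETENTION_DAYS:
        return None
    start = retention_start(rec)
    if start is None:
        return None
    return start + timedelta(days=RETENTION_DAYS[rec.category])


def classify(records, today: date):
    """Sort records into (to_delete, keep, unknown).

    unknown holds records whose category has no policy entry: the safe choice
    is to escalate those for a human decision rather than guess either way.
    """
    to_delete, keep, unknown = [], [], []
    for rec in records:
        if rec.category not in RETENTION_DAYS:
            unknown.append(rec.record_id)
            continue
        exp = expiry_date(rec)
        if rec.legal_hold or exp is None or today <= exp:
            keep.append(rec.record_id)
        else:
            to_delete.append(rec.record_id)
    return to_delete, keep, unknown


def expiry_table(records):
    """Review view for the periodic audit: record id -> ISO expiry date, or
    None where the clock hasn't started or no policy exists."""
    table = {}
    for rec in records:
        exp = expiry_date(rec)
        table[rec.record_id] = exp.isoformat() if exp else None
    return table


# Constructed sample data for the run below (not real records).
SAMPLE_RECORDS = [
    Record("C-100", "contract", date(2015, 1, 10), contract_ended=date(2017, 3, 1)),
    Record("C-101", "contract", date(2023, 1, 1)),                      # still running
    Record("C-102", "contract", date(2010, 5, 5), date(2016, 1, 1), legal_hold=True),
    Record("I-200", "invoice", date(2016, 5, 1)),
    Record("L-300", "marketing_lead", date(2023, 9, 1)),
    Record("X-400", "photo", date(2012, 2, 2)),                         # no policy entry
]


def sample_report(today: date = date(2024, 6, 1)):
    """Run the policy over the constructed sample at a fixed 'today'."""
    return classify(SAMPLE_RECORDS, today)


def sample_expiry_table():
    return expiry_table(SAMPLE_RECORDS)


if __name__ == "__main__":
    to_delete, keep, unknown = sample_report()
    print("delete:", to_delete)
    print("keep:", keep)
    print("needs a policy decision:", unknown)
    print("expiry dates:", sample_expiry_table())
```

Run it on a schedule (monthly is a common choice) and feed the delete list to whatever actually removes or anonymises the records; the expiry table doubles as the "review what you're holding" report, and anything in the unknown list means a record type exists that your written policy has never addressed.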
Transparency
Tell people how you use their data. Clearly, in your privacy policy. Individuals have the right to know what data you collect, why you collect it, how long you keep it, and who you share it with. Your privacy policy should be written in plain language and easy to find.
Individual rights you must respect
Under GDPR, the people whose data you collect, known as data subjects, have legally protected rights. You need a process for recognising these requests (they can arrive through any channel, including a plain email), verifying that the requester is who they claim to be, and responding, normally within one month of receipt:
Right of access: anyone can request a copy of the data you hold about them, together with why you hold it, who you share it with and how long you keep it. The first copy must normally be provided free of charge.
Right to rectification: if their data is inaccurate, they can ask you to correct it.
Right to erasure: also known as "the right to be forgotten." They can ask you to delete their data. This right is not absolute: you may keep what you still need to perform a contract or meet a legal obligation, such as invoices you are required to retain for tax purposes, but you must tell them what you are keeping and why.
Right to restriction: they can ask you to limit how you use their data in certain circumstances.
Right to data portability: for data they gave you that you process electronically on the basis of consent or a contract, they can request it in a structured, commonly used, machine-readable format (CSV or JSON, for instance) so they can take it elsewhere.
Right to object: they can object to processing based on your legitimate interests, and to direct marketing, which you must stop on request without exception.
Why it matters for your business
GDPR compliance isn't just about avoiding fines, though for the most serious infringements those can reach €20 million or 4% of annual global turnover, whichever is higher. More fundamentally, handling personal data responsibly builds trust with your clients and partners. It signals that you take their privacy seriously.
In a world where data breaches make headlines and customers are increasingly aware of their rights, solid data-handling practice is a genuine competitive advantage, not just a legal checkbox.
Also, make sure any tools you use to process contracts or personal data are covered by a signed Data Processing Agreement (DPA), which GDPR requires with every processor acting on your behalf, and that they are disclosed in your privacy policy. Ask your providers for their DPAs if you don't already have them on file, and check where they store and transfer the data.
Disclaimer: This article is provided for general guidance and informational purposes only. It does not constitute legal advice. You should consult with a qualified legal professional to ensure your privacy policy and contracts meet your specific legal and regulatory requirements.