Skip to content

What Limits Does the GDPR Place on My Company Collecting Customer Data in England? 

Table of Contents

As a business owner, you must ensure that your company handles sensitive information, including consumer data, safely and securely. This is important from a customer service perspective. Additionally, it is a requirement of the General Data Protection Regulation (GDPR). It is essential that your company fully complies with the GDPR due to the powers given to the Information Commissioner’s Office (ICO) to issue fines of up to £17.5m to businesses that fail to do so. This article will explore the limits the GDPR establishes on customer data collection in England to help your business avoid hefty fines from the ICO.

What Limits Does the GDPR Place Upon My Company’s Collection of Customer Data?

The GDPR attaches great importance to customer information. In particular, the GDPR sets rules regarding pieces of personal information that can identify the customer, such as their: 

  • name; 
  • address; or 
  • telephone number.

Some of the main rules set by the GDPR regarding customer data include:

  • your organisation must only keep customer data for as long as reasonably necessary;
  • you must ensure your company handles all customer data openly and transparently; and
  • your business must ensure that it does not collect information that is irrelevant, excessive or outside the purpose given to the customer.

Let us explore each of these limits in turn below.

1. Only Store Customer Data Whilst it Remains Useful

The GDPR and ICO require your business to only keep information for as long as it is practical. This means that your organisation should delete any customer data which no longer serves a useful purpose.

So let us quickly consider two similar scenarios below:

  • a customer orders one item from your website two years ago and, in the process, clicks ‘yes’ to a question about wishing to be subscribed to your email newsletter; and
  • a customer orders one item from your website two years ago but clicks ‘no’ to the question about email newsletter subscription.

In the first scenario, the customer’s email address remains useful information because the individual asks your company to continuously send them an email newsletter until any date upon which they unsubscribe.

However, in the second scenario, it is questionable whether you need to keep the email address of a one-off customer from two years ago who has no interest in email correspondence. Your business should assess whether to delete the data within its next data audit.

Continue reading this article below the form
Need legal advice?
Call 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.

2. Handle All Customer Data Openly and Transparently

It is important to inform customers of your responsibilities and intentions regarding their information. Many businesses do so through a Data Privacy Policy (or similar), which can live on the company website. 

The GDPR makes clear that an individual should be made aware, in advance, of any scenario in which you may disclose their data to other parties or agencies. You may have noted that some organisations provide you with a booklet or PDF file explaining the situations in which they will pass your information to others. An actual life situation in England is with car insurance providers, who routinely inform potential and existing customers that they may send their details to a central register or fraud agencies to guard against insurance fraud.

3. Avoid Collecting Irrelevant or Excessive Information

One of the ICO’s main concerns involves businesses collecting irrelevant or excessive information. Instead, the ICO expects organisations to sieve such data and only record information allowing the parties to conduct business with each other.

For example, suppose a customer enters a shop to purchase milk. The ICO would disapprove if the cashier attempts to record their full name, postal address and phone number. This is because it is irrelevant to the transactional relationship.

In contrast, if an individual enters a bank to open a new bank account, the need for accurate ID would warrant collecting their full name, address, driving licence, and passport details. This is because all this information is relevant to confirming the individual’s identity. In this way, the GDPR and ICO focus on an actual need for information rather than setting hard lines. In reality, this means that your business must be able to provide reasoning for collecting certain types of personal data. Additionally, you must demonstrate that you do not breach the GDPR’s collection terms. 

Key Takeaways

It is wise for your company to limit the amount of customer data in its possession. Doing so limits the risk of non-compliance with the GDPR whilst also lowering the risk of a hefty ICO fine in the event of a cyber attack (because less customer information is at risk of theft).  From a financial standpoint, storing a lower amount of customer data also makes sense because it can help limit the cost of any digital storage devices (or the cost of online cloud storage).

If you need help ensuring your business collects and stores customer data in line with the GDPR, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page

Frequently Asked Questions

What is the maximum level of fine from the ICO?

The ICO has the power to enforce fines of up to £17.5m against businesses in England. However, this is a ceiling and, realistically, penalties in the millions of pounds are relatively rare. In saying this, it is not uncommon for the ICO to hand out fines in the tens of thousands of pounds, so your business still needs to take heed of them and the relevant GDPR rules.

Why does the GDPR protect consumer privacy to such a high degree?

Because the GDPR (and, by extension, the ICO) believes that personally identifiable information (data that can identify an individual) is worth enhanced protection. Your organisation should take every reasonable step to protect this sensitive data.

Register for our free webinars

Preparing Your Business For Success in 2025

Online
Ensure your business gets off to a successful start in 2025. Register for our free webinar.
Register Now

2025 Employment Law Changes: What Businesses Should Know

Online
Ensure your business stays ahead of 2025 employment law changes. Register for our free webinar today.
Register Now

Buying a Tech or Online Business: What You Should Know

Online
Learn how to get the best deal when buying a tech or online business. Register for our free webinar.
Register Now

How the New Digital and Consumer Laws Impact Your Business

Online
Understand how the new digital and consumer laws affect your business. Register for our free webinar.
Register Now
See more webinars >
Thomas Sutherland

Thomas Sutherland

Read all articles by Thomas

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

We’re an award-winning law firm

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2023 Economic Innovator of the Year Finalist - The Spectator

  • Award

    2023 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2023 Future of Legal Services Innovation - Legal Innovation Awards