GDPR for Repair Shops: How to Handle Customer Data Without Getting Fined

By Sajad, Co-founder at cellbot — 25 years in the tech repair industry

Published: 15 July 2025

Right now, somewhere in a repair shop, there's a phone on a technician's bench. On that phone: family photos, WhatsApp messages, banking apps, medical records, passwords saved in the browser, and a camera roll that tells the story of someone's entire life. The customer handed it over because their screen cracked. They trusted you to fix the glass — not to become a custodian of their most private information.

GDPR makes that custodianship legally binding.

I've spent 25 years in the tech repair industry, most of it running CellTech in Birmingham. When GDPR came into force in May 2018, half the shops I knew either panicked or ignored it entirely. Neither response was right. GDPR for repair shops isn't about drowning in legal paperwork. It's about building the kind of trust that turns one-time customers into regulars — and avoiding the kind of complaint that can shut you down.

Key Takeaways

Repair shops occupy a dual role under GDPR: data controller (customer details you collect) and data processor (device content you incidentally access) — this dual framing is what makes repair shops unique

You need a privacy policy, GDPR-compliant intake forms with separate consent for marketing, and a data retention policy

Device data — photos, messages, contacts — is personal data under GDPR even if you never intentionally access it

The ICO fined a Berkshire car dealership £60,000 in 2023 for a data breach involving customer records stored insecurely — small businesses handling customer property are not exempt

A data breach involving a customer's device can trigger ICO enforcement

The Dual Role: Why Repair Shops Are Unique Under GDPR

When a customer books a repair — name, phone number, email, device model — you're a data controller, deciding what data to collect and why. That's straightforward.

But when that phone lands on your bench, you become something else: a data processor for someone else's personal data. The customer's contacts, messages, photos, and app data weren't shared with you intentionally. You didn't ask for them. But you have access during the repair, which creates obligations under UK GDPR regardless of whether you ever actually look at them.

This dual role is where most repair shops get confused — and where the ICO's expectations diverge from what a normal small business faces. A coffee shop is just a data controller. A repair shop is both.

Understanding this distinction shapes everything else: your privacy policy, your staff training, your intake forms, and your breach response procedures.

The 7 Things Every Repair Shop Must Do

1. Have a Privacy Policy That Actually Says Something

Your privacy policy must be accessible: link on your website footer, QR code in your shop, or a physical copy at the counter. It needs to cover:

What data you collect (contact details, device information, repair history)

Why you collect it (to carry out the repair, communicate, process payment)

Your lawful basis (legitimate interest for the repair, consent for marketing)

How long you keep records

Whether you share data with third parties (couriers, parts suppliers, payment processors)

Customer rights (access, deletion, correction, objection)

How to complain (including the ICO's contact details)

Write this yourself rather than using a template. At CellTech, I spent an afternoon writing ours in plain English. It took about two hours and covered everything because I actually knew what we did with customer data. A template would have either under-covered or over-covered our actual practices.

2. Build Consent Into Your Intake Form

Your intake form is your frontline GDPR document. It should include:

A clear description of what data you're collecting and why

A tick box (not pre-ticked) confirming consent to store their details

A separate, optional tick box for marketing communications

A reference to your privacy policy

Critically, consent for the repair and consent for marketing must be separate. You can legitimately use someone's contact details to communicate about their repair without marketing consent. But promotional texts require a separate opt-in. Our customer communications guide covers how to structure these channels compliantly.

3. Only Collect What You Actually Need

Data minimisation is a core GDPR principle. If you don't need a customer's date of birth to fix their cracked screen, don't ask for it.

At CellTech, I audited our intake form in 2018 and removed three fields: home address (we only did walk-ins and never did collections), date of birth (no justification), and "How did you hear about us?" (marketing data that belonged on a separate optional form, not the GDPR-triggering intake form). Fewer fields meant faster intake, less liability, and cleaner compliance.

4. Store Customer Data Securely

"Appropriate" security for a repair shop means:

Customer data in a system with password protection, not a shared Excel file

Your business PC locked when unattended

Wi-Fi separated from any customer-facing network

Regular backups stored securely

Individual staff logins, not a shared password

5. Honour Deletion Requests

You must comply with a valid deletion request within one month. In practice, most customers never ask. But when they do:

Know where all their data lives (CRM, tickets, invoices, email, marketing lists)

Delete or anonymise it within the deadline

Confirm to the customer

Financial records need six-year HMRC retention, but personal identifiers can be stripped from those.

6. Know What to Do If You Have a Data Breach

A breach isn't just getting hacked. It includes:

A laptop with customer data being stolen

Accidentally emailing a customer's details to the wrong person

A staff member accessing data they had no reason to see

Losing a USB drive with customer records

In 2023, the ICO fined a Berkshire motor dealership £60,000 after customer records — including financial details — were found dumped in publicly accessible bins (ICO enforcement notice, 2023). The dealership argued they'd outsourced document destruction. The ICO's position: you're the data controller, the responsibility is yours regardless of who you hired to destroy the records.

For repair shops, the lesson is direct: if a technician takes photos of a customer's personal data from their device, or if your unencrypted laptop is stolen from the shop, the 72-hour ICO reporting clock starts ticking.

7. Train Your Staff

The ICO has prosecuted individuals, not just businesses, for GDPR violations. A technician who screenshots interesting content on a customer's phone and shares it in a WhatsApp group has committed a criminal offence under Section 170 of the Data Protection Act 2018. They might not know that.

Staff training doesn't need to be elaborate: a one-page policy, a conversation at onboarding, and annual refreshers, all covering four rules:

Never access device content beyond what the repair requires

Never photograph or share customer data

Recognise and report potential breaches

Never give customer information to anyone who calls or walks in asking for it

How to Implement This in Your Shop

Digital intake forms with consent checkbox. Paper forms get lost and are hard to search. Digital forms create an automatic audit trail with timestamps.

A proper customer database, not a spreadsheet. Excel has no access controls, no audit logs, no retention enforcement, and no deletion workflow.

A device handling policy your technicians follow. One page: technicians access device content only to the extent necessary for the repair. Navigating a photo library to diagnose a camera fault is within scope. Browsing messages is not.

A data retention policy. Industry standard is 12-24 months for repair records, after which they're deleted or anonymised. Financial records: six years (HMRC). At CellTech, we settled on 18 months for repair data — long enough for warranty disputes, short enough to stay compliant.
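As an added example (not from the article or from CellTech), here is a small Python job that enforces the retention policy above and handles the deletion requests described in section 5 across every store the customer appears in: repair tickets are anonymised after 18 months, invoices are kept for the six-year HMRC period with personal identifiers stripped, and an audit log records what the run did. The store names, record layouts and customer records are constructed for this example.

```python
from datetime import date

# Added example; the record layouts and customers below are constructed, not real data.
REPAIR_RETENTION_MONTHS = 18       # the article's own choice for repair records
FINANCE_RETENTION_MONTHS = 6 * 12  # HMRC: six years for financial records
PII_FIELDS = ("customer_id", "name", "phone", "email")  # stripped when anonymising

def months_ago(today, n):
    """First day of the calendar month n months before today."""
    y, m = divmod(today.year * 12 + today.month - 1 - n, 12)
    return date(y, m + 1, 1)

def anonymise(record):
    """Keep device, dates and amounts; remove everything that identifies the person."""
    return {k: ("[removed]" if k in PII_FIELDS else v) for k, v in record.items()}

def enforce_retention(stores, today):
    """Nightly job: anonymise tickets past 18 months, delete invoices past six years.
    Returns (new_stores, audit_log) so the run itself is evidenced."""
    repair_cutoff = months_ago(today, REPAIR_RETENTION_MONTHS)
    finance_cutoff = months_ago(today, FINANCE_RETENTION_MONTHS)
    new, log = dict(stores), []
    # Skip tickets already anonymised so a re-run does not log them again.
    expired = [t for t in stores["tickets"] if t["closed_on"] < repair_cutoff and t["name"] != "[removed]"]
    new["tickets"] = [anonymise(t) if t in expired else t for t in stores["tickets"]]
    log += [f"anonymised ticket {t['id']}" for t in expired]
    new["invoices"] = [i for i in stores["invoices"] if i["issued_on"] >= finance_cutoff]
    log += [f"deleted invoice {i['id']}" for i in stores["invoices"] if i["issued_on"] < finance_cutoff]
    return new, log

def erase_customer(customer_id, stores):
    """Deletion request: purge the customer from every store; invoices must survive
    for HMRC, so they are anonymised instead. `touched` feeds the confirmation letter."""
    new, touched = {}, []
    for name, records in stores.items():
        if any(r["customer_id"] == customer_id for r in records):
            touched.append(name)
        if name == "invoices":
            new[name] = [anonymise(r) if r["customer_id"] == customer_id else r for r in records]
        else:
            new[name] = [r for r in records if r["customer_id"] != customer_id]
    return new, touched

TODAY = date(2025, 7, 15)  # constructed: C1's ticket is past 18 months, invoice I0 past six years
STORES = {
    "tickets": [{"id": "T1", "customer_id": "C1", "name": "A. Customer", "phone": "07700 900001",
                 "email": "a@example.com", "device": "iPhone 12", "closed_on": date(2023, 11, 2)}],
    "invoices": [{"id": "I0", "customer_id": "C0", "name": "Z. Customer", "amount": 45.0,
                  "issued_on": date(2018, 3, 1)},
                 {"id": "I1", "customer_id": "C1", "name": "A. Customer", "amount": 89.0,
                  "issued_on": date(2023, 11, 2)}],
    "marketing": [{"customer_id": "C1", "email": "a@example.com"}],
}
```

The audit log returned by `enforce_retention` is what you would keep as evidence that the retention policy is actually enforced, and the `touched` list from `erase_customer` tells you which systems to name when you confirm the deletion to the customer.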

Common GDPR Mistakes I've Seen

WhatsApp customer groups. A lot of shops run these. WhatsApp's servers are in the US, customer names and numbers are visible to everyone, and there's no consent mechanism.

Unsecured spreadsheets. The customer database in an Excel file that every staff member — and sometimes delivery drivers — has access to. This is the most common data security failure in small repair shops.

Keeping data forever "just in case." Records from 2017 still in the system because "they might need warranty support" for a phone that's been in landfill for four years.

Staff sharing device content. Criminal, not just regulatory. I've heard stories about technicians sharing screenshots of customers' private photos. That's a Section 170 DPA offence.

No breach response plan. Most small shops don't know what they'd do if their system was compromised. The 72-hour ICO reporting deadline sounds reasonable until it's 2am on a Sunday and your laptop was taken in a break-in.

What Happens If You Get It Wrong?

The ICO can issue fines up to £17.5 million or 4% of annual turnover. In practice, fines for small businesses without previous violations tend to be in the thousands, not millions.

The ICO doesn't typically come knocking unprompted. They respond to complaints. A customer files a complaint, the ICO investigates, and you demonstrate what measures you had in place.

The more serious risk for a repair shop is reputational. A customer who posts on Google that you "looked through their phone" can do enormous damage to a local business. Even if the allegation isn't fair, the suspicion deters customers. GDPR compliance is, ultimately, a trust exercise.

Quick Self-Assessment

If you're reading this and thinking "we're probably not compliant":

Do you have a privacy policy that describes your actual practices? (Yes / No)

Do you capture documented consent at intake for every customer? (Yes / No)

Is your customer database stored securely with access controls? (Yes / No)

Do you have a data retention policy and enforce it? (Yes / No)

Do you know what you'd do if you had a data breach tonight? (Yes / No)

Have you briefed your staff on basic GDPR obligations? (Yes / No)

If you answered No to more than two, start with the intake form and the privacy policy — those are the most visible to customers and the most likely subjects of a complaint.

Frequently Asked Questions

Do small repair shops have to comply with GDPR?

Yes. UK GDPR applies regardless of size. There is no small business exemption. The ICO expects proportionate compliance, but the legal obligations are the same for a one-person shop as for a chain.

Do I need to register with the ICO?

Most businesses must pay the ICO's data protection fee, starting at £40/year. The ICO actively pursues unpaid fees. Check their self-assessment tool at ico.org.uk.

What should I do if a customer asks to see all the data I hold on them?

Respond to the Subject Access Request within one month at no charge. Provide all personal data you hold, an explanation of why you hold it, and information about their rights.

Can I use contact details to send marketing messages?

Not without specific, separate marketing consent. You can contact a customer about their repair, but promotional messages require an explicit opt-in.

What if a customer's data is on the device I'm repairing?

You are incidentally processing that data. Document this in your privacy policy, train staff not to access content beyond what the repair requires, and don't retain copies.

How long should I keep repair records?

Industry practice: 12-24 months for repair records, six years for financial records (HMRC). State your retention period in your privacy policy and enforce it consistently.

Do I need a Data Processing Agreement with my software provider?

Yes. Under Article 28 of UK GDPR, any third party processing customer data on your behalf requires a written DPA. If a provider refuses to sign one, find a different provider.

The Bottom Line

GDPR compliance isn't a one-time project. It's an ongoing commitment to handling your customers' data with the same care you'd want your own data handled.

The repair shop industry is built on trust. Customers hand over devices containing more intimate data than most people's homes. GDPR formalises that trust into legal obligations — most of which are just good business practice with paperwork attached.

Start with the basics: register with the ICO, create a real privacy policy, build consent into your intake, move customer data to a secure system, and brief your staff.
