You're holding renters' ID and licence data. Here's what UK GDPR expects
A small hire firm is a data controller, camera roll and all. The rules are simpler than they sound, and most of them are just good hygiene.
- A three-car hire firm is a data controller. There is no small-business exemption.
- You rarely need consent: the hire contract and fraud prevention are your lawful bases. Tell people what you keep.
- Set a retention rule in months, not forever, and keep records somewhere with a login, not your camera roll.
- Most small controllers owe the ICO's £40-tier fee, and any renter can demand a copy of everything you hold.
Scroll back through your camera roll. Licence photos from hires you did two years ago. A passport in your downloads folder. A WhatsApp thread where somebody sent a selfie holding their ID. If you run a small hire operation, some version of that archive exists, and UK GDPR has opinions about it.
To be clear once, up front: this is practical hygiene, not legal advice. The ICO's own small-business guidance is readable and free, and for anything contested you want a professional. What follows is the plain-English version of what the law expects from an operator like you, and none of it is difficult.
You are a data controller. There is no small-business pass.
A data controller is anyone who decides why and how personal data gets processed. You collect renters' details, decide what to keep, and decide what to do with it, so that is you, even as a sole trader with three cars and an Instagram page. UK GDPR scales some expectations with size, but it does not exempt you, and the ICO regulates one-person firms as well as airlines.
What counts as personal data here
More than you would guess:
- ID and licence photos, and passport copies.
- Driving licence numbers and DVLA check results, including points and endorsements.
- Names, addresses, dates of birth, phone numbers, and payment details.
- Condition photos with people in them: a renter in shot, a face in a windscreen reflection. Still personal data.
The licence data deserves respect. A licence photo carries enough to open accounts and pass checks in someone else's name, which is exactly why fraud runs on stolen copies of it.
The basics, in plain English
Have a lawful basis. You do not need consent for most of this, and consent would be the wrong tool anyway. Checking identity and the licence, and holding the signed agreement, is processing necessary for the hire contract. Keeping evidence to prevent fraud and defend disputes is a legitimate interest. What you do need is to know which basis covers what, so you can say it if asked.
Tell people what you keep. A short line in the booking chat, "we verify your ID and licence and keep the hire record for X months, here's our privacy page", beats silence by a distance. If you have a website, a plain privacy page belongs on it. Nobody expects a small operator to write like a law firm. They do expect you not to collect in secret.
Keep only what you need. Do you need a full-resolution copy of the licence forever, or the fact that it was checked and passed on a date? For most hires the check result and the signed agreement carry the weight, not the raw document.
Keep it only as long as you need it. There is a genuine reason to retain hire records: damage claims and disputes surface late. So set a retention rule that reflects that, months and a review, not "forever by default", write it down, and actually delete when the clock runs out.
Keep it somewhere safer than your camera roll. A phone gallery syncs to personal cloud accounts, backs itself up to devices your family uses, and has no access control. A WhatsApp thread is worse: it lives on two phones, one of which is not yours. Hire records belong somewhere with a login, organised by booking, not scattered between apps built for holiday photos.
The £40 the ICO expects
Most businesses that process personal data must pay the ICO's data protection fee. For the smallest firms it is the lowest tier, £40 a year, less with direct debit, and registration takes a few minutes online. Not paying it is enforceable with penalties, and it is the first thing that gets checked if a renter ever complains about you. For a hire operation holding ID documents, skipping registration is a strange £40 to save.
The subject access request
Any renter can ask you for a copy of everything you hold about them. It is called a subject access request, it is free for them, and you normally have a month to answer. If your records are spread across a camera roll, three chat threads, and a notebook, that month will be a bad one. If every hire is one record tied to one booking, it is an email. The same organisation that wins you damage disputes makes this a non-event.
The camera-roll problem, specifically
The habit worth breaking is hoarding licence photos in your gallery indefinitely. It fails every test at once: a sensitive document, no retention rule, synced to accounts you do not think of as business systems, in your pocket in every pub. Lose the phone, or a cloud account, and you are looking at a data breach involving identity documents, which can be the kind you have to report. Delete the archive you do not need. Move what you do need into something with a lock on it.
The compliant default
KeyProof was built data-protection-first, because the founding problem was operators holding proof without hoarding documents. The renter verifies through one link, and what lands on your side is the outcome: identity verified, licence checked, agreement signed, condition and deposit logged, tied to the booking and retained on rules rather than forever. You get the record that defends you, without a camera roll full of other people's ID. For a small operator, that is what compliant looks like by default. See how it works.
KeyProof turns this into one link. Verified ID, a DVLA licence check, an e-signed agreement, condition photos, and the deposit, captured to one record at every handover.