Personal Data Categories By Business Activity In The United Kingdom
This dataset helps you understand which types of personal data may be processed across common business activities, making it easier to assess privacy obligations and improve documentation. It is especially useful when creating or reviewing an AI Generated British Privacy Policy.
Processing Activity | Personal Data Examples | Data Sensitivity Level | Processing Purpose | Disclosure Notes |
|---|---|---|---|---|
Account management | ||||
Customer account registration | Name, email address, password, username, phone number | Medium | Create and manage user accounts | Explain account creation, authentication, required fields, and use of identity or hosting providers. |
Customer profile management | Profile name, contact details, preferences, saved addresses, account settings | Medium | Personalise and administer customer accounts | Describe editable profile data, personalisation use, and service provider access. |
Account management, Security | ||||
Login authentication | Email address, password hash, login time, IP address, device data | Medium | Verify user identity and protect accounts | Explain authentication logs, password security, and anti-abuse monitoring. |
Password reset | Email address, reset token, IP address, time stamp | Medium | Restore account access securely | State that reset links and security logs are used to prevent unauthorised access. |
Multi-factor authentication | Phone number, authenticator identifier, device ID, verification codes | Medium | Add account security verification | Identify MFA providers and explain use of phone or device data for verification. |
Account management, Orders and payments | ||||
Subscription management | Name, email, plan type, renewal date, billing status | Medium | Administer paid or recurring services | Explain renewals, cancellations, billing communications, and payment platform sharing. |
Account management | ||||
Preference centre management | Communication preferences, topic interests, consent records, opt-out status | Low | Record user choices and consent preferences | Explain preference recording and sharing with email or CRM platforms. |
Customer support | ||||
Customer support enquiries | Name, email, account ID, enquiry content, support history | Medium | Respond to customer questions and issues | Describe helpdesk systems, internal access, and retention of support correspondence. |
Live chat support | Chat messages, name, email, IP address, browser data | Medium | Provide real-time customer assistance | Name chat providers and state whether transcripts are stored or reviewed. |
Telephone support | Phone number, call notes, account details, issue description | Medium | Handle support calls and follow-ups | Explain call handling, notes, telephony providers, and any call recording. |
Customer support, Security, Legal administration | ||||
Call recording | Voice recording, phone number, call time, call content | High | Quality monitoring, training, dispute evidence | Disclose recording purposes, retention, access controls, and how callers are notified. |
Customer support, Legal administration | ||||
Complaints handling | Complainant details, complaint content, evidence, correspondence | High | Investigate and resolve complaints | Explain escalation, professional adviser access, and disclosure to regulators if required. |
Customer support, Service delivery | ||||
Product feedback surveys | Name, email, ratings, comments, usage opinions | Low | Improve products and customer experience | State whether feedback is anonymous, published, or shared with survey providers. |
Orders and payments | ||||
Online orders | Name, email, delivery address, order items, order number | Medium | Process and fulfil customer orders | Explain order processing, confirmation emails, fulfilment partners, and retention for records. |
Payment processing | Billing name, billing address, payment token, transaction ID, card last four digits | High | Take and verify customer payments | Identify payment processors and avoid implying full card data is stored unless true. |
Orders and payments, Legal administration | ||||
Invoicing | Name, business name, billing address, VAT number, transaction details | Medium | Issue invoices and keep tax records | Explain accounting records, tax compliance, accountants, and HMRC disclosure where required. |
Orders and payments, Customer support | ||||
Refunds and returns | Order number, payment reference, return reason, address, correspondence | Medium | Process refunds, exchanges, and returns | Describe sharing with payment processors, couriers, and customer support teams. |
Orders and payments, Service delivery | ||||
Delivery and shipping | Recipient name, postal address, phone number, delivery instructions | Medium | Deliver goods or service materials | Identify courier or fulfilment sharing and any delivery tracking communications. |
Orders and payments, Security, Legal administration | ||||
Fraud screening | Name, address, payment data, IP address, device data, risk scores | High | Detect and prevent fraud | Explain fraud checks, automated scoring if used, and sharing with fraud prevention agencies. |
Orders and payments, Legal administration | ||||
Debt recovery | Contact details, unpaid balances, invoices, payment history, correspondence | High | Recover unpaid amounts | Disclose sharing with debt collection agencies, solicitors, courts, or credit reference agencies if applicable. |
Service delivery | ||||
Service onboarding | Name, email, role, organisation, onboarding responses | Medium | Set up access and configure services | Explain onboarding forms, access setup, and use of project or CRM tools. |
Service delivery, Legal administration | ||||
Contract performance | Contact details, service requirements, correspondence, deliverables | Medium | Provide contracted services | Link data use to service provision and identify subcontractors or platform providers. |
Service delivery, Customer support | ||||
Appointment booking | Name, email, phone number, appointment time, booking notes | Medium | Schedule and manage appointments | Disclose booking platforms, reminders, cancellation handling, and calendar integrations. |
Service delivery | ||||
Document generation services | Questionnaire answers, names, addresses, business details, document content | High | Generate requested legal or business documents | Explain user input processing, AI or automation use, storage, and confidentiality safeguards. |
Service delivery, Security | ||||
AI prompt processing | Prompt text, uploaded content, user ID, generated outputs, usage logs | High | Provide AI-assisted outputs and monitor misuse | Disclose AI providers, whether prompts are retained or used for training, and user precautions. |
Service delivery, Account management | ||||
Service usage analytics | User ID, feature use, session events, device data, timestamps | Medium | Measure and improve service performance | Explain analytics tools, pseudonymisation, cookie use, and opt-out choices where available. |
Account management | ||||
Email marketing | Email address, name, marketing preferences, engagement data | Medium | Send promotional or informational emails | Explain consent or soft opt-in, unsubscribe links, and email platform tracking. |
SMS marketing | Mobile number, name, opt-in status, message history | Medium | Send promotional text messages | State consent basis, opt-out method, message providers, and frequency expectations. |
Customer support, Service delivery | ||||
Website contact forms | Name, email, phone number, message content, IP address | Medium | Receive and respond to enquiries | Explain routing to CRM, email, spam filtering, and response handling. |
Recruitment | ||||
Recruitment applications | CV, cover letter, contact details, employment history, qualifications | High | Assess suitability for roles | Explain applicant tracking systems, hiring manager access, and unsuccessful applicant retention. |
Interview scheduling | Name, email, phone number, availability, interview notes | Medium | Arrange and conduct interviews | Mention calendar tools, interview panels, video platforms, and recording if used. |
Recruitment, Legal administration | ||||
Right to work checks | Passport details, immigration status, date of birth, share code, copies of documents | High | Verify legal right to work in the UK | Explain statutory checks, document retention, and possible Home Office verification. |
Recruitment | ||||
Employment references | Referee contact details, role history, performance comments, dates of employment | High | Verify candidate background and experience | State when references are sought, who is contacted, and how reference data is used. |
Recruitment, Legal administration | ||||
Criminal record checks | Identity details, DBS certificate information, criminal offence data | High | Assess role suitability and safeguarding risk | Disclose DBS checks only where relevant, lawful basis, access restrictions, and retention limits. |
Equality monitoring in recruitment | Age range, sex, ethnicity, disability status, religion, sexual orientation | High | Monitor equal opportunities | Explain voluntary collection, separation from selection decisions, and aggregated reporting. |
Events | ||||
Event registration | Name, email, organisation, ticket type, attendance preferences | Medium | Register attendees and manage event access | Name ticketing platforms and explain attendee communications and badge details. |
Event dietary requirements | Dietary needs, allergy information, accessibility requests, attendee name | High | Provide safe and accessible event arrangements | Warn that some dietary or accessibility data may reveal health or religious information. |
Event photography | Images, video, name tags, speaker details, audience participation | Medium | Record and promote events | Explain photography notices, publication channels, opt-out zones, and consent for close-up promotional use. |
Events, Service delivery | ||||
Webinar hosting | Name, email, attendee logs, questions, chat messages, recording | Medium | Deliver online events and training | Identify webinar platforms and state whether recordings, chats, and attendance reports are retained. |
Security, Events | ||||
Premises visitor logs | Visitor name, organisation, host, arrival time, departure time, vehicle registration | Medium | Manage site access and safety | Explain visitor log retention, building management access, and emergency use. |
Security | ||||
CCTV monitoring | Video images, time, location, vehicle registration, incident footage | High | Protect premises, staff, visitors, and assets | Disclose CCTV locations, signage, retention, access controls, and police disclosure routes. |
Access control systems | Name, access card ID, entry logs, role, location, time stamps | Medium | Control access to systems or premises | Explain access logs, monitoring, administrators, and security incident use. |
Biometric access control | Fingerprint template, facial template, access logs, user ID | High | Verify identity for secure access | Explain biometric necessity, alternatives, template storage, and special category safeguards. |
Network security monitoring | IP address, device identifiers, login logs, traffic metadata, alerts | High | Detect threats and protect systems | Describe security logging, monitoring tools, retention, and incident response sharing. |
Security, Service delivery | ||||
Website cookies | Cookie IDs, device data, session IDs, preferences, analytics events | Medium | Operate, secure, and analyse websites | Provide cookie purposes, consent controls, third-party cookies, and retention periods. |
Security, Legal administration | ||||
Security incident response | Affected user details, incident logs, breach evidence, communications | High | Investigate, contain, and report incidents | Explain possible disclosure to ICO, affected individuals, IT providers, insurers, and law enforcement. |
Legal administration, Customer support | ||||
Data subject rights requests | Requester identity, correspondence, request details, response records | High | Handle UK GDPR rights requests | Explain identity verification, response process, exemptions, and record keeping. |
Legal administration | ||||
Legal claims management | Claimant details, evidence, correspondence, contracts, witness information | High | Establish, exercise, or defend legal claims | Disclose sharing with solicitors, insurers, courts, experts, and counterparties. |
Regulatory compliance records | Contact details, compliance evidence, audit trails, declarations, policy acknowledgements | High | Meet legal and regulatory obligations | Identify regulators, auditors, advisers, and statutory retention duties where applicable. |
Legal administration, Service delivery | ||||
Supplier contact management | Business contact name, work email, phone number, role, correspondence | Low | Manage supplier relationships and contracts | Explain business contact processing, procurement systems, and adviser access. |
Legal administration | ||||
Insurance administration | Policyholder details, claim details, incident reports, health or injury information | High | Arrange insurance and manage claims | Disclose sharing with insurers, brokers, loss adjusters, medical experts, and solicitors. |
Company secretarial records | Director names, service addresses, shareholdings, signatures, meeting minutes | Medium | Maintain statutory company records | Explain Companies House filings, public registers, advisers, and corporate record retention. |
Legal administration, Security | ||||
Safeguarding reports | Names, incident details, welfare concerns, health information, family details | High | Protect children or vulnerable people | Explain safeguarding disclosures to local authorities, police, schools, or care bodies where lawful. |
Account management, Security, Legal administration | ||||
Age verification | Date of birth, age range, identity document, verification result | High | Restrict age-gated services or content | Explain age checks, verification providers, minimisation, and child privacy safeguards. |
What Personal Data Should A UK Privacy Policy Cover?
A UK privacy policy should map each business activity to the personal data actually used, not just list broad labels such as contact details. The dataset shows that account management, orders, support, service delivery, recruitment, events, security, and legal administration commonly involve different data types, purposes, and disclosures.
Which Activities Usually Need Extra Care?
- Recruitment, accessibility, health, safeguarding, fraud prevention, CCTV, biometrics, and legal claims often involve high-sensitivity data or special category/criminal offence data under UK GDPR and the Data Protection Act 2018.
- Payments, identity checks, security logs, complaints, and debt recovery may involve financial, fraud, or dispute data and should explain retention, recipients, and security safeguards clearly.
- Marketing, analytics, cookies, call recording, and event photography need specific transparency about tracking, consent where required, and opt-out rights.
What Disclosures Are Most Useful In A Privacy Policy?
- State the processing purpose for each activity, such as fulfilling orders, providing support, assessing candidates, or maintaining security.
- Name the categories of recipients, such as payment processors, delivery partners, hosting providers, background-check providers, professional advisers, insurers, and law enforcement where relevant.
- Flag whether data may be special category data, criminal offence data, or data collected through monitoring technologies such as CCTV, cookies, access logs, or call recordings.
- For UK users, make sure the privacy policy aligns with transparency duties under UK GDPR Article 13, the Data Protection Act 2018, and cookie rules under PECR.
