GDPR compliance: what taxi operators are getting wrong right now

GDPR compliance for taxi operators is one of those things that gets pushed to the bottom of the list, somewhere below fixing the car and chasing invoices. But the Information Commissioner’s Office doesn’t care how busy you are. Under the UK GDPR and the Data Protection Act 2018, fines for the most serious infringements can reach £17.5 million or 4% of annual worldwide turnover, whichever is higher (the lower tier is capped at £8.7 million or 2%), and the ICO takes enforcement action against small businesses, not just household names. If you’re running a taxi or private hire operation in the UK and you’re collecting passenger names, phone numbers, pickup addresses and payment details, you are a data controller. Full stop.

Most guides to GDPR are written for large corporations with legal teams. This one is written for taxi operators running fleets of any size, from owner-drivers to 200-vehicle companies.

What data are you actually collecting?

Before you can manage passenger data under GDPR rules properly, you need a clear picture of what you’re holding. Most operators collect more than they realise.

Booking records typically include passenger name, phone number, pickup and drop-off addresses, booking time, fare amount, and sometimes free-text notes like “passenger uses a wheelchair” or “regular customer, always tips”. The first of those is particularly sensitive: anything that reveals a passenger’s health or disability is special category data under the UK GDPR, which needs an additional lawful condition and stricter handling. Free-text notes fields are where this data creeps in, because controllers type whatever will help the next driver. The second note isn’t special category, but it is still personal data about an identifiable person and everything else in this article applies to it.

Beyond passengers, you’re also holding driver data. Licence numbers, DBS check results (criminal offence data, which has its own restrictions, covered below), vehicle documents, bank details for payment, and in many cases, GPS location data generated during shifts. Driver data has its own set of obligations, and a lot of operators treat it as an afterthought.

Data minimization: collect less, worry less


The GDPR principle of data minimization is one of the most practically useful rules in the whole regulation. You should only collect data that’s necessary for the specific purpose you have. For a taxi booking, that means name and contact number are probably necessary. Date of birth, almost certainly not. Email address, only if you’re actually going to use it to send a receipt or confirmation.

We’ve seen operators collecting fields in their booking systems that haven’t been used in years, simply because the form was set up that way at launch. Go through your booking form and your dispatch system. If you can’t explain why you need a field, remove it. Less data means less exposure if something goes wrong.

Modern automated taxi dispatch software should let you configure exactly which fields are required and which are optional, so you’re not forcing drivers or controllers to collect data they don’t need.

Privacy notices: passengers need to know what you’re doing with their data

Every taxi operator who collects personal data needs a privacy notice. Not buried in a terms and conditions PDF nobody reads, but somewhere accessible. If you have an app, there should be a link to your privacy policy on the booking screen. If you take phone bookings, your website needs a clear privacy page, and your team should be able to tell passengers where to find it.

Your privacy notice needs to cover what data you collect, why you collect it and the lawful basis you rely on, how long you keep it, who you share it with (including dispatch software providers, payment processors, and any vehicle tracking companies), what rights passengers have over their data, and how they can exercise them, including asking for deletion. It also needs to say who the controller is and how to contact you.

Writing one from scratch is annoying but not complicated. The ICO has a free template tool at ico.org.uk. Use it. Don’t copy one from another company’s website.

Booking record retention: how long is too long?


GDPR doesn’t give you a fixed number of days to keep booking records. Instead, it says you should keep data for no longer than necessary for the purpose it was collected. The problem is that “necessary” has more than one answer depending on the record type.

For dispute resolution, keeping booking records for 6 to 12 months is defensible. If a passenger disputes a charge or a driver makes a complaint, you’ll need that history. For accounting purposes, HMRC requires limited companies to keep financial records for 6 years from the end of the financial year they relate to (self-employed owner-drivers: at least 5 years after the 31 January filing deadline for that tax year). Booking records that contain fare information therefore have a legitimate reason to be kept for that period, but with passenger identifiers removed or anonymised once the dispute window has passed: the accountant needs the date and the fare, not the passenger’s name and home address.

The worst thing you can do is keep everything forever because storage is cheap. That’s the kind of thinking that turns a minor data breach into a major ICO investigation.

Set a retention schedule and document it. Something like: booking records retained for 12 months, fare/financial records retained for 6 years with passenger PII removed after 12 months, driver records retained for 2 years post-employment. Review it annually.

Driver document storage and taxi operator data protection

Taxi operator data protection obligations extend fully to your drivers. DBS check results are criminal offence data. Under the UK GDPR (Article 10) and the Data Protection Act 2018 that is not formally “special category” data, but the rules are just as strict: you need a lawful basis plus a condition from Schedule 1 of the Act, and in most cases a written “appropriate policy document” describing how you handle it. You’re allowed to hold a summary (certificate number, date of check, whether the result was satisfactory), but holding the full certificate detail long-term is hard to justify; the DBS code of practice says certificate information should not normally be kept for more than six months once the decision it was obtained for has been made.

Driver licences, vehicle insurance certificates, and MOT documents should be stored securely, with access limited to people who genuinely need it. A shared folder that every controller can browse isn’t good enough. Restrict access by role, keep a record of who has it, and remove it the day someone leaves.

Location data generated by your dispatch system during driver shifts is also personal data. If you’re using route optimization in your taxi dispatch system, that system is generating detailed movement records for each driver. Your drivers need to know this is happening, and you need a lawful basis for it (which, for running a dispatch operation, isn’t hard to establish, but you still need to document it). Set a retention period for location history as well, and don’t quietly reuse it for something drivers weren’t told about, such as monitoring them off shift.

The right to erasure: handling deletion requests


Passengers and drivers can ask you to delete their personal data. Under GDPR, this is called the right to erasure, and you generally have one month to respond, extendable by up to two further months for complex or multiple requests if you tell the person within the first month. You don’t have to comply in all circumstances. If you need the data to comply with a legal obligation (like those 6-year accounting records) you can refuse that part of the request, but you need to explain why.

What you can’t do is ignore the request, lose it, or respond three months later. Keep a log of data subject requests. Note when they came in and what you did. If the ICO ever investigates you, that log shows you’re taking the regulation seriously.

Your dispatch software should make deletion possible without destroying your entire database. If deleting one passenger’s records requires you to manually edit raw database tables, that’s a problem worth raising with your software provider. Good taxi dispatch software should support data management functions, not just operational ones.
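The retention schedule described earlier (strip passenger identifiers once the dispute window closes, purge the row once the financial retention period ends) and the partial refusal of an erasure request come down to a handful of queries against the booking table. What follows is an added example, not code from this article or from CAB-X or any dispatch product: it uses an in-memory SQLite database with an assumed schema (table and column names are illustrative) and constructed sample bookings, so it runs offline.

```python
"""Retention schedule and erasure requests over a dispatch booking store.

Added example, not code from this page or any dispatch product. An in-memory
SQLite database with an assumed schema stands in for the real booking table;
the sample bookings are constructed.
"""
import sqlite3
from datetime import date, timedelta

DISPUTE_WINDOW = timedelta(days=365)           # 12 months: strip passenger PII
FINANCIAL_RETENTION = timedelta(days=6 * 365)  # 6 years: keep fare records (HMRC)
SAMPLE_TODAY = date(2025, 6, 1)                # fixed "today" so runs are repeatable

# Columns that identify the passenger. Fixed list, never built from user input,
# so it is safe to interpolate into the UPDATE statement below.
PII_COLUMNS = ("passenger_name", "passenger_phone", "pickup_address",
               "dropoff_address", "notes")

SCHEMA = """
CREATE TABLE bookings (
    id INTEGER PRIMARY KEY,
    booked_on TEXT NOT NULL,        -- ISO-8601 date, compares correctly as text
    passenger_name TEXT,
    passenger_phone TEXT,
    pickup_address TEXT,
    dropoff_address TEXT,
    fare_pence INTEGER NOT NULL,    -- kept until the 6-year purge
    notes TEXT                      -- free text; where health data creeps in
);
CREATE TABLE dsr_log (              -- data subject request log to show the ICO
    id INTEGER PRIMARY KEY,
    received_on TEXT NOT NULL,
    request_ref TEXT NOT NULL,      -- ticket reference, not the subject's PII
    action TEXT NOT NULL
);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def load_sample(conn, today=SAMPLE_TODAY):
    """Constructed bookings: one recent, two past the dispute window, one past
    the financial retention period. Tuple: (age in days, name, phone, pickup,
    drop-off, fare in pence, notes)."""
    rows = [
        (30, "A. Passenger", "07700900001", "1 High St", "Station", 1250, "regular customer"),
        (400, "A. Passenger", "07700900001", "1 High St", "Airport", 4500, "wheelchair user"),
        (500, "B. Rider", "07700900002", "2 Low St", "Hospital", 900, None),
        (2600, "C. Old", "07700900003", "3 Past Rd", "Town", 700, None),
    ]
    conn.executemany(
        "INSERT INTO bookings (booked_on, passenger_name, passenger_phone, "
        "pickup_address, dropoff_address, fare_pence, notes) VALUES (?,?,?,?,?,?,?)",
        [((today - timedelta(days=age)).isoformat(), *rest) for age, *rest in rows])
    conn.commit()


def _strip_pii_sql(where):
    sets = ", ".join(f"{c} = NULL" for c in PII_COLUMNS)
    return f"UPDATE bookings SET {sets} WHERE {where}"


def apply_retention(conn, today=SAMPLE_TODAY):
    """Scheduled job: purge bookings past the financial retention period, then
    strip passenger identifiers from bookings past the dispute window. Date
    and fare stay, so the accounting record is intact."""
    purge_before = (today - FINANCIAL_RETENTION).isoformat()
    strip_before = (today - DISPUTE_WINDOW).isoformat()
    purged = conn.execute("DELETE FROM bookings WHERE booked_on < ?",
                          (purge_before,)).rowcount
    stripped = conn.execute(
        _strip_pii_sql("booked_on < ? AND passenger_phone IS NOT NULL"),
        (strip_before,)).rowcount
    conn.commit()
    return {"purged": purged, "stripped": stripped}


def handle_erasure_request(conn, phone, request_ref, today=SAMPLE_TODAY):
    """Right-to-erasure request keyed on phone number. Identifiers are removed
    from every matching booking, but the rows themselves (date, fare) stay for
    the financial retention period: that is the part of the request that can
    be refused, and the reason is logged so the reply can state it."""
    matched = conn.execute("SELECT COUNT(*) FROM bookings WHERE passenger_phone = ?",
                           (phone,)).fetchone()[0]
    conn.execute(_strip_pii_sql("passenger_phone = ?"), (phone,))
    action = (f"identifiers removed from {matched} bookings; fare records retained "
              f"for {FINANCIAL_RETENTION.days // 365} years (legal obligation)")
    conn.execute("INSERT INTO dsr_log (received_on, request_ref, action) VALUES (?,?,?)",
                 (today.isoformat(), request_ref, action))
    conn.commit()
    return {"bookings_anonymised": matched, "financial_rows_retained": matched}


def remaining_pii(conn):
    """Bookings still carrying a passenger phone; an audit check after each job."""
    return conn.execute("SELECT COUNT(*) FROM bookings "
                        "WHERE passenger_phone IS NOT NULL").fetchone()[0]


if __name__ == "__main__":
    db = open_db()
    load_sample(db)
    print(apply_retention(db))                          # {'purged': 1, 'stripped': 2}
    print(handle_erasure_request(db, "07700900001", "DSR-0001"))
    print("bookings left:", db.execute("SELECT COUNT(*) FROM bookings").fetchone()[0],
          "with PII:", remaining_pii(db))               # bookings left: 3 with PII: 0
```

Two design points. Identifiers are nulled rather than rows deleted, so the accountant still has dates and fares while the passenger’s name, phone, addresses and the free-text notes (where health data tends to live) are gone. The request log stores a ticket reference and the action taken, not the passenger’s details, so the log itself doesn’t become a copy of the data you were asked to erase. Once the scheduled job has anonymised a booking, a later erasure request can no longer find it, which is the intended outcome. In a real deployment the same schedule has to reach backups and exports, and erasure requests have to be passed on to your processors (dispatch provider, payment processor, tracking supplier) as well.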

GDPR breach notification: what to do when something goes wrong

A data breach doesn’t have to mean a hack. Sending a booking confirmation to the wrong passenger is a breach. A driver leaving their phone (with booking history on it) on a train is a breach, though if the device is encrypted, PIN-locked and can be wiped remotely the risk to passengers is far lower, and that affects whether you need to report it. A controller emailing a passenger list to the wrong address is a breach.

Not every breach needs to be reported to the ICO, but you need to assess each one. If the breach is unlikely to result in a risk to individuals, you don’t have to notify, but you do have to document it internally: the facts, your risk assessment and the decision, because the ICO can ask to see that record. If there’s a likely risk, you must notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it. If there’s a high risk to individuals (like financial data or health information being exposed), you also need to notify the affected people directly, without undue delay.

72 hours sounds like a lot of time. When it’s 11pm on a Friday and you’ve just discovered a problem, it isn’t. Have a simple written procedure your team can follow, even if it’s just a one-page document. Who to call, what to document, how to submit a breach report to the ICO. Do it now, before you need it.

How dispatch software helps taxi operators with GDPR compliance


The right dispatch system doesn’t make GDPR automatic, but it makes compliance significantly more manageable. Centralised booking records mean you know exactly where your data is. Role-based access controls mean controllers only see what they need to. Automated data retention tools mean old records get flagged or purged on a schedule without someone having to remember.

If you’re running a small fleet and still managing bookings in a spreadsheet, the practical reality is that GDPR compliance gets very hard very fast. A proper system gives you the audit trail and the controls the regulation expects you to have. If you’re evaluating options, our guide to the best taxi dispatch software for small UK fleets covers what to look for.

The other practical angle is passenger consent for marketing. Promotional texts and emails fall under PECR as well as the UK GDPR: you need consent collected at booking, unless the “soft opt-in” applies (you obtained the contact details when the person booked with you, you’re marketing your own similar services, and you offered an opt-out when you collected the details and in every message since). Most dispatch systems can handle consent capture at the booking stage, but you need to configure it, keep a record of when and how consent was given, and make sure your privacy notice explains exactly what passengers are opting into.

Getting your compliance in order: where to start

Start with a data audit. Write down every type of data you collect, where it lives, who can access it, and how long you keep it. That document is called a Record of Processing Activities (ROPA). Article 30 of the UK GDPR requires one for organisations with 250 or more staff, and for smaller ones whose processing is more than occasional or involves special category or criminal offence data; a taxi operator handling bookings every day and holding DBS results falls into the second group. Most taxi operators don’t have one. Most should.

Then check your privacy notice exists and is current. Then set a retention schedule. Then make sure your team knows what to do with a data subject request or a breach. None of this requires a lawyer if your operation is straightforward. The ICO’s website has free guidance written specifically for small businesses.

If you want to see how CAB-X handles data management within the dispatch platform, get in touch with our team and we can walk you through the specific features. And if you’re still deciding whether a full dispatch system is right for your operation, our pricing page breaks down what you get at each level.

GDPR compliance for taxi operators isn’t complicated once you break it down. But waiting until there’s a problem to think about it is a genuinely bad idea.

Frequently Asked Questions

Do taxi operators need to comply with GDPR?

Yes. Any UK taxi or private hire operator that collects passenger names, phone numbers, addresses or payment details is a data controller under the UK GDPR and the Data Protection Act 2018 and must comply with all relevant obligations. This applies to owner-drivers as well as large fleets.

How long can taxi operators keep passenger booking records?

GDPR doesn’t set a fixed period, but most operators can justify keeping booking records for 6 to 12 months for dispute resolution. Financial records linked to bookings may need to be retained for 6 years to meet HMRC requirements, ideally with passenger personal details removed after the dispute window closes.

What counts as a data breach for a taxi company?

A data breach is any accidental or unlawful destruction, loss, alteration, or unauthorised access to personal data. For taxi operators, this includes sending a booking confirmation to the wrong person, a driver losing a phone with booking data on it, or a controller emailing a passenger list to the wrong address.

Can passengers ask a taxi operator to delete their data?

Yes. Under GDPR’s right to erasure, passengers can request deletion of their personal data and operators generally have one month to respond. Operators can decline if they have a legal obligation to retain the data, such as financial records, but must explain the reason in writing.

Does taxi dispatch software help with GDPR compliance?

Good dispatch software helps by centralising data storage, providing access controls so staff only see what they need, and supporting data retention schedules. It doesn’t make compliance automatic, but it’s considerably easier to demonstrate compliance when your data is in one managed system rather than spreadsheets and paper logs.